Security

How 1Password uses DNS SPF records

Sender Policy Framework, or SPF, is a method by which postmasters can use DNS Resource Records to give hints to other postmasters about which email servers should be sending email on behalf of their domain.

SPF should not be used as a definitive indicator of the legitimacy of an email or its origin. It is up to individual postmasters to decide how to weigh SPF results when developing their spam handling rules. SPF is not designed to be a strong anti-forgery or authentication mechanism, and it can often be easily foiled or misconfigured. Although we welcome suggestions and opinions about its tuning, we do not consider disagreements about it to be “bugs”.

What we do instead

We have deployed DKIM, along with DMARC, to work in concert with our SPF records. Combined, all these hints to postmasters make sure that if a recipient email system is modern and well configured, most spam or phishing attempts using the 1Password domain should fail to end up in user inboxes.
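As an added illustration (not 1Password's code or DNS records), this Python sketch shows how a receiving system combines SPF and DKIM results under DMARC alignment. The domains, the DMARC record and the messages are constructed, and the organizational-domain lookup is simplified to the last two labels.

```python
# Added example: simplified DMARC evaluation (RFC 7489) over constructed data.

def parse_dmarc(txt):
    """Parse a DMARC TXT record into a tag dict (alignment defaults to relaxed)."""
    tags = {"aspf": "r", "adkim": "r"}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    if tags.get("v") != "dmarc1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a valid DMARC record")
    return tags

def org_domain(domain):
    # Assumption: organizational domain = last two labels. Real receivers
    # use the Public Suffix List for this step.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """Strict mode needs an exact match; relaxed compares organizational domains."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def evaluate(msg, dmarc_txt):
    """Return (dmarc_result, disposition) for one message's authentication results."""
    policy = parse_dmarc(dmarc_txt)
    hdr = msg["header_from"]
    spf_ok = msg["spf"] == "pass" and aligned(msg["mail_from"], hdr, policy["aspf"])
    dkim_ok = any(res == "pass" and aligned(d, hdr, policy["adkim"])
                  for d, res in msg["dkim"])
    if spf_ok or dkim_ok:
        return "pass", "deliver"
    disposition = {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}
    return "fail", disposition[policy["p"]]

# Constructed sample data: a DMARC record and three messages claiming example.com.
RECORD = "v=DMARC1; p=reject; adkim=r; aspf=r"
DIRECT = {"header_from": "example.com", "mail_from": "bounce.example.com",
          "spf": "pass", "dkim": []}
FORWARDED = {"header_from": "example.com", "mail_from": "bounce.example.com",
             "spf": "fail", "dkim": [("example.com", "pass")]}
# SPF passes here, but only for an unrelated envelope domain: no alignment.
UNALIGNED = {"header_from": "example.com", "mail_from": "mailer.example.net",
             "spf": "pass", "dkim": []}

if __name__ == "__main__":
    for name, msg in (("direct", DIRECT), ("forwarded", FORWARDED), ("unaligned", UNALIGNED)):
        print(name, evaluate(msg, RECORD))
```

The unaligned message is the case SPF alone cannot catch: its SPF check passes, yet DMARC fails it because the passing domain is not the one shown in the From header.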

We are constantly monitoring deliverability of our emails through a range of methods to make sure that our authentic emails are getting through. We take this obligation seriously and continue to discuss, monitor, and evaluate the state of the art and how we can improve our security further.
