SPF
Sender Policy Framework

SPF is a DNS record with information about what servers are allowed to send email from your domain.

When an email server receives an email, it can look up the SPF record for the sender domain in DNS. If an SPF record exists, the email server uses the contents of the record to determine whether the email was actually sent from a legitimate sender.

When you set up a new service provider they'll often give you a short snippet, like the one above, that you need to copy/paste to your DNS.

Anatomy of an SPF record

An SPF record is a DNS record of type TXT. The value is the interesting part, and in its simplest form it can look like this:

v=spf1 include:spf.mtasv.net ?all

This record authorizes the ESP Postmark (that's the spf.mtasv.net part) to deliver email for our domain.

A more complex example could be the following, which is explained in detail below:

v=spf1 mx a ptr ip4:1.2.3.4/32 a:substancelab.com include:servers.mcsv.net ~all

v=spf1 - The version of the SPF record. For now only version 1 exists.
mx - Servers that are also in the domain's MX record are allowed to send email for this domain.
a - The server in the domain's A record is allowed to send email for this domain.
ptr - If present, all subdomains of the domain are allowed to send email for the domain.
ip4:1.2.3.4/32 - These IP addresses and IP address ranges are allowed to send email.
a:substancelab.com - Domains listed here are allowed to send email for this domain.
include:servers.mcsv.net - This adds another SPF record to yours. It is commonly used when third party services deliver email on your behalf. In this example we allow MailChimp's servers to deliver email for our domain.
~all - How strict recipient servers should be when a sender doesn't match.

SPF records for domains that send no email

If you have a domain that doesn't send any email, you should still have an SPF record and configure DMARC for it. That way you can protect your domain from being used in phishing attacks and other malicious activities.

Here's an example of an SPF record for a domain that doesn't send any email:

v=spf1 -all

This basically says "fail SPF for all emails".
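To make the record anatomy above and the "send no email" record concrete, here is an added example (not code from the original page) of a minimal SPF evaluator: it parses the qualifier/mechanism/argument terms and checks a sending IP against them. DNS is replaced by a constructed in-memory table (FAKE_DNS, an assumption for offline use); the mx, a, ip4, include and all mechanisms are evaluated, ptr is skipped.

```python
import ipaddress
# Constructed stand-in for DNS so the example runs offline (assumption, not real data):
FAKE_DNS = {
    "txt": {
        "example.com": "v=spf1 mx a ptr ip4:1.2.3.4/32 a:substancelab.com include:servers.mcsv.net ~all",
        "servers.mcsv.net": "v=spf1 ip4:205.201.128.0/20 -all",
        "nomail.example": "v=spf1 -all",
    },
    "a": {"example.com": ["198.51.100.10"], "substancelab.com": ["203.0.113.5"]},
    "mx": {"example.com": ["198.51.100.25"]},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def parse_spf(record):
    """Split an SPF TXT value into (qualifier, mechanism, argument) tuples."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    parsed = []
    for term in terms[1:]:
        # A mechanism without a prefix means "+"; e.g. "~all" -> ("~", "all", "")
        qualifier, rest = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        name, _, arg = rest.partition(":")   # "ip4:1.2.3.4/32" -> ("ip4", "1.2.3.4/32")
        parsed.append((qualifier, name.lower(), arg))
    return parsed

def check_host(ip, domain, dns=FAKE_DNS, depth=0):
    """Evaluate the SPF result for sending IP `ip` claiming to be `domain`."""
    if depth > 10:               # bound include recursion (RFC 7208 limits lookups)
        return "permerror"
    addr = ipaddress.ip_address(ip)
    record = dns["txt"].get(domain)
    if record is None:
        return "none"
    for qualifier, mech, arg in parse_spf(record):
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech in ("a", "mx"):
            matched = str(addr) in dns[mech].get(arg or domain, [])
        elif mech == "include":   # the included record must produce "pass"
            matched = check_host(ip, arg, dns, depth + 1) == "pass"
        else:
            continue              # ptr and modifiers such as redirect= are not evaluated here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"              # nothing matched and no "all" term was present
```

Note that with the "v=spf1 -all" record every sending IP yields "fail", which is exactly what you want for a domain that never sends email.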
