An SPF record is basically a DNS record of the TXT type, which contains information about who may send email from your domain. It is used to avoid spoofing and spam.
So how does it work?
Basically, when a (decent) email server receives an email that is supposedly originating from your domain, it will check the SPF record for that domain. That SPF record is publicly readable and states what servers may send email from that domain, and what to do if the server is not listed.
You can specify things like whether the servers in the MX records may send email, or specify specific IPv4 or IPv6 addresses or additional A-record domain names or MX domain names to be included in the whitelist. You can also include an SPF record from another domain to be read and applied.
As for the actions on what to do when a server is not in the list, are things like soft-fail, which means the email should still be accepted but marked or fail, which means emails must be rejected. There’s also neutral, which means emails are expected to be accepted and positive, which means emails must be rejected in general. The latter can be useful if you don’t want any emails originating from your domain name.
An example SPF record
As we now know, an SPF record is just a TXT record with specific contents. But what does it look like?
v=spf1 mx a:sending.example.com ~all
This record could be an example record for example.com, where the TXT record is at the root (@) of the domain. Let’s dissect it!
v=spf1This declares that this is an SPF record.
mxThis states that servers listed in the MX record(s) may send email.
a:sending.example.comThis means that the server behind the A record behind sending.example.com may send emails.
~allThis is a soft-fail declaration. Servers not whitelisted may still send emails but the emails should be marked when arriving.
But there’s so much more and this is just a basic example!
Generating your very own SPF record
Since there are many settings you can fine-tune, it would be overkill to list them all here. Instead, I recommend using a free online-tool to generate the record for you based on your exact needs. You can use a tool like the one found in the external links below.
Remember that the TXT record needs to be made for the sub-domain (or root domain) that is sending the emails. So for “example.com” the TXT record would be for “@” but for “sending.example.com” the TXT record would be for “sending”. But usually you send emails from the root domain, so in most cases you’ll want to specify it for root (@), unless your email will be something like [email protected]