How to write an SPF record

An SPF record is a DNS TXT record (a DNS entry, like A records and MX records) that tells receiving mail servers whether an email has come from a server that is “allowed” to send email for that domain, i.e. it’s a check that should prevent spammers impersonating your domain. It relies on the receiving server actually doing the check, which not all do, so it is by no means foolproof, but it should help prevent mass email from your organisation to customers being flagged as potential spam.

 

Below is an example SPF record for capitalfmarena.com:

(this is in the public domain – you can look up an organisation’s SPF record by using online SPF checkers)

 

"v=spf1 ip4:93.174.143.18 mx a:service69.mimecast.com mx a:service70.mimecast.com a:capitalfmarena.com -all"

 

v=spf1 specifies the type of record this is (SPF).

 

ip4: pass if the sender’s IP address matches the addresses we send mail from.

 

mx: pass if the sender’s IP matches an ‘MX’ record in the domain

 

a: pass if the sender’s IP matches an ‘A’ record in the domain

 

The -all indicates that all other senders fail the SPF test. (+all would mean anyone can send mail.)

(~all was used when SPF was still being implemented, and is a soft fail, but shouldn’t really be used any longer other than when you’re transitioning between mail hosts or something.)

 

Mechanisms are tested in order, and any match will pass the email. A non-match results in a neutral state, and the check moves on to the next mechanism until it reaches the end of the string, where the -all mechanism will fail it.
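
The in-order evaluation described above, as an added example that is not part of the original post: a simplified evaluator run against the record shown. The function name `evaluate_spf` and the DNS tables are assumptions for illustration; the A/MX data is constructed (documentation-range addresses), not real lookups for these hosts.

```python
import ipaddress

# Constructed DNS data for illustration only: documentation-range addresses,
# not the real A/MX records of these hosts.
DNS_A = {
    "service69.mimecast.com": ["192.0.2.69"],
    "service70.mimecast.com": ["192.0.2.70"],
    "capitalfmarena.com": ["198.51.100.10"],
}
DNS_MX = {"capitalfmarena.com": ["service69.mimecast.com", "service70.mimecast.com"]}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
RECORD = ("v=spf1 ip4:93.174.143.18 mx a:service69.mimecast.com mx "
          "a:service70.mimecast.com a:capitalfmarena.com -all")


def evaluate_spf(record, sender_ip, domain):
    """Return (result, matching_term) for sender_ip; hypothetical helper."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ("none", None)  # not an SPF record
    ip = ipaddress.ip_address(sender_ip)
    for raw in terms[1:]:  # mechanisms are tested left to right
        qualifier, term = ("+", raw)  # no prefix means "+" (pass)
        if raw[0] in QUALIFIERS:
            qualifier, term = raw[0], raw[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True  # matches every sender, so it goes last
        elif name == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = str(ip) in DNS_A.get(arg or domain, [])
        elif name == "mx":
            hosts = DNS_MX.get(arg or domain, [])
            matched = any(str(ip) in DNS_A.get(h, []) for h in hosts)
        else:
            continue  # simplification: terms not used in this record are skipped
        if matched:
            return (QUALIFIERS[qualifier], raw)  # first match decides
    return ("neutral", None)  # nothing matched and no "all" term


if __name__ == "__main__":
    for addr in ["93.174.143.18", "192.0.2.70", "198.51.100.10", "203.0.113.5"]:
        print(addr, evaluate_spf(RECORD, addr, "capitalfmarena.com"))
```

Swapping the final term for ~all turns the last result from a fail into a soft fail, which is the transition case mentioned above.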