SPF Record Checker: Analyze SPF TXT Records, Includes and Policy
Type a domain. You’ll see its SPF record and which servers it lets send mail. The tool pulls apart the mechanisms, the includes, the IP ranges, and the bit at the end that actually decides things (the -all, ~all, ?all or +all). Honestly that last token matters more than people expect.
What is an SPF record?
It’s a TXT record. Inside it, you list the mail servers that get to send email for your domain, and that’s basically the whole idea. When a message comes in, the receiving server checks the sender against your list. Doesn’t match? That’s a signal something’s off, maybe spoofed, maybe just misconfigured. SPF won’t stop every forged message on its own, but it cuts down the easy ones.
How to read SPF results
- include shows up when some outside service (think your newsletter platform, or Google) sends mail on your behalf.
- ip4 and ip6 pin down the exact address ranges you trust.
- -all is the strict one. ~all is softer: it flags but doesn’t hard-reject. +all you almost never want, because it basically tells the world anyone can send as you.
FAQ
Can a domain have multiple SPF records?
One. You want one. The spec is pretty firm here, and if a domain ends up with two SPF records, a lot of receivers just throw up their hands and treat the result as broken. So merge them into a single line.
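Here is the breakdown from "How to read SPF results", plus the one-record rule above, as a short Python sketch. It is an added example, not this tool's own code. The function name analyze_spf and the sample TXT strings are assumptions made for illustration, and it works on strings you hand it rather than doing DNS lookups.

```python
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def analyze_spf(txt_records):
    """Summarize the SPF policy found in a domain's TXT strings (no DNS lookups)."""
    report = {"includes": [], "networks": [], "all": None, "problems": []}
    spf = [r for r in txt_records if r.lower().split(" ")[0] == "v=spf1"]
    if len(spf) != 1:
        # Zero records means no policy; two or more is treated as broken.
        report["problems"].append(f"expected 1 SPF record, found {len(spf)}")
        return report
    has_redirect = False
    for term in spf[0].split()[1:]:
        # A missing qualifier defaults to "+", so a bare "all" equals "+all".
        qualifier, body = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        name, _, value = body.partition(":")
        name = name.lower()
        if name == "include":
            report["includes"].append(value)
        elif name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(value, strict=False)
                if net.version != int(name[2]):
                    raise ValueError("address family mismatch")
                report["networks"].append(str(net))
            except ValueError as exc:
                report["problems"].append(f"bad {name} term {term!r}: {exc}")
        elif name == "all":
            report["all"] = QUALIFIERS[qualifier]
            if qualifier == "+":
                report["problems"].append("+all lets any host pass SPF")
            break  # mechanisms after "all" are never evaluated
        elif name.startswith("redirect="):
            has_redirect = True
    if report["all"] is None and not has_redirect:
        report["problems"].append("no 'all' term: unmatched senders get neutral")
    return report

# Constructed TXT answers for a hypothetical domain (documentation address ranges).
SAMPLE = [
    "site-verification=constructed-value",
    "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 include:_spf.mailer.example ~all",
]

if __name__ == "__main__":
    print(analyze_spf(SAMPLE))
    print(analyze_spf(["v=spf1 -all", "v=spf1 include:_spf.mailer.example -all"]))
```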
Does SPF protect the visible From address?
Not really, and this trips people up constantly. SPF only looks at the envelope sender, the address used during delivery, which isn’t the From line your recipients actually read. To tie the check to that visible From domain, you need DMARC sitting on top. I’d say that’s the single most misunderstood thing about SPF.













