The Sender Policy Framework (SPF) is today used by many mail servers and spam filters to determine whether an email sent as originating from user@example.net really originates from example.net, or whether the address was hijacked by a spammer. An SPF-enabled receiving mail server checks both the fully qualified domain name (FQDN) given in the HELO or EHLO announcement sent by the mail client and the domain of the envelope sender address (MAIL FROM) against the SPF record(s) stored in DNS for that domain.
Example

As an example, I own two domains, ntecs.de and michaelonroad.de. I run an SMTP server on the host mail.ntecs.de. As such, I need two SPF DNS records in the zone for ntecs.de:

    # DNS zone for domain ntecs.de
    @    IN TXT "v=spf1 mx -all"
    mail IN TXT "v=spf1 a -all"
The first line tells an SPF-enabled mail server that all email of the form user@ntecs.de MUST exclusively be sent by one of the servers listed as a Mail Exchange (MX) record of that same domain. The MX record resolves to an IP address, which is then checked against the IP address of the connection. The second line is used to check the EHLO (or HELO) announcement. For example, my SMTP server announces itself with "EHLO mail.ntecs.de". Only the IP address of the mail.ntecs.de server is accepted in this case (or, more specifically, the IP address its A record resolves to).
For my second domain, michaelonroad.de, I only need one SPF record:

    # DNS zone for domain michaelonroad.de
    @ IN TXT "v=spf1 mx -all"

This is because I use mail.ntecs.de even for sending mail from user@michaelonroad.de. Also note that in my case I only run one server for both incoming and outgoing mail (for all domains).
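To make the two checks concrete, here is a small SPF evaluator written for this post (added example, not code from the original page). It models the three zones above with a constructed, offline DNS table (the IP addresses are placeholders), understands only the "a", "mx" and "all" mechanisms the records use, and returns the HELO result and the MAIL FROM result for one connection.

```python
# Constructed offline "DNS" for the zones described above; IPs are placeholders.
DNS = {
    "ntecs.de":         {"TXT": ["v=spf1 mx -all"], "MX": ["mail.ntecs.de"]},
    "mail.ntecs.de":    {"TXT": ["v=spf1 a -all"],  "A":  ["203.0.113.10"]},
    "michaelonroad.de": {"TXT": ["v=spf1 mx -all"], "MX": ["mail.ntecs.de"]},
}

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Return the records of type rtype for name, or [] if none exist."""
    return DNS.get(name, {}).get(rtype, [])


def spf_record(domain):
    """Exactly one v=spf1 TXT record is allowed; zero means 'none', more is an error."""
    records = [t for t in lookup(domain, "TXT") if t.startswith("v=spf1")]
    if len(records) > 1:
        raise ValueError("permerror: multiple SPF records for %s" % domain)
    return records[0] if records else None


def check_host(ip, domain):
    """Evaluate the SPF record of domain for the connecting IP (a, mx, all only)."""
    record = spf_record(domain)
    if record is None:
        return "none"
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in RESULT_FOR_QUALIFIER:
            qualifier, term = term[0], term[1:]
        mechanism, _, arg = term.partition(":")
        target = arg or domain           # "a" and "mx" default to the checked domain
        if mechanism == "all":
            matched = True
        elif mechanism == "a":           # IP must be one of the domain's A records
            matched = ip in lookup(target, "A")
        elif mechanism == "mx":          # IP must be an A record of one of the MX hosts
            matched = any(ip in lookup(mx, "A") for mx in lookup(target, "MX"))
        else:
            return "permerror"           # mechanism this toy evaluator does not support
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"                     # no mechanism matched


def check_connection(ip, helo, mail_from):
    """The two checks from the text: the HELO/EHLO host and the MAIL FROM domain."""
    return check_host(ip, helo), check_host(ip, mail_from.rsplit("@", 1)[-1])
```

Both checks pass for mail from the placeholder address of mail.ntecs.de, and both fail ("-all") for any other source address, whichever of the two domains is used in MAIL FROM.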