Publishing SPF records
The Sender Policy Framework (SPF) is used today by many mail servers and spam filters to determine whether an email that claims to originate from user@example.net really originates from example.net, or whether the address was hijacked by a spammer. An SPF-enabled receiving mail server checks both the fully qualified domain name (FQDN) given in the HELO or EHLO announcement sent by the mail client and the domain of the envelope email address (MAIL FROM) against the SPF record(s) stored in DNS for that domain.
Note that the original website www.openspf.org is gone. Read more about this issue here.
Example
As an example, I own two domains, ntecs.de and michaelonroad.de. I run an SMTP server on the domain mail.ntecs.de. As such, I need two SPF DNS records for domain ntecs.de:
# DNS zone for domain ntecs.de
@ IN TXT "v=spf1 mx -all"
mail IN TXT "v=spf1 a -all"
The first line tells the SPF-enabled mail server that all email in the form of user@ntecs.de MUST exclusively be sent by one of the servers listed as a Mail Exchange (MX) record of the same domain. The MX record resolves to an IP address, which is then checked against the IP address of the connection. The second line is used to check the EHLO (or HELO) announcement. For example, my SMTP server announces itself with EHLO mail.ntecs.de. In this case only the IP address of the mail.ntecs.de server is accepted (or, more specifically, the IP address its A record resolves to).
For my second domain michaelonroad.de I would only need one SPF record:
# DNS zone for domain michaelonroad.de
@ IN TXT "v=spf1 mx -all"
This is because I use mail.ntecs.de even for sending mail from user@michaelonroad.de. Also note that in my case I only run one server for both incoming and outgoing mail (for all domains).
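To show what a receiving server actually does with the three records above, here is a small SPF evaluator covering both the ntecs.de case (mx and a mechanisms) and the michaelonroad.de case (an MX that lives in another domain). It is an added example, not code from the original post; it uses a constructed in-memory DNS table instead of real lookups, and the address 203.0.113.10 for mail.ntecs.de is an assumption taken from the documentation range, as are the other IP addresses. Only the a, mx, ip4 and all mechanisms are handled; include, redirect and the rest of RFC 7208 are out of scope.

```python
"""Minimal SPF evaluator for the mx / a / ip4 / all mechanisms.

Added example, not part of the original post. Uses a constructed in-memory
DNS table instead of real lookups; all IP addresses are assumptions.
"""
import ipaddress

# Constructed DNS data standing in for the zones described in the post.
# 203.0.113.10 is the assumed A record of mail.ntecs.de.
DNS = {
    "ntecs.de":         {"TXT": ["v=spf1 mx -all"], "MX": ["mail.ntecs.de"]},
    "mail.ntecs.de":    {"TXT": ["v=spf1 a -all"],  "A":  ["203.0.113.10"]},
    "michaelonroad.de": {"TXT": ["v=spf1 mx -all"], "MX": ["mail.ntecs.de"]},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Return the records of type rtype for name from the constructed table."""
    return DNS.get(name.lower().rstrip("."), {}).get(rtype, [])


def spf_record(domain):
    """Return the domain's single v=spf1 TXT record, or None.

    RFC 7208 requires exactly one SPF record; zero or several means 'none'
    here (a real implementation reports permerror for several).
    """
    records = [r for r in lookup(domain, "TXT")
               if r == "v=spf1" or r.startswith("v=spf1 ")]
    return records[0] if len(records) == 1 else None


def host_has_ip(host, ip):
    """True if one of host's A records is the connecting IP."""
    return any(ipaddress.ip_address(a) == ip for a in lookup(host, "A"))


def evaluate(domain, client_ip):
    """Evaluate the SPF record of `domain` against the connecting IP.

    Returns 'pass', 'fail', 'softfail', 'neutral', 'none' or 'permerror'.
    Terms are processed left to right; the first matching mechanism decides.
    """
    record = spf_record(domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name == "a":
            # 'a' with no argument refers to the domain being evaluated.
            matched = host_has_ip(arg or domain, ip)
        elif name == "mx":
            # Every MX host of the domain is resolved and compared to the IP.
            matched = any(host_has_ip(mx, ip) for mx in lookup(arg or domain, "MX"))
        elif name == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        else:
            return "permerror"  # include, redirect=, ptr, exists... not supported here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and no 'all' term


def check_connection(helo_name, mail_from, client_ip):
    """Run both checks the post describes: the HELO/EHLO name and the MAIL FROM domain."""
    envelope_domain = mail_from.rsplit("@", 1)[-1]
    return {
        "helo": evaluate(helo_name, client_ip),
        "mailfrom": evaluate(envelope_domain, client_ip),
    }


if __name__ == "__main__":
    # Legitimate session from the assumed address of mail.ntecs.de.
    print(check_connection("mail.ntecs.de", "user@michaelonroad.de", "203.0.113.10"))
    # Same identities presented from an unrelated (constructed) address.
    print(check_connection("mail.ntecs.de", "user@ntecs.de", "198.51.100.7"))
```

Running it prints a pass/pass result for the first session and fail/fail for the second: the michaelonroad.de record passes because its MX points at mail.ntecs.de, whose A record is the connecting address, and the -all term turns every non-matching connection into a hard fail, which is exactly the effect of the two-line zone above.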