Each SPF record begins with a version number; the current SPF version with "v = spf1 ".
It follows any number of expressions, which are evaluated in the order from front to back. Most terms are so-called directivesthat define the sender's authorization, and consist of an optional qualifier and a so-called mechanism that yields either a hit or no hit for a given situation (IP address). The first mechanism that represents a hit determines the result of the entire valuation of the SPF record.
|+||Pass||the directive defines authorized transmitter; |
this is the standard, i.e. if no qualifier is specified, + is assumed
|-||Fail||the directive defines unauthorized senders|
|~||SoftFail||the directive defines unauthorized senders, but the recipient should treat this failure generously;
this qualifier is for testing purposes
|?||Neutral||the directive defines channels whose legitimacy is not to be stated; The transmitter must be accepted.|
|Mech.||Directive applies if -|
|a||an A (or AAAA) record of the polled (or explicitly specified) domain contains the IP address of the sender|
|mx||an MX record of the polled (or explicitly specified) domain contains the IP address of the sender|
|ip4||the specified IPv4 address is the IP address of the sender or the specified IPv4 subnet contains it|
|include||an additional SPF request for the domain specified in the include statement contains the IP address of the sender|
For an overview of all allowed terms, see the SPF Mechanisms subpage of the SPF website.
$ host -t TXT gmx.de gmx.de text "v=spf1 ip4:184.108.40.206/23 -all"
The company GMX determines that all servers in the network area from 220.127.116.11 to 18.104.22.168 may send e-mails from the domain gmx.de. All other servers are not authorized to use this domain in the envelope sender address under this SPF record.