When you set up a sender signature in a mail service provider, we recommend you use that mail provider's SPF record as shown below:


v=spf1 a mx include:_spf.google.com ~all


Let’s break down what that means.


The first thing to note is the syntax of the SPF record. It’s broken down into the version prefix and one or more mechanisms.


Version

"v=spf1"


Mechanisms

"a mx include:_spf.google.com ~all"


The version prefix is pretty simple. 


Since there can be multiple TXT records for a domain, the version prefix tells parsers which record to use for SPF checking.


The mechanisms that follow are checked left to right, and each one specifies a rule for how SPF is checked for the domain. The record that most mail providers give you has four mechanisms: “a”, “mx”, “include:_spf.google.com” and “~all”.


Before we go deeper into mechanisms, let's explain qualifiers.


Qualifiers


Mechanisms can also be prefixed with a qualifier, which describes the action to take when a sending IP matches that mechanism. The default qualifier is “+”, so the following SPF record:


"v=spf1 a mx include:_spf.google.com ~all"


IS EQUIVALENT TO:


"v=spf1 +a +mx +include:_spf.google.com ~all"


Let’s go over what qualifiers are available.

  • + Pass, an IP that matches a mechanism with this qualifier will pass SPF.
  • - Fail, an IP that matches a mechanism with this qualifier will fail SPF.
  • ~ SoftFail, an IP that matches a mechanism with this qualifier will soft fail SPF, which means that the host should accept the mail, but mark it as an SPF failure.
  • ? Neutral, an IP that matches a mechanism with this qualifier will neither pass nor fail SPF.


Mechanisms 


The “a” mechanism


v=spf1 a mx include:_spf.google.com ~all


Let’s say that I send mail from IP 1.2.3.4 for the domain “example.com”. If “example.com” has an A record that returns 1.2.3.4 then this mechanism will pass. 


The “mx” mechanism


v=spf1 a mx include:_spf.google.com ~all


Any domain that hosts email has one or more MX records. These records define which email servers should be used when relaying email. For instance, when using Google Apps you insert several MX records into DNS. By including the “mx” mechanism, you automatically approve these servers and avoid having to list them individually. You also avoid having to maintain the list if they change later.


The “include” mechanism


v=spf1 a mx include:_spf.google.com ~all


Let’s say that I send mail from IP 1.2.3.4 for the domain “example.com”. If the SPF record for “example.com” includes _spf.google.com and 1.2.3.4 passes against the SPF record for _spf.google.com then this mechanism will pass. 


The “all” mechanism


v=spf1 a mx include:_spf.google.com ~all


The “all” mechanism will match against everything, and in this case the result will be a SoftFail for everything that gets to this point.
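
As an added illustration (not code from this article or from any mail provider), the Python sketch below evaluates the record above left to right against a sending IP, applying the default “+” qualifier and the rule that “include” only matches when the included record passes. The DNS table is constructed sample data, the function names are hypothetical, and the ip4 range shown for _spf.google.com is a made-up stand-in (ip4 is a standard SPF mechanism not covered above), not Google's real record.

```python
import ipaddress

# Constructed DNS data (no real lookups), keyed by (name, record type).
DNS = {
    ("example.com", "TXT"): ["unrelated=token",
                             "v=spf1 a mx include:_spf.google.com ~all"],
    ("example.com", "A"): ["1.2.3.4"],
    ("example.com", "MX"): ["mail.example.com"],
    ("mail.example.com", "A"): ["198.51.100.25"],
    ("_spf.google.com", "TXT"): ["v=spf1 ip4:203.0.113.0/24 ~all"],  # stand-in
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_record(domain):
    """Return the mechanisms of the TXT record that carries the v=spf1 prefix."""
    for txt in DNS.get((domain, "TXT"), []):
        if txt.split()[:1] == ["v=spf1"]:
            return txt.split()[1:]
    return None

def matches(mech, arg, ip, domain):
    """Does the sending IP match this single mechanism?"""
    if mech == "all":
        return True
    if mech == "a":
        return ip in DNS.get((arg or domain, "A"), [])
    if mech == "mx":
        hosts = DNS.get((arg or domain, "MX"), [])
        return any(ip in DNS.get((h, "A"), []) for h in hosts)
    if mech == "ip4":
        return ipaddress.ip_address(ip) in ipaddress.ip_network(arg)
    if mech == "include":
        # Matches only if the included domain's own record evaluates to pass.
        return check_spf(ip, arg) == "pass"
    return False  # mechanisms outside this sketch never match

def check_spf(ip, domain):
    """Evaluate mechanisms left to right; the first match decides the result."""
    terms = spf_record(domain)
    if terms is None:
        return "none"
    for term in terms:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"  # default is "+"
        mech, _, arg = term.lstrip("+-~?").partition(":")
        if matches(mech, arg, ip, domain):
            return QUALIFIERS[qualifier]
    return "neutral"
```

With this data, 1.2.3.4 passes on “a”, 198.51.100.25 on “mx” and 203.0.113.7 on “include”, while 192.0.2.9 falls through to “~all” and soft fails, because the included record's own SoftFail does not count as a match.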