SPF is the abbreviation for “Sender Policy Framework”. With this method, mail servers can check whether the mail they receive actually originates from the declared host server. This SPF check is carried out fully automatically in the background; as the end user, you will not notice any of this.

In simple terms, SPF specifies which mail servers are allowed to send mail for the domain. The mail servers are identified by their name or IP address.

Example: A mail from the sender hans.muster@gmx.com may only be sent via one of the following IP addresses: 213.165.64.0, 74.208.5.64, 74.208.122.0, 212.227.126.128, 212.227.15.0, 212.227.17.0, 74.208.4.192, 82.165.159.0, 217.72.207.0. These IP addresses are therefore listed in the SPF record of the domain gmx.com. The receiving mail server can now check whether the IP address it reads in the header of the mail is on this list or not.

The list of authorized mail servers is stored on the name server (DNS) of the sending domain (gmx.com in our example) and can be retrieved there by every receiving mail server.

The SPF record

The SPF record is entered as a DNS record, namely as a TXT record, in the domain zone on the responsible name server (DNS) of the domain. The entry contains a list of the IP addresses from which mails from this domain can be sent. There are also other entries, e.g. for the mail filter server mentioned above, which a mail has to go through before it finds its way to the recipient. Such “intermediate stations” are often entered with the include directive. Below is an explanation of the most common parameters of the SPF record:

| Code | Meaning |
|---|---|
| v | Version of the record; v=spf1 indicates the currently valid version. |
| ip4 | IP address; “ip4” is the name for the well-known form of the IP address. There are also the new IPv6 addresses, which are, however, still less common. |
| -all | All other senders not listed here are not authorized and should be rejected. |
| include | Specifies other domains whose SPF record should also be retrieved. |

In addition to the -all listed above, there is also the version with the tilde: ~all. This indicates that all other senders are not authorized, but should still be accepted. This “soft fail” declaration was originally introduced for test purposes, but is now used by various hosting providers.
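How a receiver can evaluate the parameters described above, as an added example that is not part of the original article: a simplified Python evaluator that handles only ip4, include and all. The domains and records in SAMPLE_DNS are constructed (documentation address ranges), check_spf is a hypothetical helper, and sender_ip is assumed to be the address of the server that delivered the mail.

```python
import ipaddress

# Constructed sample TXT records (documentation address ranges, not real
# published records); a real receiver would fetch these via DNS.
SAMPLE_DNS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:filter.example.net -all",
    "filter.example.net": "v=spf1 ip4:198.51.100.17 ~all",
    "softfail.example.org": "v=spf1 ip4:203.0.113.0/25 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(sender_ip, domain, dns=SAMPLE_DNS, depth=0):
    """Evaluate the ip4, include and all terms of a domain's SPF record."""
    if depth > 10:  # guard against include loops between records
        return "permerror"
    terms = (dns.get(domain) or "").split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # the domain publishes no SPF policy
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        # A leading +, -, ~ or ? is the qualifier; the default is "+" (pass).
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "ip4":
            matched = ip in ipaddress.ip_network(value, strict=False)
        elif name == "include":
            # include matches only when the included record yields "pass";
            # the included record's own -all or ~all is not inherited.
            matched = check_spf(sender_ip, value, dns, depth + 1) == "pass"
        elif name == "all":
            matched = True  # catch-all for every sender not matched earlier
        else:
            continue  # terms not covered in this simplified example
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and the record has no "all" term


if __name__ == "__main__":
    for ip, dom in [("192.0.2.25", "example.com"),
                    ("198.51.100.17", "example.com"),
                    ("203.0.113.9", "example.com"),
                    ("203.0.113.200", "softfail.example.org")]:
        print(ip, dom, check_spf(ip, dom))
```

The third lookup shows why the ~all of the included record does not weaken the policy: the include simply fails to match, and the -all of example.com decides the result.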

Source: https://www.ionos.de/digitalguide/e-mail/e-mail-sicherheit/was-ist-ein-spf-record/