SPFInfo
SPF Record Syntax

Domains define zero or more mechanisms. Mechanisms can be used to describe the set of hosts which are designated outbound mailers for the domain.

all
ip4
ip6
a
mx
ptr
exists
include

Domains may also define modifiers. Each modifier can appear only once.

redirect
exp
Mechanisms

Mechanisms can be prefixed with one of four qualifiers:

"+"  Pass
"-"  Fail
"~"  SoftFail
"?"  Neutral

If a mechanism results in a hit, its qualifier value is used. The default qualifier is "+", i.e. "Pass". For example:

"v=spf1 -all"
"v=spf1 a -all"
"v=spf1 a mx -all"
"v=spf1 +a +mx -all"

Mechanisms are evaluated in order. If no mechanism or modifier matches, the default result is "Neutral".

If a domain has no SPF record at all, the result is "None". If a domain has a temporary error during DNS processing, you get the result "TempError". If some kind of syntax or evaluation error occurs, the result is "PermError".

Evaluation Results
Result | Explanation | Intended Action
Pass | The SPF record designates the host to be allowed to send | accept
Fail | The SPF record has designated the host as NOT being allowed to send | reject
SoftFail | The SPF record has designated the host as NOT being allowed to send but is in transition | accept but mark
Neutral | The SPF record specifies explicitly that nothing can be said about validity | accept
None | The domain does not have an SPF record or the SPF record does not evaluate to a result | accept
PermError | A permanent error has occurred (e.g. badly formatted SPF record) | unspecified
TempError | A transient error has occurred | accept or reject
The "all" mechanism
all

This mechanism always matches. It usually goes at the end of the SPF record.

Examples
"v=spf1 mx -all"

Allow domain's MXes to send mail for the domain, prohibit all others.

"v=spf1 -all"

The domain sends no mail at all.

"v=spf1 +all"

The domain owner thinks that SPF is useless and/or doesn't care.

The "ip4" mechanism
ip4:<ip4-address>
ip4:<ip4-network>/<prefix-length>

The ip4 mechanism matches if the sender's IPv4 address is in the specified range. If no prefix-length is given, /32 is assumed.

Examples
"v=spf1 ip4:192.168.0.1/16 -all"

Allow any IP address between 192.168.0.1 and 192.168.255.255.

"v=spf1 ip4:1.2.3.4 -all"

Allow only 1.2.3.4.

The "ip6" mechanism
ip6:<ip6-address>
ip6:<ip6-network>/<prefix-length>

The ip6 mechanism matches if the sender's IPv6 address is in the specified range.

Examples
"v=spf1 ip6:1080::8:800:200C:417A/96 -all"

Allow any IPv6 address in the /96 subnet.
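
The qualifier, ordering and default-result rules, applied to the all, ip4 and ip6 mechanisms described above, as an added example that is not part of the original page. The name evaluate_spf is an assumption; mechanisms that need DNS (a, mx, ptr, exists, include) and the redirect modifier are out of scope here and raise NotImplementedError.

```python
import ipaddress
import re

# Qualifier prefix -> result on a match; "+" is the default.
QUALIFIERS = {"+": "Pass", "-": "Fail", "~": "SoftFail", "?": "Neutral"}
DNS_MECHANISMS = {"a", "mx", "ptr", "exists", "include"}
MODIFIER = re.compile(r"[A-Za-z][A-Za-z0-9._-]*=")   # name=value terms


def evaluate_spf(record, client_ip):
    """Evaluate the all/ip4/ip6 terms of one SPF record against client_ip."""
    if record is None:
        return "None"                        # no SPF record published
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "PermError"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:                   # evaluated in order
        if MODIFIER.match(term):
            if term.lower().startswith("redirect="):
                raise NotImplementedError("redirect needs a DNS lookup")
            continue                         # exp= and unknown modifiers
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all" and not arg:
            return QUALIFIERS[qualifier]     # "all" always matches
        if name in ("ip4", "ip6") and arg:
            prefix = arg.partition("/")[2]
            try:
                if "/" in arg and not prefix.isdigit():
                    raise ValueError("prefix length must be decimal")
                # strict=False accepts host bits set, as in 192.168.0.1/16
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "PermError"
            if net.version != int(name[2]):
                return "PermError"           # e.g. IPv6 literal under ip4:
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
            continue
        if name.split("/")[0] in DNS_MECHANISMS:
            raise NotImplementedError(f"{name} needs DNS lookups")
        return "PermError"                   # unknown mechanism or bad syntax
    return "Neutral"                         # nothing matched
```

Because the first matching mechanism decides the result, a record such as "v=spf1 -ip4:1.2.3.4 +all" returns Fail for 1.2.3.4 and Pass for every other address.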

The "a" mechanism
a
a/<prefix-length>
a:<domain>
a:<domain>/<prefix-length>

All the A records for domain are tested. If the client IP is found among them, this mechanism matches. If the connection is made over IPv6, an AAAA lookup is performed instead.

Examples
"v=spf1 a -all"

The current-domain is used.

"v=spf1 a:example.com -all"

Explicitly list domain.

The "mx" mechanism
mx
mx/<prefix-length>
mx:<domain>
mx:<domain>/<prefix-length>

All the A records for all the MX records for domain are tested. If the client IP is found among them, this mechanism matches.

Examples
"v=spf1 mx -all"

Allow domain's MXes.

The "ptr" mechanism
ptr
ptr:<domain>

The hostname(s) for the client IP are looked up using PTR queries. If a valid hostname ends in domain, it matches. Avoid using this due to expensive DNS lookups.

Examples
"v=spf1 ptr -all"

Allow all machines in domain.

The "exists" mechanism
exists:<domain>

Perform an A query on the provided domain. If a result is found, it matches.

Examples
"v=spf1 exists:example.com -all"

Check if example.com resolves.

The "include" mechanism
include:<domain>

The specified domain is searched for a match. If the lookup does not return a match or an error, processing proceeds to the next directive.

Examples
"v=spf1 include:example.com -all"

Include example.com policies.

Modifiers

Modifiers are optional. A modifier may appear only once per record. Unknown modifiers are ignored.

The "redirect" modifier
redirect=<domain>

The SPF record for domain replaces the current record. Useful for sharing one policy across multiple domains.

The "exp" modifier
exp=<domain>

If an SMTP receiver rejects a message, it can include an explanation string fetched from a TXT lookup of the specified domain.