What is SPF?
SPF stands for Sender Policy Framework. It is an extension of SMTP that stops
e-mail spammers from forging the "From" fields in an e-mail. Because SMTP itself
carries no authentication mechanism, the SPF extension provides the
authentication scheme by specifying which computers are authorized to send
e-mail for a specific domain. To use SPF, the domain sending e-mails must
establish an SPF record that is published in its DNS records. When the e-mail
passes through the DNS server, it is compared with the SPF record for that
domain to determine whether the sender is indeed authorized to transmit e-mails
from that sender's address. If the e-mail comes from a domain that is not
authorized, the DNS server will not forward the e-mail to the expected
destination.
SPF is one method that can be used to stop spam from being sent under
unauthorized domain names. Note, however, that SPF only stops the spammer from
forging the "From" field of the e-mail; it does not stop the spammer from
sending e-mails from a domain of which it is a member.
What is the harm done that SPF tries to prevent?
Today, nearly all abusive e-mail messages carry fake sender addresses. The
victims whose addresses are being abused often suffer from the consequences,
because their reputation gets diminished and they have to disclaim liability for
the abuse, or waste their time sorting out misdirected bounce messages.
You probably have experienced one kind of abuse or another of your e-mail
address yourself in the past, e.g. when you received an error message saying
that a message allegedly sent by you could not be delivered to the recipient,
although you never sent a message to that address.
Sender address forgery is a threat to users and companies alike, and it even
undermines the e-mail medium as a whole because it erodes people's confidence in
its reliability. That is why your bank never sends you information about your
account by e-mail and keeps making a point of that fact.
Who benefits from e-mail abuse where the sender address is forged?
Spammers want to avoid receiving non-delivery notifications (bounces) to their
real addresses.
Fraudsters want to cover their tracks and remain anonymous.
Computer worms want to cause confusion or just do not care about which sender
addresses they use.
Phishers (password fishers) want to impersonate well-known, trusted identities
in order to steal passwords from users.
What is the solution that SPF offers?
The Sender Policy Framework (SPF) is an open standard specifying a technical
method to prevent sender address forgery. More precisely, the current version of
SPF - called SPFv1 or SPF Classic - protects the envelope sender address, which
is used for the delivery of messages.
Even more precisely, SPFv1 allows the owner of a domain to specify their mail
sending policy, e.g. which mail servers they use to send mail from their domain.
The technology requires two sides to play together: (1) the domain owner
publishes this information in an SPF record in the domain's DNS zone, and when
someone else's mail server receives a message claiming to come from that domain,
then (2) that receiving server can check whether the message complies with the
domain's stated policy. If, e.g., the message comes from an unknown server, it
can be considered a fake.
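The receiving side described above, as an added example written for this page
(it is not code from the original text or from any SPF library): a minimal
evaluator that parses a published SPF record and checks the connecting IP
address against it, returning the SPF result names from RFC 7208 (pass, fail,
softfail, neutral, none, permerror). The DNS data it consults is a constructed
in-memory stub using documentation addresses; a real checker would query DNS.
It handles only the ip4, ip6, a, mx and all mechanisms; include, redirect,
exists, ptr, macros and CIDR suffixes on a/mx are out of scope.

```python
import ipaddress

# Constructed stand-in for DNS so the example runs offline. A real checker
# would resolve these with DNS queries. Hostnames and addresses are invented
# for this example (RFC 5737 / RFC 3849 documentation ranges).
STUB_ADDRESSES = {               # hostname -> A/AAAA records
    "mail.example.com": ["192.0.2.10", "2001:db8::10"],
    "mx1.example.com": ["192.0.2.20"],
    "smtp.example.org": ["198.51.100.5"],
}
STUB_MX = {                      # domain -> MX hostnames
    "example.com": ["mx1.example.com"],
}

# Qualifier prefix -> SPF result when the mechanism matches (RFC 7208).
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def host_has_address(hostname, ip):
    """True if one of the host's A/AAAA records equals the sending IP."""
    return ip in [ipaddress.ip_address(a) for a in STUB_ADDRESSES.get(hostname, [])]


def evaluate_spf(record, sender_ip, domain):
    """Evaluate `record` (the domain's published policy) for a connection
    from `sender_ip` whose envelope sender address is in `domain`.

    Returns one of: none, pass, fail, softfail, neutral, permerror.
    Only ip4, ip6, a, mx and all are handled; include, redirect, exists,
    ptr, macros and CIDR suffixes on a/mx are out of scope here.
    """
    ip = ipaddress.ip_address(sender_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                       # not an SPFv1 record at all
    for term in terms[1:]:
        qualifier = "+"                     # default qualifier is "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True                  # "all" always matches
        elif name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"          # malformed address in the record
            matched = ip in net             # False when address families differ
        elif name == "a":
            matched = host_has_address(arg or domain, ip)
        elif name == "mx":
            matched = any(host_has_address(mx, ip)
                          for mx in STUB_MX.get(arg or domain, []))
        else:
            return "permerror"              # mechanism unsupported by this example
        if matched:
            return QUALIFIERS[qualifier]    # the first matching mechanism decides
    return "neutral"                        # nothing matched and no "all" term


if __name__ == "__main__":
    policy = "v=spf1 ip4:192.0.2.0/24 a:mail.example.com mx -all"
    for ip in ("192.0.2.10", "2001:db8::10", "198.51.100.5"):
        print(ip, "->", evaluate_spf(policy, ip, "example.com"))
```

The order of mechanisms matters: evaluation stops at the first match, so a
record ending in "-all" rejects every host not listed before it, while a record
with no "all" term leaves unknown hosts at "neutral", which receivers treat much
like having no record at all.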
Once you are confident about the authenticity of the sender address, you can
finally "take it for real" and attach reputation to it. While IP-address-based
reputation systems like Spamhaus or SpamCop have prevailed so far, reputation
will increasingly be based on domains and even individual e-mail addresses in
the future, too. Furthermore, additional kinds of policies are planned for a
future version of SPF, such as asserting that all of a domain's outgoing mail is
S/MIME or PGP signed.
How do I enable the SPF protection?
First off, you should choose the exact domain name you wish to protect with SPF
records. Note that all the e-mail addresses created for that domain name will be
secured with the rules you specify.
Once you have chosen the domain name, select the ON option to enable the SPF
protection. Then you can specify a single setting or any combination of the
following:
Setting | Description
Hosts | Fill in a list of all the hostnames that are authorized to send mail for the chosen domain name, e.g. my-best-domain.com, mail.smtp-server.com. Separate hostnames with a space, comma or semicolon.
IPv4 | Type the IP address of your SMTP mail server, e.g. 192.168.1.19
IPv6 | Type the IPv6 address of your SMTP mail server, e.g. 2001:0db8:2003:1::95
Allow all hosts (hazardous!) | This setting sets no restriction at all and allows all hosts to send mail on behalf of your domain name. Use it only when solving server accessibility issues!
Allow my domain name's MX records | Only the MX records stored for your domain name in the DNS zone will be able to send mail on behalf of your domain name.
Allow hosts with correct reverse DNS resolution | Only hosts with a correct reverse DNS resolution will be allowed to send mail on behalf of your domain name.
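To make the settings above concrete, here is an added example written for this
page (not the panel's own code; the mapping of each setting to an SPF mechanism
is this example's assumption) that turns them into the SPF record the domain
would publish and flags the choices worth a second look: "Allow all hosts"
becomes "+all", which authorizes every host, and the reverse DNS option becomes
the "ptr" mechanism, which RFC 7208 says SHOULD NOT be used. It also counts the
mechanisms that cost the receiver a DNS lookup against the limit of 10 from
RFC 7208, since a record over that limit yields "permerror" rather than
protection. Unlike the panel fields, it also accepts several addresses and CIDR
ranges in the IPv4/IPv6 fields.

```python
import ipaddress
import re

# Mechanisms that cost the receiver a DNS lookup; RFC 7208 allows at most 10
# per evaluation, and exceeding the limit produces "permerror".
LOOKUP_MECHANISMS = ("a", "mx", "ptr", "include", "exists", "redirect")
MAX_LOOKUPS = 10


def split_field(text):
    """Split a panel text field on spaces, commas or semicolons."""
    return [item for item in re.split(r"[\s,;]+", text.strip()) if item]


def address_term(mechanism, value, version):
    """Render one ip4:/ip6: term, normalising the address and rejecting the
    wrong address family (e.g. an IPv6 address typed into the IPv4 field)."""
    net = ipaddress.ip_network(value, strict=False)
    if net.version != version:
        raise ValueError(f"{value!r} is not an IPv{version} address")
    if net.prefixlen == net.max_prefixlen:        # single host address
        return f"{mechanism}:{net.network_address}"
    return f"{mechanism}:{net.with_prefixlen}"    # CIDR range


def build_spf_record(hosts="", ipv4="", ipv6="", allow_all=False,
                     allow_mx=False, allow_reverse_dns=False, soft_fail=False):
    """Turn the panel settings into an SPF record string.

    Returns (record, warnings). The mapping from settings to mechanisms is
    this example's assumption, not the panel's code.
    """
    terms = ["v=spf1"]
    warnings = []
    terms += [f"a:{host}" for host in split_field(hosts)]                # Hosts
    terms += [address_term("ip4", a, 4) for a in split_field(ipv4)]      # IPv4
    terms += [address_term("ip6", a, 6) for a in split_field(ipv6)]      # IPv6
    if allow_mx:                        # Allow my domain name's MX records
        terms.append("mx")
    if allow_reverse_dns:               # Allow hosts with correct reverse DNS
        terms.append("ptr")
        warnings.append("ptr is slow and unreliable; RFC 7208 says it "
                        "SHOULD NOT be used")
    if allow_all:                       # Allow all hosts (hazardous!)
        terms.append("+all")
        warnings.append("+all authorizes every host on the internet; "
                        "the record provides no protection")
    else:
        # Everything not listed above is rejected (-all) or soft-failed (~all).
        terms.append("~all" if soft_fail else "-all")

    lookups = sum(1 for t in terms
                  if t.lstrip("+-~?").split(":")[0] in LOOKUP_MECHANISMS)
    if lookups > MAX_LOOKUPS:
        warnings.append(f"{lookups} DNS-lookup mechanisms exceed the limit of "
                        f"{MAX_LOOKUPS}; receivers will return permerror")
    return " ".join(terms), warnings


if __name__ == "__main__":
    record, notes = build_spf_record(hosts="my-best-domain.com, mail.smtp-server.com",
                                     ipv4="192.168.1.19",
                                     ipv6="2001:0db8:2003:1::95", allow_mx=True)
    print(record)
    for note in notes:
        print("warning:", note)
```

The resulting string is what goes into a TXT record for the domain; the
warnings list is what a panel could show next to the "hazardous" option and the
reverse DNS option before the record is published.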