Note: Please get on the mailing list to stay abreast of updates.
Let's pretend that my domain name is:
of my users still "forge" their own address in outbound mail, through an SMTP server I do not control.
Pick a default.
SPF domains have to publish at least two directives: a version identifier and a default mechanism.
example.net. TXT "v=spf1 -all"
This is the simplest possible SPF record: it means your domain example.net never sends mail.
It makes sense to do this when a domain is only used for web services and doesn't do email.
But most domains will want to designate permitted hosts using one or more mechanisms.
If your MX servers send mail, designate them.
example.net. TXT "v=spf1 mx -all"
If example.net had an MX record, its MX servers would be designated. But it doesn't have any MX servers.
If other machines in the domain also send mail, designate them.
example.net. TXT "v=spf1 mx ptr -all"
This designates all the hosts whose PTR hostnames match example.net.
If any other machines not in the domain also send mail from that domain, designate them.
example.net. TXT "v=spf1 a:example.net mx ptr -all"
example.net's IP address doesn't show up in its list of MX servers. So we add an "a" mechanism to the directive set to match it.
example.net. TXT "v=spf1 a mx ptr -all"
This is shorthand for the same thing.
Each of your mail servers should have an SPF record also.
When your mail servers create a bounce message, they will send it using a blank envelope sender: <>. When an SPF MTA sees a blank envelope sender, it will perform the lookup using the HELO domain name instead. These records take care of that scenario.
Consider creating an SPF record for every other machine in your domain.
Spammers can forge hostnames as well as domain names: to SMTP there is no difference between the two. If they start forging the hostnames of web servers, Unix servers, even workstations, you'll want to create SPF records for those machines also.
Notes
If you send mail through another organization's servers, you should use an Include directive to point to their servers. If they do not have SPF records, maybe they don't know about SPF. Tell them about it!
(optional) use Include records to share these hosts
If other domains use exactly the same set of hosts, you can set up redirects for them. "Redirect" aliases point to other domains which themselves publish SPF records. This aliasing mechanism makes it possible to easily consolidate multiple domains that share the same set of designated hosts.
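To show how a receiving MTA evaluates the records built above (the a, mx and ptr mechanisms, the -all default, the HELO fallback for blank bounce senders, and the include and redirect aliasing just described), here is a small offline SPF checker. It is an added example, not code from openspf.org; the zone data in the DNS table is constructed, and it omits the ip4/ip6/exists mechanisms and the DNS-lookup limits a production implementation must enforce.

```python
import ipaddress

# Constructed zone data standing in for live DNS (assumption: none of these hosts are real).
DNS = {
    "example.net": {"TXT": ["v=spf1 a mx ptr -all"], "A": ["192.0.2.10"],
                    "MX": ["mail.example.net"]},
    "mail.example.net": {"TXT": ["v=spf1 a -all"], "A": ["192.0.2.25"]},
    "web.example.net": {"A": ["192.0.2.80"]},
    "80.2.0.192.in-addr.arpa": {"PTR": ["web.example.net"]},
    "example.org": {"TXT": ["v=spf1 include:example.net -all"]},
    "example.com": {"TXT": ["v=spf1 redirect=example.net"]},
}
QUAL = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def lookup(name, rtype):
    return DNS.get(name.lower().rstrip("."), {}).get(rtype, [])

def matches(ip, domain, mech, arg):
    target = (arg or domain).lower()  # "a" means "a:<current domain>"
    if mech == "all":
        return True
    if mech == "a":
        return ip in lookup(target, "A")
    if mech == "mx":
        return any(ip in lookup(mx, "A") for mx in lookup(target, "MX"))
    if mech == "ptr":  # only reverse names whose forward A record confirms the IP count
        rev = ipaddress.ip_address(ip).reverse_pointer
        hosts = [h for h in lookup(rev, "PTR") if ip in lookup(h, "A")]
        return any(h == target or h.endswith("." + target) for h in hosts)
    if mech == "include":  # matches only when the included domain itself says pass
        return check_host(ip, target) == "pass"
    raise ValueError("unsupported mechanism: " + mech)

def check_host(ip, domain):
    records = [t for t in lookup(domain, "TXT") if t.split(" ")[0] == "v=spf1"]
    if not records:
        return "none"  # domain publishes no SPF record
    redirect = None
    for term in records[0].split()[1:]:
        if term.startswith("redirect="):  # consulted only if no mechanism matches
            redirect = term[len("redirect="):]
            continue
        qual, body = (term[0], term[1:]) if term[0] in QUAL else ("+", term)
        mech, _, arg = body.partition(":")
        if matches(ip, domain, mech, arg):
            return QUAL[qual]
    return check_host(ip, redirect) if redirect else "neutral"

def spf_result(ip, mail_from, helo):
    """Bounces carry the empty sender <>, so the HELO name is checked instead."""
    return check_host(ip, mail_from.split("@")[-1] if mail_from else helo)
```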
That's it. You're done.
Note: The above examples are good for a simple case, but do read the Mechanisms page or the SPF draft RFC to see how to configure complex cases. You can have multiple includes for a given domain.
Once you've set up records, try them out.
Reference: http://old.openspf.org/dns.html?mydomain=example.net&deny=deny