Section One • Anatomy of an SPF Record

To understand how SPF works and how it is set up, let's look at an example of a TXT record intended for use with SPF.

easydns-example.com IN TXT "v=spf1 a mx:example.com ip4:23.1.2.3/24 -all"

The section before "IN TXT" indicates what host name the record is for, and IN TXT is the way DNS defines that record as a TXT record. The section following that in quotes is the actual SPF data.

The first section of SPF data is always "v=spf1", called the identifier because it tells the mailserver that this TXT record is for use with SPF. It is followed by a series of "mechanisms," which are designators such as "a" or "mx", each separated by one blank space, and each evaluated as true or false in regard to the sending mailserver.

Each mechanism specifies a range of servers, either in reference to a DNS record or by IP address. In the example above, the first mechanism tells us that the A record for easydns-example.com is a valid host to send email for that domain, the second allows email from the MX record of example.com, and the third specifies a group of servers in the IP block 23.1.2.3/24. How these mechanisms work is detailed later in the tutorial.

These mechanisms can be preceded by a character indicating whether the server indicated is valid. If the mechanism is preceded by a "+" or has no character preceding it, a match indicates a "pass," and the server is valid. If it is preceded by a "-" or "~", a match indicates a "fail", and the server is considered invalid. A mechanism can also be preceded by a "?", indicating that it is neutral and is being checked for a reason other than rejecting email, such as for analysis or statistics.

The mechanisms are evaluated in the order they appear in the record. When a mechanism matches, the check stops and returns a pass or fail as indicated by the character preceding the mechanism. The last entry in the SPF data is the default mechanism, which is "all" preceded by "-" or "~". The default, only reached if none of the other mechanisms in the record match, always matches and indicates an invalid server. In effect this means, "anything else is invalid, reject or flag it."
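
The parsing and first-match evaluation described above, as an added example in Python (not code from this tutorial or from easyDNS). It handles only the mechanisms in the example record (a, mx, ip4, all); the DNS tables are constructed stand-ins for live lookups, and result names follow RFC 7208, which reports a "~" match as "softfail" rather than a hard fail.

```python
import ipaddress

RECORD = "v=spf1 a mx:example.com ip4:23.1.2.3/24 -all"  # SPF data from the record above
# Constructed DNS data standing in for live lookups (assumption, not real records).
DNS_A = {"easydns-example.com": ["198.51.100.10"], "mail.example.com": ["203.0.113.25"]}
DNS_MX = {"example.com": ["mail.example.com"]}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(txt):
    """Split SPF data into (qualifier, mechanism, value) tuples, in record order."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: missing v=spf1 identifier")
    parsed = []
    for term in terms[1:]:
        has_prefix = term[0] in QUALIFIERS
        qualifier = term[0] if has_prefix else "+"  # no prefix means "+"
        name, _, value = (term[1:] if has_prefix else term).partition(":")
        parsed.append((qualifier, name.lower(), value))
    return parsed


def hosts_for(name, value, domain):
    """Return the addresses or networks that one mechanism designates."""
    target = value or domain  # "a" and "mx" default to the record's own domain
    if name == "a":
        return DNS_A.get(target, [])
    if name == "mx":
        return [ip for mx in DNS_MX.get(target, []) for ip in DNS_A.get(mx, [])]
    if name == "ip4":
        return [value]
    raise ValueError(f"unsupported mechanism: {name}")


def check_spf(txt, domain, sender_ip):
    """Evaluate mechanisms left to right; the first match decides the result."""
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, name, value in parse_spf(txt):
        if name == "all":  # the default: always matches
            return QUALIFIERS[qualifier]
        for net in hosts_for(name, value, domain):
            # strict=False accepts 23.1.2.3/24, which has host bits set
            if ip in ipaddress.ip_network(net, strict=False):
                return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and the record has no "all"
```

Because evaluation stops at the first match, placing a "-" mechanism ahead of a broader "+" mechanism changes the outcome for any sender both cover.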


 





©2008 easyDNS™ Technologies Inc.