Determine which servers/machines will send emails for your domain to the Internet. It is very common to have only one machine send out-bound emails within your company,
which is usually the email server.
Assume every outbound email goes through your email server. In that case, your SPF record will look like:
v=spf1 mx ~all
Assume you have a third-party company that sends outbound emails on your behalf and their public IP address is
220.127.116.11. In that case, your SPF record will look like:
v=spf1 mx ip4:18.104.22.168/32 ~all
Taking the above examples one step further, assume you have outsourced your HR department to another company that also uses SPF and can send emails on your behalf.
The domain name of that company is friendlyHR.com. In that case, the SPF record will become:
v=spf1 mx ip4:22.214.171.124/32 include:friendlyhr.com ~all
Notice the ending
at the end of each record. This means a SOFTFAIL. An alternative approach is to use a
indicates a FAIL. Receiving server will most likely reject any incoming message that fails an SPF test and see a
in the SPF
record. Further analysis will be performed when a
is used before considering it a forged message.