SPF is an abbreviation for Sender Policy Framework; previously it was an abbreviation for Sender Permitted From (which personally I think makes it easier to visualise what it means).
The basic tenet of SPF is this: say you have some some domain (e.g. example.com) from which you send email. Email sent from example.com should only ever come from your outgoing email server, or maybe that of your ISP. Therefore, you publish an SPF record which says as much (e.g. effectively your SPF record might say "example.com's mail should only ever come from mail.example.com or from mail.powernet.co.uk").
When someone out there on the Internet receives mail claiming to be from example.com, they look up your SPF record to find out what IP addresses are allowed to send mail claiming to be from example.com. They then compare this to the IP address actually sending them the mail. If the IP address isn't listed in the SPF record, they may (for example) choose to reject the email.
Before using SPF however, please be aware of the following:
Publishing SPF records is only any use if other people's mail servers check SPF records when they receive mail, and most servers currently don't check SPF records.
SPF and email forwarding (relay) services don't sit well together. For example, consider what happens when you send mail from example.com to company-a.com, which then has a forwarding rule which sends the mail on to company-b.com. If company B checks for SPF records, then company B may reject your mail, because it originated from company A's mail server, not from yours (and therefore it failed the SPF check).
One solution to this is for company A (and in general any mail server which performs mail forwarding) to use the Sender Rewriting Scheme when forwarding mail. However, most email servers don't use the Sender Rewriting Scheme when forwarding mail.
- Or, company B should mark company A as a "trusted forwarder", and not reject mail from them just because it's failed the SPF test. Of course, this depends on company B knowing that company A is doing the forwarding.