So after a few people read my last phlog entry, I've been asked to explain 
SPF.  I won't try to explain everything about SPF; that is for the people at 
openspf.org to do.  I'll try to explain it from my point of view, which is that 
of a guy running his own outbound SMTP server and wanting his emails to get 
accepted by all the other SMTP servers out there.

I always believe it's good to start by asking "what's it for?"  If it's just a 
thing we are made to do, then nobody wants to do it.  But if we can understand a 
benefit to doing it, well then we may want to do it to chase that benefit!

SPF stands for "Sender Policy Framework."  It is a way for domain owners to 
publish, in DNS, their policy on which hosts are valid senders of email for the 
domain they own.  In the old days of email you would just set your sender 
address and that was that, no questions asked.  But then the spammers came 
along and began forging that sender address as part of their campaign of 
fooling people into reading their messages.  So you get an email from a friend 
or a boss or a known coworker or even yourself, and you open it only to read a 
message you didn't want about purchasing some herbal viagra or something.  So a 
way was needed to say "only these hosts can send email claiming to be from 
here."  One caveat up front: what SPF actually checks is the envelope sender 
(the MAIL FROM address, the one that ends up in the Return-Path header) and 
the HELO name, not the From: line you see in your mail client.  Tying the 
visible From: line to an SPF pass is DMARC's job, not SPF's.

Of course, you can see, this breaks some applications of email forwarding.  
Being a butcher by trade, I used to have a forwarder at Jason Scott's domain, 
cow.net.  Specifically, I was "mad at cow dot net."  I even put this in my from 
header, and sent email like that.  My ride ended months later when some spammer 
decided that my cool email address would be the perfect from header for his 
spams, and I began to get all kinds of weird bounces and complaints about his 
spam.  Now with spf, Jason could declare, "only my email server at such-and-such 
mail exchanger is a valid sender of cow.net email and all others should be 
rejected."  Even then, it would have been up to Jason whether or not to 
include my SMTP server on that authorized list.  I very well could have been 
left out in the cold anyway.  So when it comes to SPF, start out by thinking in 
terms of domains you own and what servers are allowed to send mail into the 
internet with an envelope sender (the MAIL FROM address) in a domain you own.

So, let's look at everybody's first SPF record, "v=spf1 +a +mx ~all".  How to 
interpret this?  Well, SPF is read from left to right, so we start with 
"v=spf1," which is just a declaration of what this record is: an SPF record 
written to the standard of version 1.  What follows is a space-separated list 
of mechanisms, each with an optional qualifier in front of it.  So in "+a" the 
plus is the qualifier and means "pass," and the a is the mechanism "the A 
record of this domain."  So if the domain is "email.domain" and its SPF record 
is "v=spf1 +a -all" (which is the same as "v=spf1 a -all," since the plus is 
the default and can be left off), that means "if you get an email that claims 
to be from email.domain, pass it if the IP it came from is one of the addresses 
the DNS A record for email.domain points to; if that doesn't match, fail all 
other emails."  This can also be written "v=spf1 +a:email.domain -all".  
Changing the end to ~all means "softfail," which tells the receiver that the 
mail is probably not legitimate but that it should not be rejected on SPF 
alone; in practice most receivers just mark it as suspicious and let it land 
in the spam folder.  The first mechanism that matches decides the result, and 
the rest of the record is never looked at.

How about that "+mx?"  You guessed it: the hosts named in the MX records of 
that domain, or more precisely the A (and AAAA) addresses those hosts resolve 
to.

The other thing you need to know is that you are allowed at most 10 DNS 
lookups per evaluation.  Every a, mx, include, ptr, exists and redirect term 
costs one; plain ip4 and ip6 addresses (and all) cost nothing, which is why big 
senders list address ranges.  The record is evaluated in order, left to right, 
and if evaluation runs past 10 lookups the result is a permerror: the record 
is treated as invalid, and the lookups spent inside nested includes count too.

So let's look at a real example...
dig gnu.org txt
...snip for brevity...
gnu.org.		300	IN	TXT	"v=spf1 ip4:140.186.70.0/24 
ip4:208.118.235.0/24 ip4:209.51.188.0/24 ip4:46.43.37.64/27 ip4:74.94.156.208/28 
ip6:2001:4830:134::/48 ip6:2001:470:142::/48 ip6:2001:41c8:20:2d3::/64 ~all"

Here we see that gnu.org chose to list IP address ranges as valid email 
senders, which costs them no lookups at all.  Indeed, doing a 
dig gnu.org mx
... snip for brevity...
gnu.org.		300	IN	MX	10 eggs.gnu.org.
shows their mail exchanger is eggs.gnu.org.  A ping of that host gives 
64 bytes from eggs.gnu.org (208.118.235.92): icmp_seq=1 ttl=55 time=10.3 ms

and 208.118.235.92 is indeed inside ip4:208.118.235.0/24.

Now in my case, I decided to go back to using a shared hosting provider's 
servers, so I had to contact them to get their SPF record.

v=spf1 +mx +a +include:websitewelcome.com 
+include:unifiedlayer.com ~all

So what's with the mechanism "include?"  It means "go fetch that domain's SPF 
record and evaluate it for this sender; if that record says pass, this 
mechanism matches."  Note that only a pass carries through: a fail or softfail 
inside the included record does not fail your mail, it just means the include 
didn't match and evaluation moves on to your next mechanism.  It turns out 
after a few dig commands that their list is a nested list of other groups of 
IP addresses.  So remember when I said you have 10 lookups?  Well, if I put 
the name of my email sending domain at the end of their record before the 
~all, then I do run out of lookups and it never gets there.  So to add to that 
SPF record I make my SPF record thus: "v=spf1 +mx 
+a:machinename.mydomain.tld +include:websitewelcome.com ~all".  This way, the 
contents of my designation are checked first, then what my email provider 
includes next.  Since the first match wins, mail from my own machine passes 
after a lookup or two and never touches the provider's include chain; the 
chain is only walked for mail that really came from their servers.
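To make all of this concrete, here is a toy SPF evaluator in Python.  It is an 
added example, not code from this phlog entry or from any SPF library: it runs 
the record syntax from the "v=spf1 +a +mx ~all" discussion above (qualifiers, 
a, mx, ip4/ip6, all, first match wins) and the include/lookup-budget situation 
from the last paragraph against a made-up in-memory DNS table.  Every domain, 
host and address in it is hypothetical (RFC 5737 / RFC 3849 documentation 
ranges), and check_host and parse_term are names invented for this example.

```python
"""Toy SPF (RFC 7208) evaluator over a constructed, in-memory DNS table.
Added example, not the phlog's code: every domain, host and address is made up
(documentation ranges), and check_host/parse_term are this example's own names,
not the API of a real SPF library such as pyspf."""
import ipaddress

LOOKUP_LIMIT = 10                              # RFC 7208 section 4.6.4
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed DNS data: (name, type) -> record values.  All hypothetical.
DNS = {
    ("email.domain", "TXT"): ["v=spf1 a mx include:provider.example ~all"],
    ("email.domain", "A"): ["192.0.2.10"],
    ("email.domain", "MX"): ["mx1.email.domain"],
    ("mx1.email.domain", "A"): ["192.0.2.25"],
    ("provider.example", "TXT"): ["v=spf1 ip4:198.51.100.0/24 include:hoster.example -all"],
    ("hoster.example", "TXT"): ["v=spf1 ip6:2001:db8::/32 -all"],
    ("mine.example", "A"): ["192.0.2.50"],
    ("first.example", "TXT"): ["v=spf1 a:mine.example include:deep.example -all"],
    ("last.example", "TXT"): ["v=spf1 include:deep.example a:mine.example -all"],
    ("deep.example", "TXT"): ["v=spf1 " + " ".join(f"include:d{i}.example" for i in range(10)) + " -all"],
}
for _i in range(10):                           # ten leaf records, one lookup each
    DNS[(f"d{_i}.example", "TXT")] = ["v=spf1 ip4:203.0.113.0/24 -all"]

class PermError(Exception):
    """Record unusable: bad syntax, or the DNS-lookup budget was exceeded."""

def parse_term(term):
    """Split 'qualifier mechanism[:target][/cidr]'; '+' is the default qualifier."""
    qualifier = "+"
    if term[:1] in QUALIFIERS:
        qualifier, term = term[0], term[1:]
    mech, _, arg = term.lower().partition(":")
    cidr = ""
    if "/" in mech:                            # "a/24" form
        mech, _, cidr = mech.partition("/")
    elif mech in ("a", "mx") and "/" in arg:   # "a:host/24" form
        arg, _, cidr = arg.partition("/")
    return qualifier, mech, arg, cidr

class Evaluator:
    def __init__(self, dns):
        self.dns = dns
        self.lookups = 0                       # one counter shared by nested includes

    def query(self, name, rtype):
        return self.dns.get((name, rtype), [])

    def spend_lookup(self):
        self.lookups += 1
        if self.lookups > LOOKUP_LIMIT:
            raise PermError(f"more than {LOOKUP_LIMIT} DNS-lookup terms")

    def spf_record(self, domain):
        recs = [r for r in self.query(domain, "TXT") if r.split()[:1] == ["v=spf1"]]
        if len(recs) != 1:                     # none or duplicates: both unusable
            raise PermError(f"{domain}: {len(recs)} v=spf1 records")
        return recs[0]

    def host_matches(self, host, ip, cidr):
        rtype, prefix = ("A" if ip.version == 4 else "AAAA"), (cidr or ip.max_prefixlen)
        return any(ip in ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
                   for addr in self.query(host, rtype))

    def matches(self, mech, arg, cidr, ip, domain):
        if mech == "all":
            return True
        if mech in ("ip4", "ip6"):             # literal addresses cost no lookup
            net = ipaddress.ip_network(arg, strict=False)
            return ip.version == net.version and ip in net
        if mech == "include":
            self.spend_lookup()
            # Matches only if the other policy yields "pass"; its fail/softfail
            # never propagate into the including record.
            return self.check(ip, arg) == "pass"
        if mech in ("a", "mx"):
            self.spend_lookup()
            target = arg or domain
            hosts = [target] if mech == "a" else self.query(target, "MX")
            return any(self.host_matches(h, ip, cidr) for h in hosts)
        raise PermError(f"mechanism {mech!r} not supported by this example")

    def check(self, ip, domain):
        for term in self.spf_record(domain).split()[1:]:
            if "=" in term:                    # modifiers (redirect=, exp=) not handled
                raise PermError(f"modifier {term!r} not supported by this example")
            qualifier, mech, arg, cidr = parse_term(term)
            if self.matches(mech, arg, cidr, ip, domain):
                return QUALIFIERS[qualifier]   # first match wins
        return "neutral"                       # ran off the end with no "all"

def check_host(ip, domain, dns=DNS):
    """Return (result, lookups_used); result is an RFC 7208 result string."""
    ev = Evaluator(dns)
    try:
        return ev.check(ipaddress.ip_address(ip), domain), ev.lookups
    except PermError:
        return "permerror", ev.lookups
```

Running check_host("203.0.113.1", "email.domain") gives ("softfail", 4): the 
provider's and hoster's -all never fail the mail, because an include only ever 
reports whether the other policy passed.  check_host("192.0.2.50", 
"first.example") passes after one lookup, while the same sender against 
last.example comes back "permerror" on the eleventh lookup, before its own a: 
mechanism is ever reached; that is exactly why your own mechanism belongs in 
front of the provider's include chain.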

The last thing I want to mention is a way to check your SPF setup with an 
email verifier.  The company port25.com, which makes a commercial MTA, keeps a 
verifier on the internet.  If you send an email to 
check-auth@verifier.port25.com they will email you back a report on how your 
record checks out, as seen from the IP your mail actually arrived from.

I hope you found this textfile informative!