We're in an early-adoption stage right now: we need lots
of domains to publish SPF records so we can test client
libraries against them. Please join the mailing list and
say which domains you've published SPF for!
It is natural to worry that setting up these records
might somehow cause other people to refuse your mail. If
this is a concern, set "~all", which makes softfail the
default result. Violations will then not be rejected;
they will be accepted.
Step 1: Publish SPF records.
Publish SPF records for your
domain. You can do this today on an experimental basis.
The specification has been frozen but you should still
subscribe to the announce list below in case major news
breaks.
Step 2: Enable SASL SMTP
For most MTAs, getting SASL working takes about an hour
and a half. You may need to recompile or reconfigure. But
once you have it, your users will be able to send outgoing
mail through your servers even if they're on the road. Encourage them to use it.
You should support SASL on ports 25 and 587.
After most of your users have switched to SASL, set a
local sunrise date on which you will change
softfail (~all) to fail (-all).
If you have a vanity domain with a very small userbase,
you can skip the softfail step entirely.
You should enable port 587 so your roaming users can
inject messages even when their hotel is blocking port
25.
You should also consider rate-limiting outbound mail
through your ISP's servers so they don't unwittingly become
a spam relay. Spam viruses compromise an entire
end-user machine and may send mail through your servers
instead of directly.
Step 3: Subscribe to one of the SPF lists to stay up to date.
You will need to reply to a confirmation email.
Step 4: Install an SPF-aware MTA.
Plugins to MTAs can be found at the Downloads page.
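
The softfail-to-fail switch from Step 2, as an added example that is not part of the original page: Python code that reads a domain's published SPF TXT record and reports its default ("all") result, so you can see which domains are still on ~all before the sunrise date. The function names and the sample domains and records are assumptions made for illustration.

```python
# Added example; the domains and records in SAMPLE_RECORDS are constructed.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def default_policy(txt_record):
    """Result for senders matching no earlier mechanism: pass, fail, softfail,
    neutral, "redirect", or None if the TXT record is not an SPF record."""
    terms = txt_record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    redirect = False
    for term in terms[1:]:
        lowered = term.lower()
        if lowered.startswith("redirect="):
            redirect = True
            continue
        qualifier, mechanism = "+", lowered  # "+" is the implicit qualifier
        if lowered[0] in QUALIFIERS:
            qualifier, mechanism = lowered[0], lowered[1:]
        if mechanism == "all":
            # "all" always matches, so redirect= is ignored when it is present.
            return QUALIFIERS[qualifier]
    # No "all": redirect= defers to another domain, otherwise neutral.
    return "redirect" if redirect else "neutral"

def sunrise_report(records):
    """Map each domain to the action needed before the sunrise date."""
    actions = {
        "fail": "already on -all: nothing to change",
        "softfail": "on ~all: change to -all on the sunrise date",
        "neutral": "neutral default: add ~all or -all",
        "pass": "+all authorizes every sender: fix the record",
        "redirect": "check the record of the redirect target",
        None: "no SPF record published",
    }
    return {d: actions[default_policy(txt)] for d, txt in records.items()}

SAMPLE_RECORDS = {  # constructed examples
    "example.com": "v=spf1 a mx ~all",
    "vanity.example": "v=spf1 mx -all",
    "old.example": "v=spf1 a mx",
    "other.example": "some unrelated TXT data",
}

if __name__ == "__main__":
    for domain, action in sunrise_report(SAMPLE_RECORDS).items():
        print(f"{domain}: {action}")
```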