Most domains send outbound mail through a relatively small number of servers. Domains should describe that set of servers in an SPF record in their DNS. Internet email receivers can then reject forged messages which don't come from an envelope sender domain's approved servers. This wizard helps domain owners identify all the servers which could be expected to send mail from their domain.

mydomain.com's IP addresses are 66.150.120.131, 64.14.143.57. Do those servers send mail from mydomain.com?		yes no
mydomain.com has one MX server, mx.mailix.net. It receives mail for mydomain.com. Does it also send mail from mydomain.com?		yes no
Do you want to just approve any host whose name ends in mydomain.com? (Expensive, unreliable and not recommended)		yes no
Do any other servers send mail from mydomain.com? You can describe them by giving "arguments" to the a:, mx:, ip4:, and ptr: mechanisms. mx: takes domain names and approves all the MX servers of these domains. To keep the wizard short we left out ptr:, but it works analogously.		regular hostnames
		domain names
IP networks can be entered using CIDR notation, eg. 192.0.2.0/24		IP addresses
Could mail from mydomain.com originate through servers belonging to some other domain? If you send mail through your ISP's servers, and the ISP has published an SPF record, name the ISP here.
Do the above lines describe all the hosts that send mail from mydomain.com?		yes no
mydomain.com. IN TXT "v=spf1"

The SPF record:

v=spf1 mx ip4:69.63.211.0/25 ip4:64.85.73.0/25 ip4:70.103.251.0/24 ip4:63.251.171.160/27 ip4:216.34.94.189/32 include:rnmk.com include:custhelp.com -all:86400

can be explained as:

	v=spf1	This identifies the TXT record as an SPF string.
	mx	mydomain.com has one MX server, mx.mailix.net. It is allowed to send mail from mydomain.com. If you add more MX servers in the future, they'll automatically be allowed, too.
	ip4:69.63.211.0/25	Every host in the range 69.63.211.0-69.63.211.127 is allowed to send mail from mydomain.com.
	ip4:64.85.73.0/25	Every host in the range 64.85.73.0-64.85.73.127 is allowed to send mail from mydomain.com.
	ip4:70.103.251.0/24	Every host in the range 70.103.251.0-70.103.251.255 is allowed to send mail from mydomain.com.
	ip4:63.251.171.160/27	Every host in the range 63.251.171.160-63.251.171.191 is allowed to send mail from mydomain.com.
	ip4:216.34.94.189/32	216.34.94.189 is allowed to send mail from mydomain.com.
	include:rnmk.com	Any server allowed to send mail from rnmk.com is also allowed to send mail from mydomain.com.
	include:custhelp.com	Any server allowed to send mail from custhelp.com is also allowed to send mail from mydomain.com.
	-all:86400	No other servers are allowed to send mail from mydomain.com. This is a good default for sites particularly concerned about forgery.

You need to transfer these records to your DNS server by yourself. No changes can be made by the wizard, it can only provide you with the data that needs to be entered into your DNS server.

mydomain.com. IN TXT "v=spf1 mx ip4:69.63.211.0/25 ip4:64.85.73.0/25 ip4:70.103.251.0/24 ip4:63.251.171.160/27 ip4:216.34.94.189/32 include:rnmk.com include:custhelp.com -all:86400"

'mydomain.com:v=spf1 mx ip4\07269.63.211.0/25 ip4\07264.85.73.0/25 ip4\07270.103.251.0/24 ip4\07263.251.171.160/27 ip4\072216.34.94.189/32 include\072rnmk.com include\072custhelp.com -all\07286400:3600

If you run Windows DNS

Please see these instructions.

More options

If your site requires more complex configuration than this, you should read more about mechanisms. You should also review the tradeoffs involved in choosing an "all" default: see page 15 of the white paper.

You can test some pretend scenarios at one of the DNS tools. MTAs that reject mail because SPF tests failed will link to the why page.