The SPF DNS method employs a list of 8 mechanisms that differentiate authorized email senders from unauthorized ones.
all: This mechanism is at the end of the SPF record and matches all the senders.
ip4: This mechanism allows IP addresses of the IPv4 network range of a pre-specified list to send emails using a given domain name.
ip6: This mechanism is similar to ip4 but works on the IPv6 network range.
a: When this mechanism is used, the sender's IP address must exactly match an address returned by the domain's A record lookup unless a prefix length is provided. When a prefix length is provided, any IP address within that prefix matches.
mx: With this mechanism, the domain's MX records are tested in the order of their specified priority.
ptr: The hostnames are validated using PTR queries. The invalid hostnames are rejected, while the valid ones are matched.
exists: This mechanism performs an A query on the given domain; if the query returns a record, the sender is validated and approved.
include: This mechanism checks the specified domain's SPF record for a match. If a match is not found, processing continues with the rest of the list.
Each of the mechanisms can use any one of the four qualifiers:
+ (Pass)
The Pass qualifier lists the domain-authorized email senders.
- (Fail)
The Fail qualifier lists the unauthorized senders.
~ (SoftFail)
The SoftFail qualifier gives the list of the in-transition unauthorized senders.
? (Neutral)
The Neutral qualifier is used to mark the questionable senders.
If a temporary error occurs while the DNS processing is ongoing, the result is 'TempError'. In contrast, a syntax or evaluation error is reported as 'PermError'. Where the domain has not created the record yet, the result 'None' is observed.
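The following is an added example, not code from the original page: a small offline evaluator showing how the mechanisms, qualifiers and error results above combine when a receiver checks a sender's IP. It assumes the standard `v=spf1` version tag and left-to-right, first-match evaluation, handles only `ip4`, `ip6` and `all` (the DNS-backed mechanisms raise `NotImplementedError`), and uses a constructed record built from documentation address ranges.

```python
import ipaddress

# Qualifier -> result, as listed above. A mechanism without a qualifier means "+".
QUALIFIERS = {"+": "Pass", "-": "Fail", "~": "SoftFail", "?": "Neutral"}
MECHANISMS = {"all", "ip4", "ip6", "a", "mx", "ptr", "exists", "include"}

def parse_spf(record):
    """Return [(qualifier, mechanism, argument)], or None if not an SPF record."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    parsed = []
    for term in terms[1:]:
        qualifier, body = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        name, _, arg = body.partition(":")
        if "=" in name:
            continue  # modifier such as redirect=; modifiers are ignored here
        name = name.partition("/")[0].lower()  # "a/24" -> "a"
        if name not in MECHANISMS:
            raise ValueError(f"unknown mechanism: {term}")
        parsed.append((qualifier, name, arg))
    return parsed

def evaluate(record, sender_ip):
    """Evaluate left to right; the first matching mechanism decides the result."""
    ip = ipaddress.ip_address(sender_ip)
    try:
        terms = parse_spf(record)
        if terms is None:
            return "None"
        for qualifier, name, arg in terms:
            if name == "all":
                return QUALIFIERS[qualifier]
            if name not in ("ip4", "ip6"):
                raise NotImplementedError(f"{name} requires DNS lookups")
            net = ipaddress.ip_network(arg, strict=False)
            if net.version != int(name[2]):
                raise ValueError(f"{name} given an address of the wrong family")
            if ip in net:
                return QUALIFIERS[qualifier]
    except ValueError:
        return "PermError"
    return "Neutral"  # nothing matched and the record has no "all"

# Constructed sample record using documentation address ranges.
RECORD = "v=spf1 -ip4:192.0.2.66 ip4:192.0.2.0/24 ip6:2001:db8::/32 ~all"
if __name__ == "__main__":
    for addr in ("192.0.2.66", "192.0.2.10", "2001:db8::25", "198.51.100.7"):
        print(addr, evaluate(RECORD, addr))
```

Because the first match wins, the `-ip4:192.0.2.66` term must come before the wider `ip4:192.0.2.0/24` term for the exclusion to take effect.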