We need to create a new subdomain `outgoing.fripost.org` which A and AAAA records point to machines currently serving as outgoing SMTP servers. Then we would add the following records to the DNS zone ([RFC 4408 section 3.1.1](https://tools.ietf.org/html/rfc4408#section-3.1.1) recommends both SPF and TXT records, with identical content.): outgoing.fripost.org IN SPF "v=spf1 a ~all" outgoing.fripost.org IN TXT "v=spf1 a ~all" fripost.org IN SPF "v=spf1 redirect=outgoing.fripost.org" fripost.org IN TXT "v=spf1 redirect=outgoing.fripost.org" That essentially means whenever someone receives a message from a `@fripost.org` address, we can say the address hasn't been spoofed (or been spoofed by another fripost member) if the message was originating from `outgoing.fripost.org` (i.e., was sent from the webmail, the Mail Submission Agent, or was the target of an alias or subscribed on a list). Otherwise, things are like there wasn't an SPF policy. With that information at hand, the recipient may decide to classify the message as SPAM or HAM for instance. If we were to disallow (we probably aren't) messages from `@fripost.org` addresses to be sent from anything else than what `outgoing.fripost.org` points to, we could replace the trailing `~all` (softfail) by `-all` (fail). Having an SPF policy for Fripost is also useful for domains using fripost.org as MX:es. For instance, to allow `@example.org` messages to be sent from either `fripost.org`'s outgoing machines (without knowing what they are a priori, therefore the SPF policy is copied) or `example.org`'s A/AAAA records, but nothing else: example.org IN SPF "v=spf1 ?include:fripost.org a -all" example.org IN TXT "v=spf1 ?include:fripost.org a -all" Hopefully one day we'll have DNSSEC, defeating DNS-spoofing. The the [qualifier](https://tools.ietf.org/html/rfc4408#section-5.2) could be changed to something tighter: example.org IN SPF "v=spf1 include:fripost.org a -all" example.org IN TXT "v=spf1 include:fripost.org a -all" Here too the default action `-all` (fail) could be replaced by `~all` (softfail) to allow mails from `@example.org` addresses to be sent from other locations, but without asserting they aren't spoofed in that case. If `example.org`'s has no A/AAAA records, or if the machine they point to are not supposed to relay mails to the outside, one may prefer to merely copy our policy: example.org IN SPF "v=spf1 redirect=outgoing.fripost.org" example.org IN TXT "v=spf1 redirect=outgoing.fripost.org" References: RFCs [4408](https://tools.ietf.org/html/rfc4408) and [6652](https://tools.ietf.org/html/rfc6652); See also the [Wikipedia page](https://en.wikipedia.org/wiki/Sender_Policy_Framework). [[closed]]