SPF
SPF (Sender Policy Framework) is an email-authentication standard. It lets a domain owner publish, in DNS, a list of IPs and providers that are authorized to send mail on the domain's behalf. Receiving servers can then check whether incoming mail came from one of those authorized senders.
Where it lives
SPF is published as a TXT record at the apex of the domain (e.g., example.com). The record starts with v=spf1. Example: v=spf1 include:_spf.google.com -all.
How it's evaluated
When mail arrives, the receiver looks at the envelope-from address, fetches the SPF record for its domain, and checks whether the connecting server's IP matches any of the mechanisms (IPs, includes, MX hosts, etc.). The result is one of: pass, fail, softfail, neutral, or none.
Common pitfalls
- SPF has a 10-DNS-lookup limit. Each include: counts. Stacking too many providers (Google + Mailchimp + HubSpot + Salesforce) blows the limit, and SPF stops working entirely.
- You can only have one SPF record per domain. Publishing multiple v=spf1 TXT records is a permanent error.
- SPF doesn't survive forwarding. If someone forwards mail you sent, the forwarder's IP isn't in your SPF, so SPF fails. DMARC + DKIM are needed to handle that.
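
The first two pitfalls can be checked before a record is published. The linter below is an added example, not part of the original page. It goes beyond the text by also counting a, mx, ptr, exists and redirect= as lookup-consuming terms, as RFC 7208 does. The zone data and domain names are constructed placeholders, and nothing is queried over the network.

```python
# Added example: SPF pitfall linter over a constructed, in-memory zone.
LOOKUP_LIMIT = 10  # limit on DNS-querying terms per SPF evaluation (RFC 7208)
QUERYING = {"include", "a", "mx", "ptr", "exists"}  # mechanisms that cost a lookup

# Constructed sample data: domain -> TXT strings. All names are placeholders.
ZONE = {
    "ok.example": ["v=spf1 ip4:192.0.2.0/24 include:_spf.mail.example -all"],
    "_spf.mail.example": ["v=spf1 ip4:198.51.100.0/24 -all"],
    "dup.example": ["v=spf1 mx -all", "v=spf1 include:_spf.mail.example ~all"],
    "big.example": ["v=spf1 " + " ".join(f"include:p{i}.example" for i in range(11)) + " -all"],
    **{f"p{i}.example": [f"v=spf1 ip4:203.0.113.{i} -all"] for i in range(11)},
}

def spf_records(domain, zone):
    """Return the TXT strings at `domain` that are SPF records."""
    return [t for t in zone.get(domain, []) if t.lower().split()[:1] == ["v=spf1"]]

def count_lookups(domain, zone, path=()):
    """Count DNS-querying terms reachable from `domain` via include/redirect."""
    records = spf_records(domain, zone)
    if domain in path or len(records) != 1:  # include loop, or no single record to follow
        return 0
    total = 0
    for term in records[0].split()[1:]:
        term = term.lstrip("+-~?")           # strip the qualifier
        if term.lower().startswith("redirect="):
            total += 1 + count_lookups(term.split("=", 1)[1], zone, path + (domain,))
            continue
        name, _, arg = term.partition(":")
        name = name.split("/")[0].lower()    # drop a CIDR suffix such as "mx/24"
        if name in QUERYING:
            total += 1
            if name == "include":
                total += count_lookups(arg, zone, path + (domain,))
    return total

def lint(domain, zone=ZONE):
    """Return the problems found for `domain`: duplicate records, lookup limit."""
    problems = []
    n = len(spf_records(domain, zone))
    if n > 1:
        problems.append(f"{n} v=spf1 records (permanent error)")
    lookups = count_lookups(domain, zone)
    if lookups > LOOKUP_LIMIT:
        problems.append(f"{lookups} DNS lookups (limit {LOOKUP_LIMIT})")
    return problems
```
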
Related: DKIM · DMARC · TXT lookup.