Many people set up SPF records without fully understanding the implications of doing so.
Let's say your email address is johndoe@abc.com and you want to send an email to your client janedoe@123.com.
When you click send, your email client connects to an email server with IP address 1.1.1.1, which delivers your message to an email server with IP address 1.2.2.1.
A bad guy creates an email address identical to yours, johndoe@abc.com, on another email service and sends a scam email to your client janedoe@123.com. She gets the message, and it appears as if it came directly from you. However, the scammer sent the email out of his own email server with IP address 1.3.3.1.
How do you stop this from happening?
The technology is called Sender Policy Framework (SPF).
It's very simple to set up: all you need to do is publish a TXT record in your DNS settings like this:
"v=spf1 ip4:1.1.1.1 -all"
This tells email servers that receive email from your domain name abc.com that they should only accept email from your email server with IP address 1.1.1.1.
The -all at the end tells email servers to reject any email that does not come from IP address 1.1.1.1.
Sounds like an easy solution right? Well yes and no.
This only works if the receiving email server enforces SPF. In the scenario above, the email server for janedoe@123.com would have seen that the scam message came from IP address 1.3.3.1 and would have honored the SPF record for abc.com by rejecting that message.
The most common mistake John Doe will make is to use third-party accounting services (IP 1.4.3.4), email marketing services (IP 2.2.2.1), CRM software (IP 4.3.3.3), EHR/EMR systems (IP 45.4.2.1), calendar services (IP 47.3.4.1), etc. that also send out emails on behalf of johndoe@abc.com.
The problem is that each of those systems sends out of its own email servers, each with a different IP address.
If you don't list each of those IP addresses in your SPF record, mail servers around the world will reject those emails.
This is commonly known as an SPF Rejection.
So how do you fix it?
You need to add the IP addresses of all the systems you use to your SPF record, like this:
"v=spf1 ip4:1.1.1.1 ip4:1.4.3.4 ip4:2.2.2.1 ip4:4.3.3.3 ip4:45.4.2.1 ip4:47.3.4.1 -all"
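To show what the receiving server actually does with these two records, here is a small SPF evaluator written for this article (it is not EnGuard's code or a real DNS library). It uses a constructed in-memory lookup table instead of live DNS, with the made-up domain abc-fixed.com standing in for abc.com after the record is expanded, and it goes slightly beyond the text by also accepting ip4 mechanisms with a /CIDR suffix and the ~all and ?all qualifiers.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups. "abc-fixed.com" is a made-up name
# holding the expanded record from the article; only abc.com is real in the text.
DNS_TXT = {
    "abc.com": "v=spf1 ip4:1.1.1.1 -all",
    "abc-fixed.com": ("v=spf1 ip4:1.1.1.1 ip4:1.4.3.4 ip4:2.2.2.1 "
                      "ip4:4.3.3.3 ip4:45.4.2.1 ip4:47.3.4.1 -all"),
}

# SPF qualifiers: a mechanism with no qualifier is treated as "+" (pass).
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, sender_ip, dns=DNS_TXT):
    """Evaluate a domain's SPF record against the IP that connected to us.

    Returns pass, fail, softfail, neutral, none (no record) or permerror.
    Only the ip4 mechanism (with optional /CIDR) and 'all' are implemented;
    include, a, mx and ip6 are outside the scope of this example.
    """
    record = dns.get(domain)
    if record is None:
        return "none"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "permerror"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term.lower() == "all":
            # 'all' matches every sender, so "-all" rejects anything not listed above.
            return QUALIFIERS[qualifier]
        if term.lower().startswith("ip4:"):
            network = ipaddress.ip_network(term[4:], strict=False)  # bare IP -> /32
            if ip.version == 4 and ip in network:
                return QUALIFIERS[qualifier]
        else:
            return "permerror"  # mechanism this example does not implement
    return "neutral"  # record ended without any mechanism matching
```

With the first record, mail from the marketing service at 2.2.2.1 gets the same "fail" as the scammer at 1.3.3.1; only the expanded record lets it through.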
EnGuard complies with all SPF requests and will reject messages that do not come from an IP address listed in the sending domain name's SPF record.