SPF (Sender Policy Framework, RFC 7208) declares which mail servers are allowed to send mail for a domain. Receivers compare the sending IP against the policy; mismatches trigger a fail decision (-all), softfail (~all), or neutral (?all) depending on the trailing mechanism.
The record lives at the domain apex as a TXT record beginning with v=spf1. Common mechanisms: ip4: and ip6: (literal IPs), a and mx (use the domain's A/MX records), and include: (delegate to another domain's SPF). The redirect= modifier replaces this evaluation with another domain's policy.
The most common silent failure mode is exceeding the RFC 7208 §4.6.4 limit of 10 DNS lookups during evaluation (counting include, a, mx, ptr, exists, and redirect). Records that exceed the cap produce PERMERROR -- the receiver treats SPF as broken and the policy is ignored entirely. Flatten the include tree by inlining IPs for senders you control.
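The lookup cap above, as an added example that is not from the original page: a worst-case count of DNS-querying terms across a record's include/redirect tree, run on a constructed zone before and after flattening. The domain names, IP ranges and the function names count_lookups and audit are assumptions for illustration; the count is conservative because a real evaluation stops at the first matching mechanism.

```python
# Constructed zone data: name -> SPF TXT record (reserved example names, documentation IPs).
ZONE = {
    "example.com": "v=spf1 mx a include:mail.example include:crm.example include:news.example ~all",
    "mail.example": "v=spf1 include:a.mail.example include:b.mail.example "
                    "include:c.mail.example ~all",
    "a.mail.example": "v=spf1 ip4:192.0.2.0/26 ~all",
    "b.mail.example": "v=spf1 ip4:192.0.2.64/26 ~all",
    "c.mail.example": "v=spf1 ip4:192.0.2.128/26 ~all",
    "crm.example": "v=spf1 a mx include:relay.crm.example ~all",
    "relay.crm.example": "v=spf1 ip4:198.51.100.0/24 -all",
    "news.example": "v=spf1 ip4:203.0.113.0/24 ~all",
}
# Same zone with the mail.example tree (assumed to be a sender we control) inlined as IPs.
FLATTENED = {**ZONE, "example.com": "v=spf1 mx a ip4:192.0.2.0/25 ip4:192.0.2.128/26 "
                                    "include:crm.example include:news.example ~all"}

LOOKUP_LIMIT = 10  # RFC 7208 section 4.6.4
COUNTED = {"include", "a", "mx", "ptr", "exists", "redirect"}


def count_lookups(domain, zone, path=()):
    """Worst-case number of DNS-querying terms reachable from domain's SPF record."""
    if domain in path:
        raise ValueError(f"SPF loop: {' -> '.join(path + (domain,))}")
    record = zone.get(domain, "")
    if record.split()[:1] != ["v=spf1"]:
        raise ValueError(f"no SPF record for {domain}")
    total = 0
    for term in record.split()[1:]:
        name, _, target = term.lstrip("+-~?").partition(":")
        name = name.split("/")[0].lower()  # strip a CIDR suffix such as "a/24"
        if term.lower().startswith("redirect="):
            name, target = "redirect", term.split("=", 1)[1]
        if name in COUNTED:
            total += 1  # the term itself costs one lookup
            if name in ("include", "redirect"):  # and pulls in the target's terms
                total += count_lookups(target, zone, path + (domain,))
    return total


def audit(domain, zone):
    """Return (lookups, verdict); over the limit a receiver returns permerror."""
    n = count_lookups(domain, zone)
    return n, "permerror" if n > LOOKUP_LIMIT else "ok"


if __name__ == "__main__":
    for label, zone in (("before", ZONE), ("after", FLATTENED)):
        print(label, audit("example.com", zone))
```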
SPF alone doesn't protect against header-from spoofing (it authenticates the SMTP envelope sender, not the displayed From: address). DMARC closes that gap by requiring SPF or DKIM alignment with the visible From: domain.