SPF records detail which servers are allowed to send mail for your domain.
Questions 1-3 really summarise the whole point of SPF: you're supposed to be listing the addresses of all the servers that are authorised to send mail coming from your domain.
If you don't have an exhaustive list at this time, it's generally not a good idea to set up an SPF record. Also, a domain can only have one SPF record, so you'll need to combine all the information into a single record.
The individual questions really just help break the list down for you.
1. asks you for other domains whose mail servers may relay mail from you; if you have eg a secondary MX server at mail-relay.example.org, and that is the main mail server (MX record) for the domain example.org, then you should enter mx:example.org. Your SPF record should include your own domain's MX record under nearly all circumstances (mx).
2. asks you for your ip netblocks. If you have colocated servers at 1.2.3.0/28, and your office address space is 6.7.8.0/22, enter ip4:1.2.3.0/28 ip4:6.7.8.0/22. IPv6 space should be added as eg ip6:2a01:9900:0:4::/64.
3. if (eg) you also have a machine off in someone else's office that has to be allowed to send mail from your domain, enter that as well, with eg a:mail.remote.example.com.
Your mobile phone users are problematic. If they send email by connecting to your mail server using eg SMTP AUTH, and sending through that server, then you've dealt with them by listing the mail server's address in (2). If they send email by just connecting to whatever mail server the 3G/HSDPA provider's offering, then you can't do SPF meaningfully until you have rearchitected your email infrastructure so that you do control every point from which email purporting to be from you hits the internet.
Question 4 is a bit different, and asks what recipients should do with email that claims to be from your domain that doesn't come from one of the systems listed above. There are several legal responses, but the only interesting ones are ~all (soft fail) and -all (hard fail). ?all (no answer) is as useless as ~all (qv), and +all is an abomination.
~all is the simple choice; it tells people that you've listed a bunch of systems that are authorized to send mail from you, but that you're not committing to that list being exhaustive, so mail from your domain coming from other systems might still be legal. I urge you not to do that. Not only does it make SPF completely pointless, but some mail admins on SF deliberately configure their SPF receivers to treat ~all as the badge of a spammer. If you're not going to do -all, don't bother with SPF at all.
-all is the useful choice; it tells people that you've listed the systems that are allowed to send email from you, and that no other system is authorized to do so, so they are OK to reject emails from systems not listed in your SPF record. This is the point of SPF, but you have to be sure that you have listed all the hosts that are authorized to originate or relay mail from you before you activate it.
Google is known to advise that
Publishing an SPF record that uses -all instead of all may result in
delivery problems.
Well, yes, it may; that is the whole point of SPF. We cannot know for sure why Google gives this advice, but I strongly suspect that it's to prevent sysadmins who don't know exactly whence their email originates from causing themselves delivery problems. If you don't know where all your email comes from, don't use SPF. If you're going to use SPF, list all the places it comes from, and tell the world you're confident in that list, with -all.
Note that none of this is binding on a recipient's server; the fact that you advertise an SPF record in no way obliges anyone else to honour it. It's up to the admins of any given mail server what email they choose to accept or reject. What I think SPF does do is allow you to disclaim any further responsibility for email that claimed to be from your domain, but wasn't. Any mail admin coming to you complaining that your domain is sending them spam when they haven't bothered to check the SPF record you advertise that would have told them that the email should be rejected can fairly be sent away with a flea in their ear.
Since this answer has been canonicalised, I'd better say a few words about include and redirect. The latter is simpler; if your SPF record, say for example.com, says redirect=example.org, then example.org's SPF record replaces your own. example.org is also substituted for your domain in those look-ups (eg, if example.org's record includes the mx mechanism, the MX lookup should be done on example.org, not on your own domain).
include is widely misunderstood, and as the standard's authors note "the name 'include' was poorly chosen". If your SPF record includes example.org's record, then example.org's record should be examined by a recipient to see if it gives any reason (including +all) to accept your email. If it does, your mail should pass. If it doesn't, the recipient should continue to process your SPF record until landing on your all mechanism. Thus, -all, or indeed any other use of all except +all, in an included record, has no effect on the result of processing.
For more information on SPF records http://www.openspf.org is an excellent resource.
Please don't take this the wrong way, but if you get an SPF record wrong, you can stop a significant fraction of the internet from receiving email from you until you fix it. Your questions suggest you might not be completely au fait with what you're doing, and if that's the case, then you might want to consider getting professional assistance before you do something that stops you sending email to an awful lot of people.
Edit: thank you for your kind words, they're much appreciated.
SPF is primarily a technique to prevent joe-jobbing, but some people seem to have started to use it to try to detect spam. Some of those may indeed attach a negative value to your having no SPF record at all, or an overbroad record (eg a:3.4.5.6/2 a:77.5.6.7/2 a:133.56.67.78/2 a:203.54.32.1/2, which rather sneakily equates to +all), but that's up to them and there's not much you can do about it.
I personally think SPF is a good thing, and you should advertise a record if your current mail structure permits it, but it's very difficult to give an authoritative answer, valid for the entire internet, about how people are using a DNS record designed for a specific purpose, when they decide to use it for a different purpose. All I can say with certainty is that if you do advertise an SPF record with a policy of -all, and you get it wrong, a lot of people will never see your mail.
Edit 2: deleted pursuant to comments, and to keep the answer up-to-date.
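The include and redirect behaviour and the overbroad record described in the answer above can be checked with a small evaluator; this is an added example, not part of the original answer. It handles only the ip4, ip6, include, all and redirect terms, and the `RECORDS` table is constructed sample data standing in for DNS TXT lookups (the four /2 blocks are written as ip4: so that no address lookup is needed).

```python
import ipaddress

# Constructed zone data standing in for DNS TXT lookups (hypothetical records).
RECORDS = {
    "example.com": "v=spf1 ip4:1.2.3.0/28 include:example.org -all",
    "example.org": "v=spf1 ip4:6.7.8.0/22 ~all",
    "example.net": "v=spf1 redirect=example.org",
    "broad.example": "v=spf1 ip4:3.4.5.6/2 ip4:77.5.6.7/2 "
                     "ip4:133.56.67.78/2 ip4:203.54.32.1/2 -all",
}
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_host(ip, domain, records=RECORDS, depth=0):
    """Evaluate an SPF record for a sending IP and return the result name."""
    if depth > 10:  # simplification of the RFC 7208 lookup limit
        return "permerror"
    record = records.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    redirect = None
    for term in record.split()[1:]:
        if term.startswith("redirect="):
            redirect = term.split("=", 1)[1]
            continue
        qualifier = term[0] if term[0] in RESULTS else "+"
        name, _, arg = term.lstrip("+-~?").partition(":")
        if name == "all":
            return RESULTS[qualifier]
        elif name in ("ip4", "ip6"):
            # strict=False accepts host bits, as in ip4:3.4.5.6/2
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "include":
            # Only a "pass" from the included record counts as a match;
            # its own -all or ~all just means "no match, keep going".
            inner = check_host(ip, arg, records, depth + 1)
            if inner in ("none", "permerror"):
                return "permerror"
            matched = inner == "pass"
        else:
            return "permerror"  # mechanism outside this example's subset
        if matched:
            return RESULTS[qualifier]
    if redirect:  # reached only when no mechanism matched and no all was present
        result = check_host(ip, redirect, records, depth + 1)
        return "permerror" if result == "none" else result
    return "neutral"
```

For an unlisted address such as 9.9.9.9, example.com (include) ends on its own -all while example.net (redirect) inherits example.org's ~all, and every IPv4 address passes for broad.example despite its -all.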