How SPF works in plain English
You publish a TXT record at the root of your domain. The record lists every server, IP range, or third-party provider that is allowed to send mail using your domain name. When a receiving mail server gets a message from your domain, it looks up the SPF record and checks whether the actual sending server is on the list. If yes, the message passes SPF. If no, the message fails SPF, and DMARC decides what happens next.
Why SPF matters
Without SPF, anyone can put your domain in the From line of an email and send it from any server. SPF makes that impersonation visible to receiving servers, which is the foundation that DKIM and DMARC build on.
What does an SPF record look like?
An SPF record is a TXT record on your root domain that looks like: v=spf1 include:_spf.senddio.com include:_spf.google.com -all. Each include adds another authorised sender. The -all at the end means "reject anything not on the list".
SPF lookup limit
SPF has a hard limit of 10 DNS lookups per record. If you have many providers, you can exceed it without realising. Senddio uses a flattened include that counts as a single lookup, which keeps you well under the limit even with several other senders.