SPF (Sender Policy Framework) defines which IP addresses are authorized to send email for a domain — published in DNS TXT records. Receiving servers validate the sending IP against the SPF record.
SPF alone isn't enough — it can be bypassed using forwarding (forwarded email changes the sending IP). SPF + DKIM + DMARC together provide comprehensive email authentication. SPF soft fail (~all) vs. hard fail (-all): hard fail is more secure but risk of legitimate mail being rejected if your SPF is incomplete.