tcpserver Global Vars:
 control/spfaction   Type of action to take based on SPF result
 control/spftarpit   Enable/Disable tarpitting
 control/spftarpittime   How long to tarpit for
 control/spfexplainstate   Enable/Disable 'SPF Explanations'
 control/spfexplanation   SPF Explanation to use
 control/spftrustedstate   Enable/Disable 'Trusted Forwarder' mode
 control/spftrustedforwarder   SPF Query to use during Trusted Forwarder mode
 control/spfguesstate   Enable/Disable 'Best Guess' support
 control/spfbestguess   SPF Query to use during Best Guess mode
 control/spfheaderstate   Enable/Disable 'Received-SPF:' header tagging
 control/spfdebugstate   Enable/Disable libSPF debug logging (/var/log/spf.log)

spfaction
Description: Define how to react to various SPF results

Contents: Inside this file place a single digit between 0 and 7.

Type: Integer
Default: 1 (enabled)

Below describes the behaviour of these digits:

0: disabled
1: enabled (only prepends headers, and only if spfheaderstate == 1)
2: REJECT: fail; ACCEPT: pass, none, softfail, error, netural, unknown;
3: REJECT: fail, softfail; ACCEPT: pass, none, error, netural, unknown;
4: REJECT: fail, softfail, neutral; ACCEPT: pass, none, error, unknown;
5: REJECT: fail, softfail, neutral, none; ACCEPT: pass, error, unknown;
6: REJECT: fail, softfail, neutral, none, error; ACCEPT: pass, unknown;
7: REJECT: fail, softfail, neutral, none, error, unknown; ACCEPT: pass;

Default: 1 (enabled)
Running higher than 2 or 3 will definitely result in a loss of email. Consult the Adoption role at http://spftools.net and see the number of SPF records that are parsed incorrectly, so be careful.

spftarpit
Description:  Tarpit or 'latch-on' to a client you don't like

0 (default) = disable tarpitting
1 (enabled) = enable tarpitting

Type: Integer (time in seconds)
Default: 0 (off)

Tarpitting happens based on the above set spfaction. If the action was set to 2, then upon a softfail the process would sleep x seconds and then call quit (where x is the value of spftarpittime or the default 60)

Default: 0 (off)
I suggest you use this with caution, perhaps only enabling it on FAIL which is something that can only happen when an SPF rule is supplied, and some how the connecting client violates the policy. You have been warned. This could quite EASILY LEAD TO YOUR SERVER BEING DOSSED BY SOME TURD. DO NOT BLAME ME, DEFAULT IS OFF. CONSIDER YOUR SELF WARNED.

spftarpittime
Description:  How long to tarpit a client
Type: Integer (time in seconds)

Default: 60 (seconds)
Not too short, or its pointless, but not too long or you'll be clientless

spfexplainstate
Description:  Enable or Disable giving of 'SPF Explanations'

Type: Integer
Default: 0 (off)

When set to 1, explanations will be automatically printed out after any SPF query excluding SPF_PASS. This information is designed to be informative and helpful to a user who has just likely had his or her email rejected. See the above 'spfexplain' to define your own string to use instead. The default value exists within libSPF, so creating the control file is only necessary if you wish to change this value.

Default: 0 (off)
When set to 0, explanations are not appended.

spfexplanation
Description:  Explanation to provide client in any event result but SPF_PASS

Type: String

This string (can include macros) is expanded and sent to the client for every result case excluding pass. The default value exists within libspf, so creating the control file is only necessary if you wish to change this value.

Default: See http://spf.pobox.com/why.html?sender=%{S}&ip=%{I}&receiver=%{xR}
When set to 0, explanations are not appended.

spftrustedstate
Description:  Enable or Disable SPF Trusted Forwarder mode

Type: Integer

When set to 1, libspf will attempt to contact the site contained within that text, which would be ideally a whitelisting site (anything can really go there, but this particular file is here specifically to handle larger whitelisting services) that would be contacted in the event an SPF query returns NONE. The default value exists within libspf, so creating the control file is only necessary if you wish to change this value.

Default: 0 (off)
This is a great way to get around any hosts who refuse to publish! Simply publish for them in your own local DNS server, or you can make use of the the real "Trusted Forwarder" service which has many well known "non-SPF-publishing" sites already. http://trusted-forwarder.org

spftrustedforwarder
Description:  Define your Trusted Forwarder SPF Query

Type: String

This string (can include macros) is expanded and is used in the event that a connecting client's query results in NONE (no SPF record published). libSPF will then (if enabled) attempt to contact trusted-forwarder.org (default) which is a global whitelisting system. You can add additional sites, or provide your own. The default value exists withinlibSPF, so creating the control file is only necessary if you wish to change this value

Default: v=spf1 include:spf.trusted-forwarder.org
Its VERY important that this string end with a SPACE at the end! Failure to do so will likely result in parse failures.

spfguessstate
Description:  Enable or Disable SPF Best Guess mode

Type: Integer

When an SPF query fails, and then subsequently a trusted forwarder query possibly fails, libspf will attempt to perform a "best guess" query using a default string which can be redefined using the 'spfguess' control file. The default value exists within libspf, so creating the control file is only necessary if you wish to change this value.

Default: 0 (off)

spfbestguess
Description:  Define your Best Guess SPF Query

Type: String

This query is looked up in an attempt to make a guess against the user in the event no record is found and the trusted forwarder lookup fails. The default value exists within libspf, so creating the control file is only necessary if you wish to change this value.

Default: v=spf1 a/24 mx/24 ptr
Its VERY important that this string end with a SPACE at the end! Failure to do so will likely result in parse failures.

spfheaderstate
Description:  Enable or Disable Received-SPF: header prepending

Type: Integer

When set to 1, libspf will pre-pend "Received-SPF:" headers as per the SPF RFC Internet Draft. This are useful for third party applications such as SpamAssassin, and even email clients capable of parsing headers to know where to filter email to.

Default: 1 (on)
You should leave this ON. Failure to pre-pend Received-SPF: headers will nullify any possible benefit had through 3rd party Anti-Spam implementations such as SpamAssassin which will look at headers and evaluate them based on their content. It should be noted however, that SpamAssassin (unless someone intentionally does this) will only consider FAIL messages, because to do otherwise would be stupid. Spammers would simply tag their own messages with Received-SPF: pass messages :-)

spfdebugstate
Description:  Enable or Disable libSPF debugging

Type: Integer

When set to anything above 0 this will enable debugging in libSPF (provided that when you configured libSPF you supplied --enable-debug). To learn more about how debugging works in libSPF please read the "Debugging libSPF" PDF or TXT that accompanied your distribution or see the on-line version at: http://libspf.org/debugging_libspf.html.

Default: 0 (off)
It should be noted that Autoconf enables _SPF_DEBUG_LOGFILE by default, and the only way to disable this (to get deubgging to show up on STDOUT) is to manually edit the Makefile and comment out or remove the _SPF_DEBUG_LOGFILE macro leaving only _SPF_DEBUG.