Summary
While directly including IP addresses in SPF records is permissible and doesn't consume DNS lookup slots, it's generally advised against for larger setups. The 'include:' mechanism is favored for its scalability, ease of maintenance (especially with third-party services), and avoidance of exceeding the SPF's 10 DNS lookup limit. Techniques like SPF flattening and CIDR notation can also help manage IP addresses effectively. Understanding the intent behind authorizing specific IPs, and ensuring ESPs use dedicated subdomains for SPF are also vital. For long term maintainability consider moving to using include or domains that dynamically update IP addresses, rather than static IP addresses.
Key findings
- IPs Don't Use Lookups: Directly listing IPs in SPF doesn't consume DNS lookup slots.
- Include for Scalability: 'Include:' mechanism offers better scalability than listing individual IPs.
- Easy Maintenance with Includes: 'Include:' simplifies maintenance, especially for third-party services.
- DNS Lookup Limit: SPF records have a 10 DNS lookup limit, a constraint when listing numerous IPs.
- Dynamic IPs: Domains that dynamically update IP addresses are easier to maintain.
Key considerations
- Scale: Direct listing acceptable only at smaller scale, 'include:' better as you grow.
- 3rd Party IPs: Use includes to delegate IP updates to third parties.
- The Intent: Clarify the need to authorize IPs directly rather than using MX records.
- SPF record Subdomains: Ensure that marketing ESPs should be sending from a dedicated SPF subdomain
- SPF Flattening: SPF flattening as a method to remove the DNS lookup limits
What email marketers say
8 marketer opinions
The consensus among email marketers is that directly using IP addresses in SPF records is acceptable for small setups but not scalable for larger organizations. Listing numerous IP addresses can lead to exceeding the SPF record's 10 DNS lookup limit and increased maintenance overhead. The 'include:' mechanism, which references the SPF records of other domains, is generally recommended for third-party services due to its scalability and ease of maintenance. SPF flattening is also an option to reduce DNS lookups. Determining the intent behind using IP addresses is important. It is best practice to use dynamically updating IP addresses rather than static IP addresses where possible. CIDR notation should be considered to reduce number of entries in the SPF record.
Key opinions
- Scalability: 'Include:' mechanism scales better than listing individual IP addresses.
- Maintenance: 'Include:' simplifies maintenance, especially for third-party services.
- DNS Lookup Limit: SPF records have a 10 DNS lookup limit, which can be exceeded by listing too many IP addresses.
- SPF Flattening: SPF flattening can reduce DNS lookups.
- CIDR Notation: Using CIDR notation can reduce the number of IP address entries.
Key considerations
- Organization Size: Direct IP listing may be suitable for small organizations, but 'include:' is preferred for larger setups.
- Third-Party Services: Use 'include:' for third-party services to avoid manual updates when their IP addresses change.
- Maintenance Overhead: Consider the maintenance overhead of managing IP addresses directly in the SPF record.
- Intent: Determine the intent behind using IP addresses; MX servers are often for inbound mail, not outbound.
- Dynamic IP Addresses: Consider using systems which dynamically update IP addresses rather than static.
Marketer view
Email marketer from Reddit suggests limiting the number of IP addresses listed directly in your SPF record and using CIDR notation where appropriate to reduce the number of entries and avoid exceeding lookup limits.
4 Dec 2021 - Reddit
Marketer view
Email marketer from Stack Overflow explains that using 'include:' mechanisms is better for scalability and maintainability. If a third-party service changes their IP addresses, you don't need to update your SPF record, as their 'include:' record will reflect the changes.
29 Jun 2022 - Stack Overflow
What the experts say
4 expert opinions
Experts generally agree that directly including IP addresses in SPF records is acceptable, and can be useful in some situations. However, it's best practice to limit the amount of IP addresses directly, and instead use the 'include:' statement for a domain that lists the addresses, especially when dealing with a large number of IPs. Also, marketing mail through an ESP should have its own subdomain for SPF. Migrating to systems that dynamically update IP addresses is easier than manually maintaining fixed IP addresses.
Key opinions
- IPs are Normal: Using IPs in SPF records is normal and doesn't use a DNS lookup slot.
- Subdomains for ESPs: Marketing mail through an ESP should have its own subdomain for SPF.
- Include for Many IPs: Use 'include:' statements for domains listing IPs when you have more than a handful.
- Dynamic IPs Preferred: Migrate to systems that dynamically update IP addresses for easier maintenance.
Key considerations
- Number of IPs: Consider the number of IP addresses being used; 'include:' is better for larger numbers.
- Maintenance: Factor in the maintenance overhead of fixed IP addresses versus dynamic or 'include:'.
- Marketing Mail: Ensure marketing emails sent through ESPs use a dedicated subdomain for SPF.
Expert view
Expert from Email Geeks explains that any marketing mail through an ESP should have its own subdomain for SPF even if the 5322.from is the bare domain.
10 Aug 2023 - Email Geeks
Expert view
Expert from Word to the Wise answers that if you have more than a handful of IP addresses, it’s generally better to use an 'include:' statement for a domain that lists the addresses, rather than listing them directly as SPF records have limits.
17 Feb 2024 - Word to the Wise
What the documentation says
3 technical articles
Documentation from Google, Microsoft, and DMARC.org highlights the importance of using IP addresses sparingly in SPF records due to DNS lookup limits. While directly specifying IPv4 and IPv6 addresses is possible, using the 'include:' mechanism for domain names is generally recommended for better flexibility and to avoid exceeding the 10 DNS lookup limit.
Key findings
- IP Mechanisms: ip4: and ip6: mechanisms authorize specific IPv4 and IPv6 addresses.
- DNS Lookup Limit: SPF records have a 10 DNS lookup limit.
- Include Mechanism: 'include:' mechanism is preferred for flexibility and to avoid exceeding lookup limits.
Key considerations
- Spares Use: Use IP addresses sparingly in SPF records.
- Flexibility: Consider the flexibility offered by using the 'include:' mechanism.
- Lookup Limits: Ensure SPF records stay within the 10 DNS lookup limit.
Technical article
Documentation from Google Workspace Admin Help explains that the ip4: and ip6: mechanisms specify authorized IPv4 and IPv6 addresses. These mechanisms should be used sparingly and carefully due to SPF's DNS lookup limits.
15 Nov 2024 - Google Workspace Admin Help
Technical article
Documentation from Microsoft Learn shares that while using IP addresses directly in SPF records is possible, it's generally better to use 'include:' mechanism referring to domain names instead as it provides more flexibility and avoids exceeding the SPF record's lookup limits, also noting the 10 DNS lookup limit.
22 Jun 2023 - Microsoft Learn
How can I optimize my SPF record to stay within the lookup limit when using multiple email sending services?
How do I fix an SPF fail when using Hover and Netlify?
How do I properly set up SPF and DKIM records for email marketing, including handling multiple SPF records, IP ranges, bounce capturing, and Google Postmaster Tools verification?
How do I set up an SPF record when using multiple email sending services?
How should I combine SPF records and what domain should I use with SendinBlue?
