Sender Policy Framework, or SPF, is a fundamental email authentication standard. It's designed to prevent email spoofing by allowing domain owners to create a public list of the specific IP addresses authorized to send email on their behalf. When a mail server receives an email, it checks the sending IP address against the domain's SPF record in the DNS. If the IP is on the list, the email passes the check; if not, it can be marked as suspicious or rejected.
The core of an SPF record is built from "mechanisms". These are the specific terms that define the authorized senders. Several of these mechanisms deal directly or indirectly with IP addresses.
The most straightforward way to authorize an IP address in an SPF record is by using the ip4 and ip6 mechanisms. These are used to specify individual IP addresses or entire network ranges.
Sometimes you don't want to hard-code IP addresses into your SPF record. For instance, the IP address of your mail server might change. This is where the a and mx mechanisms become very useful. They work by looking up other DNS records for your domain.
The a mechanism
This mechanism authorizes any IP address found in the A or AAAA records for your domain. If your website is hosted at 203.0.113.10, and you also send email from that server, you can simply add the a mechanism to your SPF record. The receiving server will look up the A record for your domain and check whether the sending IP matches.
The mx mechanism
Similarly, the mx mechanism authorizes the servers responsible for receiving your email to also send email. It checks the MX records for your domain, finds the IP addresses of those mail servers, and allows them to send. This is common for organizations that use the same servers for both incoming and outgoing mail.
The include mechanism is a bit different. It doesn't authorize an IP directly. Instead, it delegates the check to another domain's SPF record. When a receiving server sees include:thirdparty.com, it will then go and look up the SPF record for thirdparty.com and use its mechanisms. This is how you authorize third-party services like email marketing platforms to send on your behalf. Their SPF record will contain the specific ip4 or ip6 mechanisms needed for their sending infrastructure.
In summary, while ip4 and ip6 are for specifying exact IP addresses, the a, mx, and include mechanisms provide flexible and powerful ways to manage your authorized sending IPs without having to list every single one manually.
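The evaluation described above, as an added example (not code from the original page): a small Python evaluator for the ip4, ip6, a, mx, include and all terms, run against a constructed DNS table instead of live DNS. The records, the check_spf and host_ips names, and the 10-lookup limit taken from RFC 7208 are assumptions of this example; CIDR suffixes on a and mx, macros and the remaining mechanisms are left out.

```python
import ipaddress
# Constructed DNS data for this example; names and addresses are placeholders.
DNS = {
    ("example.com", "TXT"): "v=spf1 ip4:192.0.2.0/24 a mx include:thirdparty.com -all",
    ("example.com", "A"): ["203.0.113.10"],
    ("example.com", "MX"): ["mail.example.com"],
    ("mail.example.com", "A"): ["203.0.113.25"],
    ("thirdparty.com", "TXT"): "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 ~all",
    ("loop.example", "TXT"): "v=spf1 include:loop.example -all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def host_ips(name):
    found = DNS.get((name, "A"), []) + DNS.get((name, "AAAA"), [])
    return [ipaddress.ip_address(a) for a in found]

def check_spf(ip, domain, budget=None):
    """Evaluate ip4, ip6, a, mx, include and all for a sending IP."""
    budget = [10] if budget is None else budget  # RFC 7208: at most 10 DNS-querying terms
    record = DNS.get((domain, "TXT"), "")
    if not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        result = QUALIFIERS.get(term[0], "pass")  # no qualifier means "+"
        name, _, arg = term.lstrip("+-~?").partition(":")
        if name in ("a", "mx", "include"):
            budget[0] -= 1
            if budget[0] < 0:
                return "permerror"  # too many lookups: the whole record is invalid
        if name in ("ip4", "ip6"):
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = addr in host_ips(arg or domain)
        elif name == "mx":
            hosts = DNS.get((arg or domain, "MX"), [])
            matched = any(addr in host_ips(h) for h in hosts)
        elif name == "include":
            sub = check_spf(ip, arg, budget)
            if sub in ("none", "permerror"):
                return "permerror"
            matched = sub == "pass"  # the included record's fail/softfail is not inherited
        elif name == "all":
            matched = True
        else:
            continue  # exists, ptr, modifiers and macros are outside this sketch
        if matched:
            return result
    return "neutral"
```

An address that only reaches thirdparty.com's ~all still ends at example.com's own -all, and the self-including loop.example record returns permerror once the lookup budget is spent.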