Sender Policy Framework, or SPF, is a fundamental email authentication standard. At its core, an SPF record is a simple text (TXT) record you add to your domain's DNS settings. This record's job is to specify which mail servers or IP addresses are permitted to send email on behalf of your domain. When an email is received, the recipient's mail server checks the SPF record of the sending domain to see if the IP address of the sending server is on the authorized list. This helps prevent spoofing and phishing attacks.
To build this list of authorized senders, SPF uses a set of instructions called "mechanisms". Several of these mechanisms are used to define the IP addresses of authorized senders, either directly or indirectly.
Direct IP address mechanisms: ip4 and ip6
The most straightforward way to authorize an IP address in an SPF record is by using the ip4 and ip6 mechanisms. As their names suggest, ip4 is used for IPv4 addresses, and ip6 is for IPv6 addresses. You can specify a single IP address or a range of addresses using CIDR notation.
For example, if your mail server sends email from the IP address 192.0.2.1, your SPF record would include ip4:192.0.2.1. This is the most direct and explicit way to grant sending permission to an IP address.
Indirect IP address mechanisms
While ip4 and ip6 are direct, other mechanisms work by looking up IP addresses associated with domain names. This is useful because IP addresses can change, and updating a DNS record is easier than updating every SPF record that references it.
- The 'a' mechanism: This mechanism authorizes the IP address found in the A or AAAA record of the domain itself. If your SPF record includes a, it tells receiving servers to look up the A record for your domain and allow that IP address to send mail. You can also specify a different domain, like a:mail.example.com.
- The 'mx' mechanism: This authorizes the servers that receive email for your domain (defined in your MX records) to also send email for your domain. When a receiving server sees mx in your SPF record, it looks up your domain's MX records, finds the IP addresses of those mail servers, and adds them to the authorized list.
- The 'include' mechanism: This is one of the most powerful and common mechanisms. It doesn't contain IP addresses itself, but instead points to another domain's SPF record. The receiving server then performs a new SPF lookup on the included domain, using its mechanisms to find the authorized IP addresses. This is typically used to authorize third-party services like Google Workspace, Microsoft 365, or marketing email platforms to send mail on your behalf.
Which mechanism should you use?
The choice of mechanism depends entirely on your email infrastructure. If you send email from a server with a static IP address, using ip4 is a good, explicit choice. If your website's server also sends email, the a mechanism is convenient. If you use a third-party email provider, you will almost certainly use the include mechanism, as providers manage their own lists of sending IPs.
Ultimately, every SPF check boils down to a list of IP addresses. The ip4, a, mx, and include mechanisms are all just different ways of compiling that list to give you the flexibility to manage your authorized senders effectively.
What SPF mechanism allows for IP addresses?
What SPF mechanism refers to other SPF records?
Does SPF apply to the 'Return-Path' address?
What SPF mechanism includes the A records of a domain?
What SPF mechanism includes the MX records of a domain?
What SPF mechanism refers to another domain's SPF record?
