Suped

What SPF mechanism should be used for a specific IP address?

Matthew Whittaker
Co-founder & CTO, Suped
Published 27 Apr 2025
Updated 5 Nov 2025
When setting up Sender Policy Framework (SPF) for your domain, accurately identifying and authorizing legitimate sending IP addresses is crucial. This process ensures that recipient email servers recognize your emails as authentic, helping to prevent them from being flagged as spam or rejected outright. Incorrect SPF configurations are a common cause of deliverability issues, often leading to legitimate emails landing in the spam folder or not being delivered at all.
The core purpose of SPF is to declare which mail servers are permitted to send email on behalf of your domain. This declaration is made through a special DNS TXT record that lists these authorized sending sources. If an email is sent from an unauthorized server, SPF can instruct recipient servers to handle it with suspicion, improving your domain's security and reputation.
Among the various SPF mechanisms, specific ones are designed to directly address IP addresses or IP ranges. Understanding which mechanism to use for a particular IP address is fundamental to creating a precise and effective SPF record. Choosing the right mechanism ensures all your legitimate senders are covered without inadvertently opening your domain to unauthorized use or exceeding the SPF DNS lookup limit.

Using ip4 and ip6 for direct IP authorization

Understanding ip4 and ip6 mechanisms

For explicitly authorizing specific IPv4 or IPv6 addresses, the ip4 and ip6 mechanisms are your primary tools. These mechanisms allow you to list individual IP addresses or blocks of IP addresses using CIDR (Classless Inter-Domain Routing) notation directly within your SPF record. This is especially useful for mail servers you directly control or for dedicated IP addresses provided by your email service provider.
The ip4 mechanism is used for IPv4 addresses. You can specify a single IP address like ip4:192.0.2.1 or an IP range using CIDR notation, such as ip4:198.51.100.0/24. Similarly, the ip6 mechanism is for IPv6 addresses, used like ip6:2001:db8::1 or ip6:2001:db8::/32. It's important to use the correct mechanism for the IP version you are authorizing.
Using these mechanisms provides explicit control over which IP addresses are permitted. This level of granularity is excellent for managing your own infrastructure. However, it requires you to maintain an accurate list of all your sending IPs. Any changes to your sending infrastructure, such as adding new mail servers or migrating to a different hosting provider, will necessitate an update to your SPF record.
Example SPF record using ip4 and ip6 mechanisms (DNS TXT record):
v=spf1 ip4:192.0.2.1 ip4:198.51.100.0/24 ip6:2001:db8::1 ip6:2001:db8::/32 ~all
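
To see how a receiving server applies these terms, the following added example (not code from Suped) evaluates the record above against a connecting IP, left to right. It handles only ip4, ip6 and all; a, mx and include are skipped because they need DNS, and the function name check_ip is an assumption of this sketch.

```python
import ipaddress

# Qualifier prefix -> SPF result (RFC 7208); a bare mechanism means "+".
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# The example record from this article.
RECORD = "v=spf1 ip4:192.0.2.1 ip4:198.51.100.0/24 ip6:2001:db8::1 ip6:2001:db8::/32 ~all"

def check_ip(record, sender_ip):
    """Evaluate the ip4, ip6 and all terms of an SPF record; first match wins."""
    ip = ipaddress.ip_address(sender_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier = term[0] if term[0] in RESULTS else "+"
        name, _, value = term.lstrip("+-~?").partition(":")
        name = name.lower()
        if name == "all":
            return RESULTS[qualifier]
        if name not in ("ip4", "ip6"):
            continue  # a, mx, include ... need DNS and are not evaluated here
        try:
            net = ipaddress.ip_network(value, strict=False)
        except ValueError:
            return "permerror"  # not an address or CIDR block
        if net.version != int(name[2]):
            return "permerror"  # e.g. an IPv6 address under ip4:
        if ip.version == net.version and ip in net:
            return RESULTS[qualifier]
    return "neutral"  # nothing matched and there was no all term

if __name__ == "__main__":
    for addr in ("192.0.2.1", "198.51.100.77", "192.0.2.2", "2001:db8:1::5"):
        print(addr, check_ip(RECORD, addr))
```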

Considering dynamic IP addresses and third-party services

Alternative SPF mechanisms for IP authorization

While ip4 and ip6 mechanisms are ideal for directly specifying IP addresses, other mechanisms can implicitly authorize sending IPs based on DNS records. These are often more convenient for dynamic environments or when using third-party email services.
  1. The a mechanism: Authorizes the IP addresses found in the A record of the current domain or a specified domain. For example, a would check the A record for your domain, while a:mail.example.com would check mail.example.com's A record. This is useful if your mail server uses the same IP as your website or a specific subdomain. You can learn more about how the 'a' mechanism works.
  2. The mx mechanism: Authorizes all servers listed in the MX records of the current domain or a specified domain. This is common for domains that send mail directly from their designated mail exchange servers. For example, mx would include the MX records for your domain, and mx:example.com would check example.com's MX records. You can learn more about what the MX mechanism means.
  3. The include mechanism: This mechanism delegates SPF authorization to another domain's SPF record. It's widely used when relying on third-party email service providers (ESPs) like Google Workspace or Microsoft 365. For instance, include:sendgrid.net would authorize SendGrid's sending IPs. The include mechanism also counts towards your 10-lookup limit, which is a critical consideration for SPF flattening.
Each of these mechanisms eventually resolves to a list of IP addresses that are authorized to send email. When choosing, consider whether your IP addresses are static or dynamic and if you manage your own mail servers or use a third-party service.

SPF best practices and common pitfalls

Best practices for IP-based SPF mechanisms

Properly configuring your SPF record, especially when dealing with IP addresses, requires careful attention to detail. A misconfigured SPF record can significantly harm your email deliverability, leading to legitimate emails being rejected or marked as spam. Here are some key best practices:

Key considerations for SPF ip4 and ip6 mechanisms

  1. Be precise with CIDR notation: When using IP ranges, ensure your CIDR blocks are accurate. Overly broad ranges can authorize unintended senders, while overly narrow ones can cause legitimate emails to fail SPF authentication. You can check if SPF allows for CIDR notation in our documentation.
  2. Avoid duplicate mechanisms: Listing the same IP or range multiple times, or including an IP that's already covered by an include mechanism, adds unnecessary bloat and can waste valuable DNS lookup slots.
  3. Regularly review your SPF record: IP addresses can change, especially with cloud services or shared hosting. Periodic review helps ensure your record remains current and accurate.
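
The first two checks in this list can be automated. This added example (not part of the original article) lints the ip4 and ip6 terms of a record for host bits left in a CIDR block, overly broad ranges, duplicates, and ranges already covered by another term. The sample record and the /16 and /32 breadth thresholds are assumptions chosen for illustration.

```python
import ipaddress

# Constructed sample record containing each problem the linter reports.
SAMPLE = ("v=spf1 ip4:192.0.2.1 ip4:192.0.2.0/24 ip4:198.51.100.7/24 "
          "ip4:10.0.0.0/8 ip4:192.0.2.1 ip6:2001:db8::/32 "
          "include:_spf.example.net ~all")

def lint_ip_terms(record, min_v4_prefix=16, min_v6_prefix=32):
    """Lint ip4/ip6 terms; returns a list of (code, term, detail) tuples."""
    findings, seen = [], []  # seen holds (term, network) pairs already parsed
    for term in record.split()[1:]:
        name, _, value = term.lstrip("+-~?").partition(":")
        if name.lower() not in ("ip4", "ip6"):
            continue
        try:
            net = ipaddress.ip_network(value, strict=False)
        except ValueError:
            findings.append(("invalid", term, "not an IP address or CIDR block"))
            continue
        # Host bits set (198.51.100.7/24) still authorizes the whole block.
        if ipaddress.ip_interface(value).ip != net.network_address:
            findings.append(("host-bits", term, f"authorizes all of {net}"))
        floor = min_v4_prefix if net.version == 4 else min_v6_prefix
        if net.prefixlen < floor:
            findings.append(("broad", term, f"{net.num_addresses} addresses"))
        for other_term, other in seen:
            if other.version != net.version:
                continue
            if net == other:
                findings.append(("duplicate", term, f"same as {other_term}"))
            elif net.subnet_of(other):
                findings.append(("redundant", term, f"covered by {other_term}"))
            elif other.subnet_of(net):
                findings.append(("redundant", other_term, f"covered by {term}"))
        seen.append((term, net))
    return findings

if __name__ == "__main__":
    for code, term, detail in lint_ip_terms(SAMPLE):
        print(f"{code:10} {term:22} {detail}")
```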
Furthermore, always conclude your SPF record with the all mechanism, prefixed by a qualifier that specifies how recipient servers should handle emails from unauthorized sources. Options include ~all (softfail, mark as suspicious), -all (hardfail, reject unauthorized emails), or ?all (neutral, no instruction). The -all form offers the strongest protection, but should only be used once you are confident all legitimate senders are authorized.
Remember that SPF is just one part of email authentication. For comprehensive protection, combine SPF with DKIM and DMARC. DMARC provides crucial reporting capabilities that allow you to monitor your email ecosystem and identify any SPF (or DKIM) authentication failures, giving you visibility into potential spoofing attempts and misconfigurations.

Resolving the 10-DNS-lookup limit with SPF flattening

Overcoming SPF limitations

A significant challenge with SPF is the 10-DNS-lookup limit. Each mechanism that requires a DNS query (like a, mx, ptr, and include) counts towards this limit. Exceeding it results in an SPF PermError, causing emails to fail authentication. This is where SPF flattening becomes essential. SPF flattening replaces include mechanisms with direct ip4 and ip6 mechanisms, reducing lookups.

Without SPF flattening

  1. Multiple include mechanisms: Each include mechanism triggers a DNS lookup, quickly reaching the limit, especially with multiple ESPs.
  2. SPF PermError: Exceeding 10 DNS lookups results in a PermError, causing SPF to fail and impacting email deliverability.
  3. Manual updates: Requires manual intervention to update the SPF record when ESPs change their sending IPs, which can be time-consuming and error-prone.

With SPF flattening

  1. Direct IP authorization: Include mechanisms are replaced with the actual ip4 and ip6 addresses, eliminating extra DNS lookups.
  2. Reduced lookup count: Keeps your SPF record within the 10-lookup limit, preventing PermErrors and ensuring SPF validation.
  3. Automated management: Platforms like Suped can automate SPF flattening, dynamically updating your record as IPs change, ensuring continuous compliance.
SPF flattening is crucial for maintaining a healthy email ecosystem, especially for organizations with complex sending infrastructures. It ensures that SPF continues to function correctly, safeguarding your domain's reputation and enhancing email deliverability.
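
An added example, not Suped's implementation: it counts lookup-causing terms across nested includes and builds the flattened record. The ZONE dictionary is constructed data standing in for live DNS, the domains are hypothetical, and the sketch assumes plain (+) includes and nested a/mx terms that name their domain explicitly.

```python
import re

# Terms that cost a DNS lookup toward the limit of 10 (RFC 7208, section 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

# Constructed TXT records standing in for live DNS; all domains are hypothetical.
ZONE = {
    "example.com": "v=spf1 ip4:192.0.2.1 include:_spf.esp-one.example "
                   "include:_spf.esp-two.example ~all",
    "_spf.esp-one.example": "v=spf1 "
        + " ".join(f"include:_n{i}.esp-one.example" for i in range(8)) + " ~all",
    "_spf.esp-two.example": "v=spf1 ip4:203.0.113.128/25 a:mail.esp-two.example ~all",
}
ZONE.update({f"_n{i}.esp-one.example": f"v=spf1 ip4:198.51.100.{i * 16}/28 ~all"
             for i in range(8)})

def walk(domain, zone, ips, kept, seen=()):
    """Count lookup-causing terms reachable from domain's record.
    Passing ip4/ip6 terms are collected in ips, terms that still need DNS in kept."""
    if domain in seen:
        raise ValueError(f"include loop at {domain}")
    lookups = 0
    for term in zone[domain].split()[1:]:
        bare = term.lstrip("+")
        name = re.split(r"[:/=]", bare.lstrip("-~?"), maxsplit=1)[0].lower()
        if name in ("ip4", "ip6"):
            # Only pass-qualified terms authorize a sender through an include.
            if bare[0] not in "-~?" and bare not in ips:
                ips.append(bare)
        elif name == "include":
            target = bare.partition(":")[2]
            lookups += 1 + walk(target, zone, ips, kept, seen + (domain,))
        elif name in LOOKUP_TERMS:
            lookups += 1
            kept.append(bare)  # cannot be flattened without A/MX data
    return lookups

def flatten(domain, zone):
    """Return (lookups before, lookups after, flattened record)."""
    ips, kept = [], []
    before = walk(domain, zone, ips, kept)
    all_term = zone[domain].split()[-1]  # assumes the record ends with its all term
    return before, len(kept), " ".join(["v=spf1", *ips, *kept, all_term])

def exceeds_limit(lookups):
    return lookups > 10  # past 10, receivers return PermError

if __name__ == "__main__":
    print(flatten("example.com", ZONE))
```

A flattened record is a snapshot: it has to be regenerated whenever a provider changes the ranges behind its include.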

Ensuring continuous SPF accuracy

Monitoring and maintenance

Even with a perfectly crafted SPF record, ongoing monitoring is essential. IP addresses can change, new sending services might be adopted, and third-party ESPs may update their infrastructure. Without consistent oversight, your SPF record can quickly become outdated, leading to authentication failures.
Utilizing a DMARC monitoring platform like Suped offers invaluable insights. We process DMARC reports (RUA and RUF) that provide aggregated and forensic data on your email sending. This data reveals which senders are passing or failing SPF and DKIM authentication, allowing you to quickly identify unauthorized sources or legitimate senders that are misconfigured.
Our platform's AI-powered recommendations go beyond just presenting data. We analyze your DMARC reports and provide actionable steps to fix any SPF issues, strengthen your policy, and improve overall email deliverability. This proactive approach helps protect your brand against phishing and spoofing attacks while ensuring your legitimate emails reach the inbox.

| Mechanism | Description | Use Case | DNS lookups |
|---|---|---|---|
| ip4 / ip6 | Directly specifies IPv4 or IPv6 addresses or CIDR ranges. | Your own mail servers, dedicated IPs. | 0 |
| a | Authorizes IPs from the A record of the current or specified domain. | Web server sending mail, or specific subdomains. | 1 |
| mx | Authorizes IPs from MX records of the current or specified domain. | Domains sending from their primary mail servers. | 1 + N (for N MX records) |
| include | Refers to another domain's SPF record, authorizing its IPs. | Third-party email service providers. | 1 + N (for N mechanisms in included SPF) |

Final thoughts on SPF mechanisms

Choosing the correct SPF mechanism for a specific IP address depends on whether you control that IP directly or if it's managed by a third-party service. For directly controlled, static IPs, ip4 and ip6 mechanisms offer the most precise control. For third-party services, include mechanisms are usually the go-to, though careful management is needed to stay within the DNS lookup limit. Regular monitoring and leveraging tools like Suped ensure your SPF record remains effective and your emails are delivered reliably.
Implementing a strong email authentication strategy, including SPF, DKIM, and DMARC, is not just about security, but also about maintaining your sender reputation and achieving optimal deliverability. Without these foundational protocols, your emails are at a higher risk of being blocked, or classified as spam (or junk mail), severely impacting your communication efforts.
Our platform simplifies the complex world of email authentication, providing unified monitoring for DMARC, SPF, and DKIM, alongside insights into blocklists and deliverability. With features like real-time alerts and AI-powered recommendations, we make it easy to manage your email security, even for MSPs with multi-tenancy dashboards. Embrace a robust email security posture with Suped and ensure your emails always hit their mark.
