When you're setting up your email authentication, you'll quickly come across Sender Policy Framework (SPF). In essence, an SPF record is a way for you to tell the world which mail servers are permitted to send email on behalf of your domain. As Kinsta puts it, it's a TXT record that contains a list of authorized mail servers. This list is defined using a series of 'mechanisms'.
To answer the question directly, the SPF mechanisms used to specify a list of IP addresses are ip4 and ip6. These allow you to explicitly list the IPv4 and IPv6 addresses that have permission to send emails for your domain.
The most straightforward way to authorize an IP address in your SPF record is by using the ip4 and ip6 mechanisms. These are designed for adding specific IP addresses directly into your record.
The ip4 mechanism is used for IPv4 addresses and address ranges. For a single IP, you would write ip4:192.0.2.1. You can also specify a range of IPs using CIDR notation, such as ip4:192.0.2.0/24. This is helpful if you send email from a block of servers. The ip6 mechanism works the same way for IPv6 addresses, for example ip6:2001:db8::1.
While ip4 and ip6 are direct, other mechanisms indirectly specify IP addresses by referencing other DNS records. The most common ones are a and mx.
The 'a' mechanism: This mechanism authorizes the IP address found in the A record (or AAAA record for IPv6) of a domain. If you write just a in your SPF record, it refers to the A record of the current domain. You can also specify another domain, like a:mail.example.com. This is very convenient because if your server's IP address changes, you only need to update the A record, and your SPF record remains valid.
The 'mx' mechanism: This authorizes any server listed in your domain's MX records. MX records define where email for your domain should be delivered, and often, the same servers send outgoing mail. So, the mx mechanism checks the A records of your MX hosts and authorizes those IP addresses. NsLookup.io has a practical guide that explains this and other mechanisms well.
A typical SPF record combines these mechanisms to build a complete policy. Let's look at an example for a domain 'example.com':
v=spf1 ip4:192.0.2.1 a mx include:_spf.google.com ~all
Here’s a breakdown of what this record does:
To summarize, while several mechanisms can point to authorized IP addresses, ip4 and ip6 are the specific tools for listing IP addresses directly in your SPF record. Combining them with other mechanisms like a, mx, and include gives you a flexible and powerful way to secure your domain's email.
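The following sketch is an added example, not code from the original article. It evaluates the example record above left to right and reports which mechanism authorizes a given sender IP. The DNS table is constructed for illustration (the _spf.google.com entry is a placeholder, not Google's real record), and the function names are hypothetical.

```python
import ipaddress

# Constructed DNS data (documentation address ranges) standing in for live lookups.
# The _spf.google.com entry is a placeholder, not Google's real record.
DNS = {
    ("example.com", "TXT"): ["v=spf1 ip4:192.0.2.1 a mx include:_spf.google.com ~all"],
    ("example.com", "A"): ["198.51.100.10"],
    ("example.com", "MX"): ["mx1.example.com"],
    ("mx1.example.com", "A"): ["198.51.100.25"],
    ("_spf.google.com", "TXT"): ["v=spf1 ip4:203.0.113.0/24 ~all"],
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def host_ips(name):
    """A and AAAA addresses of a host, from the constructed table."""
    records = DNS.get((name, "A"), []) + DNS.get((name, "AAAA"), [])
    return [ipaddress.ip_address(r) for r in records]

def matches(mech, ip, domain):
    """True if the sender IP is covered by one mechanism (no a/mx CIDR suffixes)."""
    name, _, arg = mech.partition(":")
    if name in ("ip4", "ip6"):                 # literal address or CIDR range
        return ip in ipaddress.ip_network(arg, strict=False)
    if name == "a":                            # A/AAAA of this or the named domain
        return ip in host_ips(arg or domain)
    if name == "mx":                           # A/AAAA of every MX host
        return any(ip in host_ips(h) for h in DNS.get((arg or domain, "MX"), []))
    if name == "include":                      # matches only if the other policy passes
        return evaluate(str(ip), arg)[0] == "pass"
    return name == "all"                       # catch-all; unknown terms never match

def evaluate(sender_ip, domain):
    """Return (result, matching term) for sender_ip under the domain's SPF record."""
    ip = ipaddress.ip_address(sender_ip)
    record = next((t for t in DNS.get((domain, "TXT"), []) if t.startswith("v=spf1")), None)
    if record is None:
        return "none", None
    for term in record.split()[1:]:            # left to right, first match wins
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        if matches(term.lstrip("+-~?"), ip, domain):
            return QUALIFIERS[qualifier], term
    return "neutral", None

if __name__ == "__main__":
    for sender in ("192.0.2.1", "198.51.100.25", "203.0.113.7", "192.0.2.2"):
        print(sender, evaluate(sender, "example.com"))
```

An address that no earlier mechanism covers falls through to ~all and gets a softfail result rather than a pass.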