Should sending domains resolve to the same IP addresses as mail servers?

Key findings

• Domain resolution: Sending domains (especially return-path/bounce address domains) do not always need to resolve to an IP address that matches the mail server's sending IP. They can, but this resolution often pertains to website hosting rather than email sending itself.
• SPF vs. A records: SPF records validate the sending IP address against a list of authorized IPs for the envelope-from domain, not necessarily the IP address that the sending domain's A record resolves to. The IP addresses that sending domains resolve to are often unrelated to the IP addresses from which email is actually sent, so they do not need to be included in SPF records.
• DNS requirements: Sending domains should ideally have MX records, or A records if MX records are not present. This ensures proper DNS resolution for mail handling, even if it's not directly for outgoing mail.
• Whitelisting IPs: Relying on IP whitelisting for email delivery is outdated and problematic. IP addresses can change frequently, leading to constant updates and potential deliverability issues. Domain authentication (SPF, DKIM, DMARC) is the modern and robust approach.

Key considerations

• Educate clients: It is crucial to clarify the distinction between a website's domain resolution and an email sending domain's authentication process. Clients should focus on authenticating mail via domain-level mechanisms, not necessarily IP addresses, for safelisting.
• SPF record accuracy: Ensure your SPF record accurately reflects all authorized sending sources (e.g., your ESP). Inaccurate SPF records are a primary cause of deliverability problems.
• Reverse DNS: While sending domains don't need matching A records, the sending IP address should have a reverse DNS (PTR) record that resolves back to a valid hostname. This is a common anti-spam check. Find out more about reverse DNS best practices.
• Focus on authentication: Prioritize robust SPF, DKIM, and DMARC setup over IP-based whitelisting requests to ensure emails are correctly authenticated and delivered.

Key opinions

• Client confusion is common: Clients frequently misunderstand how email sending domains function, often expecting them to resolve like website domains.
• Sending domains for email: Subdomains dedicated to email sending (e.g., for bounce addresses) are not websites and therefore do not typically resolve to IP addresses in the traditional sense for web browsing.
• Focus on authentication: It is more important for email marketers to ensure their SPF, DKIM, and DMARC records are correctly configured and aligned with their ESP's sending infrastructure.
• IP whitelisting challenges: Asking clients to whitelist IPs can be inefficient, as ESPs often use dynamic IP ranges that can change, leading to ongoing maintenance and potential deliverability issues.

Key considerations

• Streamline safelisting: Instead of providing IP lists, guide clients to whitelist based on domain authentication (e.g., authenticated mail from your domain). This approach is more stable and robust.
• Verify ESP setup: Regularly confirm with your ESP that your DNS records (SPF, DKIM) are correctly set up and maintained, especially if your ESP uses a third-party sender like SendGrid.
• Proactive communication: Educate clients upfront about modern email authentication methods to prevent confusion and ensure smoother email delivery. This helps avoid emails going to spam.
• Subdomain configuration: Understand how your ESP configures subdomains (like em.info.domain.com) for mail sending, as they may have specific CNAME or MX record requirements for tracking and deliverability.

Key opinions

• Return-path domains: The sending domain, particularly the return-path or bounce address, does not strictly need to resolve to any specific IP address for email sending functionality.
• Separation of concerns: The IP address that a sending domain resolves to (e.g., for a website) is typically unrelated to the IP address from which the email is actually sent. This distinction is vital for accurate deliverability assessments.
• SPF and DKIM's role: Email authentication mechanisms like SPF and DKIM are designed to verify the sender without requiring recipients to deal with specific IP addresses for whitelisting. This provides a more robust and scalable solution.
• Dynamic IPs: IP addresses used by ESPs can change, making IP-based whitelisting impractical and prone to breakage. Domain-based authentication mitigates this issue.

Key considerations

• Accurate SPF records: Ensure your SPF records correctly authorize the IP addresses or include mechanisms (include) for your ESP, rather than attempting to list resolved domain IPs. Learn more about SPF TempErrors.
• Client education: Advise clients to whitelist authenticated mail from your sending domain(s), potentially specifying the DKIM d= and SPF authenticated return path hostnames for clarity.
• DNS health for mail servers: Confirm that the actual mail servers have proper DNS records, including MX records or A records, even if your sending domain (like the return-path) doesn't have a direct A record. This is a critical component for deliverability, as discussed in whether an A record is needed.
• Diagnose with precision: When troubleshooting, avoid mixing up website domain resolution with email sending IP authentication to prevent further confusion for yourself and clients.

Key findings

• Reverse DNS importance: Reverse DNS (PTR) records are crucial. Mail servers use them to match an IP address to a domain name as part of anti-spam checks. The RIPE Labs documentation recommends that a sending IP should have reverse DNS.
• Domain authentication priority: All emails should carry some form of domain authentication. This is prioritized over direct A record resolution of the sending domain to the mail server IP for verification.
• SPF record content: SPF records primarily list the IP addresses and mail servers that are authorized to send email on behalf of a domain. This focuses on the sending source, not necessarily the A record of the domain itself.
• CNAME usage: CNAME records are often used to point a subdomain to another domain, which then resolves to an IP. This is common for tracking domains in email marketing and can resolve to the same IP as a root domain for web services.

Key considerations

• DNS interplay: Understand the distinct roles of A, MX, PTR, SPF, and DKIM records. While A records map hostnames to IPs and MX records direct mail, SPF and DKIM are for sender authentication, ensuring mail integrity, as detailed in a simple guide to DMARC, SPF, and DKIM.
• Avoiding misconfigurations: Be careful not to confuse the IP addresses that a domain resolves to for web traffic with the IP addresses that are authorized to send email via SPF. Improper SPF configuration can cause deliverability issues.
• SPF include mechanism: Many ESPs (like SendGrid or Braze) manage their own sending IPs. Your SPF record should typically use the include mechanism to delegate SPF authorization to them, rather than listing specific IP addresses directly.