Using IP addresses directly in Sender Policy Framework (SPF) records is a common practice, but it requires careful consideration to ensure proper email authentication and deliverability. While it can offer certain advantages, such as reducing DNS lookup overhead, it also comes with potential pitfalls if not managed correctly. Best practices revolve around maintaining accuracy, minimizing lookups, and understanding the implications for different email sending scenarios.
Key findings
Direct IP inclusion: Directly listing IP addresses using ip4 or ip6 mechanisms is a valid and often preferred method, especially for static IPs.
DNS lookup limit: The ip4 and ip6 mechanisms need no DNS query, so they do not count toward the limit of 10 lookup terms (include, a, mx, ptr, exists and the redirect modifier) that RFC 7208 imposes on a single SPF evaluation. Listing static senders directly keeps that budget free for the includes you cannot avoid.
Dynamic IP addresses: Dynamic IP addresses, typically from residential ISPs, should be excluded from SPF records as they change frequently and can cause authentication failures.
MX mechanism: The mx mechanism authorizes the IP addresses of the hosts named in the domain's MX records. Those hosts receive mail; unless the same hosts also relay outbound mail, the mechanism authorizes servers that never send, widens the record for no benefit, and spends one of the 10 DNS lookups (plus the A lookups for each MX host).
CIDR notation: Using CIDR notation for IP address ranges is an efficient way to include multiple IPs without individual listings.
Security layer: SPF lets a receiver check the connecting client's IP address against the list published by the domain in the envelope sender (MAIL FROM, or HELO when MAIL FROM is empty). That stops unauthorized hosts from passing SPF for the domain; on its own it does not protect the From: header the recipient sees, which is why DMARC alignment is layered on top.
Key considerations
Accuracy is key: Only include IP addresses that are genuinely under your control and authorized to send email on behalf of your domain. An address you no longer control (a shared or recycled cloud IP, a former provider's range) lets whoever holds it next pass SPF as your domain, and mail abuse from such a range can drag your domain's reputation down with it.
Static vs. dynamic IPs: Always ensure the IP addresses listed are static and reliably associated with your sending infrastructure. Avoid dynamic IPs.
Regular audits: Periodically review your SPF record to remove any outdated or unused IP addresses, as recommended by Mailgun's SPF records guide.
Consider future changes: While direct IPs save lookups, they require manual updates if your sending IP addresses change. Using domain-based mechanisms like include or a can be more flexible for ESPs.
Subdomain usage: For different types of email (e.g., transactional vs. marketing), consider using separate subdomains with their own SPF records tailored to the specific sending IPs.
Email marketers often approach SPF record configuration with a focus on practical outcomes, especially deliverability. Their experiences highlight the trade-offs between simplifying records and ensuring comprehensive coverage of all sending sources. They often prioritize methods that reliably pass SPF checks while minimizing the chances of legitimate emails being flagged as spam or blocked.
Key opinions
Direct IP use is normal: Many marketers view direct inclusion of IP addresses as a standard and acceptable practice within SPF records, especially for stable sending infrastructures.
DNS lookup benefits: A key advantage of using direct IPs is that it helps in managing the limited number of DNS lookups an SPF record can perform, reducing the risk of SPF validation failures.
MX mechanism confusion: There can be confusion around the mx mechanism, as MX servers are primarily for inbound mail, not necessarily outbound.
Separate subdomains for ESPs: It is widely recommended that marketing emails sent through Email Service Providers (ESPs) should use their own dedicated subdomains for SPF.
Auditing SPF records: Regular audits of SPF records are crucial to ensure accuracy and prevent issues, especially when managing various sending sources.
Key considerations
Intent clarification: Always clarify the sender's intent when an SPF record contains an mx mechanism alongside specific IP addresses, as MX servers are not always intended for outbound mail.
Maintenance overhead: Direct IP listing requires manual updates if the sending infrastructure's IPs change. This can be a significant administrative burden compared to using include statements.
Security vs. convenience: Marketers need to balance the convenience of direct IP inclusion (bypassing DNS lookups) with the potential security risks if an unauthorized IP is accidentally included.
Safe to add IPs: It is generally considered safe to add legitimate IP addresses to an SPF record, as this is precisely what the record is designed for, as discussed on Security Stack Exchange.
Avoiding dynamic IPs: Marketers should be wary of including dynamic IP addresses from sources like residential ISPs, as their transient nature can quickly invalidate SPF authentication.
Marketer view
An email marketer from Email Geeks inquired about a client's SPF record containing seven IP addresses in the MX section. They sought clarification on the best practice for such a configuration, as it was an unfamiliar setup to them.
27 Apr 2022 - Email Geeks
Marketer view
An email marketer from Email Geeks requested clarification on the SPF record syntax. They asked if the IP addresses were directly listed or part of an 'MX' mechanism, and asked to view the record for context to provide a more accurate assessment.
27 Apr 2022 - Email Geeks
What the experts say
Experts in email deliverability and authentication offer nuanced perspectives on using IP addresses in SPF records. They typically emphasize a balance between precision, manageability, and adherence to technical specifications. Their advice often focuses on avoiding common pitfalls that can lead to SPF failures or misconfigurations that negatively impact deliverability.
Key opinions
Precision is crucial: Experts advise that SPF records should precisely list all authorized IP addresses to prevent unauthorized sending and ensure proper authentication.
Minimize unnecessary lookups: While direct IPs save lookups, experts also warn about exceeding the 10-lookup limit with other mechanisms.
Static IPs are ideal: It is generally preferred to use static IP addresses for sending mail and include them directly or via reliable hostname lookups.
CIDR for ranges: Using CIDR notation for ranges is considered efficient and good practice for managing multiple IPs from a single provider.
Avoiding over-permissiveness: SPF records should not be overly broad or permissive, only authorizing necessary IP addresses and ranges to prevent email spoofing.
Key considerations
Regular review: Experts highlight the need for periodic review of SPF records to ensure all listed IPs are still actively used and authorized.
Impact of changes: Understand that direct IP entries require manual updates if IP addresses change. This makes mechanisms like include more flexible for ESPs that manage their IP pools.
Combining mechanisms: A well-configured SPF record often combines direct IP entries with include statements for third-party senders, balancing simplicity and comprehensive coverage as outlined in DuoCircle's SPF guide.
Record length: There is no cap on the number of ip4 and ip6 mechanisms, but each string in a DNS TXT record is limited to 255 octets (longer records must be split into several strings that the resolver concatenates), and RFC 7208 recommends keeping the whole record small enough that the DNS response fits in a single 512-byte UDP reply. Overly long records are also harder to manage and more prone to errors. Using CIDR and consolidating entries helps keep them concise. More information on formatting is in our SPF formatting guide.
Dedicated subdomains: For various sending purposes, experts often advocate for using specific subdomains, each with its own SPF record, to isolate sending reputation and simplify management.
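As an added illustration of the two points above (combining direct IP entries with include statements, and giving each sending purpose its own subdomain), here is a constructed DNS zone fragment. It is not taken from any of the sources cited on this page; example.com, the ESP and suite domains are placeholders, and the addresses come from the documentation ranges reserved by RFC 5737 and RFC 3849.

```zone
; Constructed example, not a real zone. All names and addresses are placeholders.

; Organisational domain: a small static block of corporate relays plus a hosted
; mail suite reached through its include. One lookup (the include), hard fail.
example.com.        IN TXT "v=spf1 ip4:203.0.113.16/28 include:_spf.hosted-suite.example -all"

; Transactional mail: dedicated static senders only, listed directly with CIDR.
; No lookups at all, so the 10-lookup budget is untouched.
mail.example.com.   IN TXT "v=spf1 ip4:203.0.113.32/27 ip6:2001:db8:10::/48 -all"

; Marketing mail through an ESP: delegate to the ESP's include so its pool
; changes never require an edit here; keep it off the organisational domain
; so its reputation stays separate.
news.example.com.   IN TXT "v=spf1 include:_spf.esp.example -all"

; A subdomain that never sends mail: publish an explicit deny so it cannot be
; used as an envelope sender by anyone.
legacy.example.com. IN TXT "v=spf1 -all"
```

Each name above carries exactly one v=spf1 record; merging the marketing include into example.com would work, but it would tie the organisational domain's reputation to the ESP's shared pool and add a lookup the transactional record does not need.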
Expert view
An expert from SpamResource stated that while direct IP addresses are permissible, using domain names in SPF records often offers greater adaptability. This is because IP changes will not necessitate manual SPF updates, reducing administrative burden and potential for error.
17 Jul 2023 - SpamResource
Expert view
An expert from Wordtothewise cautioned against overuse of mechanisms that require DNS lookups. They highlighted that exceeding the 10-lookup limit can lead to SPF validation failures, subsequently causing legitimate emails to be rejected or sent to spam folders, impacting deliverability.
05 Aug 2023 - Wordtothewise
What the documentation says
Official documentation and technical guides provide the foundational rules and recommendations for SPF records, including how to handle IP addresses. These resources emphasize adherence to RFCs, security best practices, and the technical implications of different SPF mechanisms. They serve as the definitive source for understanding proper SPF configuration.
Key findings
Authorized IP listing: Documentation consistently states that SPF records must list only the IP addresses and servers explicitly authorized to send email for a domain.
Dynamic IP exclusion: Technical guides, such as those by AutoSPF, warn against including dynamic IP addresses due to their frequent changes and instability for authentication.
CIDR notation: Many guides highlight the efficiency of using CIDR notation to define IP address ranges within SPF records, rather than individual IP addresses.
Purpose of mx: The mx mechanism authorizes Mail Exchanger (MX) records, which are primarily for receiving mail. Its inclusion should be deliberate and align with outbound sending intentions.
Single SPF record: Documentation stresses that a domain must publish exactly one SPF record (one TXT record beginning with v=spf1) containing all of its IP addresses and mechanisms. RFC 7208 requires a receiver that finds more than one such record to return permerror, so a second record does not extend the first; it breaks authentication for every sender.
Key considerations
Maintaining accuracy: Ensure the SPF record reflects all current sending IP addresses. Regular maintenance is essential: an address that is missing causes legitimate mail from it to fail SPF and be rejected or sent to spam, while an address that has been given up authorizes whoever holds it next.
DNS lookup limits: Carefully manage the number of DNS lookups triggered by SPF mechanisms. The include, a, mx, ptr and exists mechanisms and the redirect modifier each count toward the limit of 10; ip4, ip6 and all do not, which is a significant advantage of listing static senders directly, as highlighted by SendLayer. Exceeding the limit yields permerror, not a softer result.
Over-permissiveness: As noted by DMARC Manager, avoid overly permissive SPF records that authorize more IP addresses or ranges than strictly necessary, as this increases vulnerability to spoofing. A range such as ip4:0.0.0.0/0, or a record ending in +all or ?all, lets any host on the Internet pass or go neutral for the domain.
Authentication process: Documentation describes how SPF works: the receiving server takes the IP address of the client that connected to it, looks up the SPF record of the domain in the envelope sender (MAIL FROM, or HELO when MAIL FROM is empty), and evaluates the record's mechanisms in order until one matches; the qualifier on the matching mechanism (pass, fail, softfail or neutral) is the result. This process is key to email security.
Consolidate IPs: When creating an SPF record, all IP addresses should be entered into a single record, not spread across multiple SPF records for the same domain.
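The points above (one record only, the 10-lookup budget, CIDR ranges, over-permissive terms, and matching the client IP against the record) can be checked offline. The following Python is an added illustration written for this page, not code from any of the sources cited; it makes no DNS queries, so include, a, mx, ptr, exists and redirect terms are counted but never expanded, and the "wide prefix" review thresholds are a local policy choice rather than an RFC rule. All records and addresses below are constructed from the RFC 5737 and RFC 3849 documentation ranges.

```python
"""Offline SPF record linter and literal-IP matcher (illustrative example).
No DNS is queried: lookup terms are counted, not resolved (RFC 7208 s4.6.4)."""
import ipaddress
from dataclasses import dataclass, field

LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
# Review thresholds (local policy, not an RFC rule): prefixes this short are
# almost never a single organisation's outbound fleet.
WIDE_V4_PREFIX, WIDE_V6_PREFIX = 16, 32


@dataclass
class SpfReport:
    lookups: int = 0
    networks: list = field(default_factory=list)  # (qualifier, ip_network)
    all_qualifier: str = ""                       # qualifier on the 'all' term
    warnings: list = field(default_factory=list)
    errors: list = field(default_factory=list)


def parse_spf(txt_records):
    """Lint every TXT string published at a name; returns an SpfReport."""
    report = SpfReport()
    spf = [r for r in txt_records
           if r.lower() == "v=spf1" or r.lower().startswith("v=spf1 ")]
    if len(spf) != 1:  # RFC 7208 s4.5: anything but exactly one is permerror
        report.errors.append(f"{len(spf)} v=spf1 records; exactly one allowed (permerror)")
        return report
    record = spf[0]
    if len(record) > 450:  # RFC 7208 s3.4 keeps the DNS answer inside one 512-byte UDP reply
        report.warnings.append(f"record is {len(record)} octets; keep it under 450")
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        # mechanism 'name:value' / 'name/cidr' versus modifier 'name=value'
        if "=" in term.split(":", 1)[0]:
            name, _, value = term.partition("=")
        else:
            name, _, value = term.partition(":")
        name = name.split("/", 1)[0].lower()
        if name in LOOKUP_TERMS:
            report.lookups += 1
        elif name in ("ip4", "ip6"):
            try:  # a bare address becomes a /32 or /128; strict=False ignores host bits
                net = ipaddress.ip_network(value, strict=False)
            except ValueError:
                report.errors.append(f"malformed {name} term: {term}")
                continue
            if (name == "ip4") != (net.version == 4):
                report.errors.append(f"{name} term carries an IPv{net.version} value: {term}")
                continue
            wide = WIDE_V4_PREFIX if net.version == 4 else WIDE_V6_PREFIX
            if net.prefixlen == 0:
                report.warnings.append(f"{term} authorises every IPv{net.version} host (same as +all)")
            elif net.prefixlen < wide:
                report.warnings.append(f"{term} is a /{net.prefixlen}; confirm the whole range is yours")
            report.networks.append((qualifier, net))
        elif name == "all":
            report.all_qualifier = qualifier
            if qualifier in ("+", "?"):
                report.warnings.append(f"'{qualifier}all' lets any host pass or go neutral; use -all or ~all")
        elif name == "exp":
            pass  # explanation modifier; excluded from the lookup limit by RFC 7208 s4.6.4
        else:
            report.errors.append(f"unknown term: {term}")
    if report.lookups > MAX_LOOKUPS:
        report.errors.append(f"{report.lookups} lookup terms exceed {MAX_LOOKUPS} (permerror)")
    return report


def check_ip(report, client_ip):
    """Result for client_ip from the literal ip4/ip6 terms (first match wins).
    Assumes no earlier lookup term would have matched; when nothing matches and
    the record has lookup terms, the answer needs DNS; otherwise 'all' decides,
    and with no 'all' the RFC default is neutral."""
    ip = ipaddress.ip_address(client_ip)
    for qualifier, net in report.networks:
        if ip.version == net.version and ip in net:
            return QUALIFIER_RESULT[qualifier]
    if report.lookups:
        return "needs-dns"
    return QUALIFIER_RESULT.get(report.all_qualifier, "neutral")


# Constructed sample records (documentation-range addresses, placeholder names).
STATIC_ONLY = "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8:10::/48 -all"
MIXED = "v=spf1 ip4:203.0.113.0/24 include:_spf.example.net -all"
TOO_MANY = "v=spf1 " + " ".join(f"include:spf{i}.example.net" for i in range(11)) + " -all"
PERMISSIVE = "v=spf1 ip4:0.0.0.0/0 ?all"

if __name__ == "__main__":
    for label, rec in [("static", STATIC_ONLY), ("mixed", MIXED),
                       ("too-many", TOO_MANY), ("permissive", PERMISSIVE)]:
        rep = parse_spf([rec])
        print(label, "lookups:", rep.lookups, "errors:", rep.errors, "warnings:", rep.warnings)
    print("203.0.113.77 vs static:", check_ip(parse_spf([STATIC_ONLY]), "203.0.113.77"))
    print("two records:", parse_spf([STATIC_ONLY, "v=spf1 -all"]).errors)
```

Run it against the TXT strings you get from dig TXT yourdomain (one string per element). The static-only record resolves every client to pass or fail without DNS, the mixed record reports "needs-dns" for any address outside its ip4 range, eleven includes trip the permerror check, a second v=spf1 string trips it before any term is read, and ip4:0.0.0.0/0 with ?all is flagged twice as authorising the whole Internet.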
Technical article
Documentation from AutoSPF advises excluding dynamic IP addresses from SPF records due to their frequent changes and common association with residential ISPs. Including such IPs can lead to continuous authentication failures and hinder email deliverability, necessitating constant updates.
06 Jun 2024 - AutoSPF
Technical article
Documentation from DuoCircle highlighted that a key feature of SPF records is the capacity to specify IP address ranges using CIDR notation. This method offers a more efficient and concise alternative to listing individual IP addresses, especially for large sending infrastructures.