SPF a vs mx Mechanisms: When to Use Each
The SPF a and mx mechanisms both authorize servers by hostname, but they resolve differently. Learn when to use each — and when ip4 is the better choice.
The SPF a and mx mechanisms both authorize sending servers by resolving domain names to IP addresses. But they resolve different DNS record types, serve different purposes, and cost different numbers of DNS lookups. Choosing the right one — or skipping both in favor of ip4 — can make your SPF record more efficient and easier to maintain.
The Comparison
| Feature | a mechanism | mx mechanism | ip4/ip6 mechanism |
|---|---|---|---|
| What it resolves | A/AAAA records of a domain | MX records, then A/AAAA of each | Nothing (direct IP) |
| DNS lookups consumed | 1 | 1 + 1 per MX host | 0 |
| Best for | Web servers that send email | Authorizing mail server IPs | Known, static IPs |
| Updates automatically | Yes, when A record changes | Yes, when MX records change | No, manual update required |
| Lookup efficiency | Good | Moderate | Best |
How the a Mechanism Works
The a mechanism checks whether the sending server's IP matches the A (or AAAA) record of a domain. By default, it checks the current domain, but you can specify any domain.
v=spf1 a ~all
This says: "The IP address that my domain's A record points to is authorized to send email." If your domain example.com has an A record pointing to 203.0.113.5, then email from 203.0.113.5 passes SPF.
You can also specify a different domain:
v=spf1 a:mail.example.com ~all
This resolves mail.example.com to its IP address and authorizes that IP.
When the a Mechanism Makes Sense
The a mechanism is useful when your web server also sends email. If your application server handles outbound transactional email (order confirmations, password resets, notifications), and that server's IP is the same as your domain's A record, then a is a clean way to authorize it.
It is also useful when you want the SPF record to automatically update if the server IP changes. Since a resolves the DNS record at check time, changing your A record automatically updates which IP is authorized.
The a mechanism costs exactly one DNS lookup, regardless of whether the domain has one A record or multiple. If the domain has both A and AAAA records, both are checked against the sending IP.
How the mx Mechanism Works
The mx mechanism checks whether the sending server's IP matches the address of any host named in the domain's MX records. It first looks up the MX records to get the mail server hostnames, then resolves each hostname to its IP addresses.
v=spf1 mx ~all
This says: "Any server listed in my MX records is authorized to send email." If your MX records point to mail1.example.com and mail2.example.com, the IPs of both servers are authorized.
Like a, you can specify a different domain:
v=spf1 mx:example.com ~all
When the mx Mechanism Makes Sense
The mx mechanism is logical when your inbound mail servers also handle outbound email. This is common with self-hosted mail servers running Postfix, Exim, or Exchange — the same server receives and sends mail.
It is also useful when you do not know (or do not want to hard-code) the specific IPs of your mail servers. If your MX records point to a hosting provider that might change IPs, the mx mechanism adapts automatically.
The mx mechanism can be expensive in DNS lookups. It costs 1 lookup for the MX query, plus 1 additional lookup for each MX hostname that needs to be resolved to an IP. If you have 4 MX records, that is up to 5 lookups for a single mechanism. The SPF spec limits MX resolution to 10 MX records per mechanism to prevent abuse.
DNS Lookup Costs
This is where the practical difference matters most. You have a hard limit of 10 DNS lookups per SPF evaluation, and a, mx, and include all consume lookups.
a mechanism: 1 DNS lookup. It resolves the A/AAAA record of the specified domain. Simple and predictable.
mx mechanism: 1 DNS lookup for the MX query, plus 1 for each unique MX hostname that needs A/AAAA resolution. A domain with 3 MX records costs up to 4 lookups total.
ip4/ip6 mechanism: 0 DNS lookups. The IP is right there in the record. No resolution needed.
When to Use ip4 Instead
In many cases, neither a nor mx is the best choice. If you know the static IP addresses of your sending servers, ip4 (or ip6) is more efficient:
v=spf1 ip4:203.0.113.5 ip4:198.51.100.0/24 ~all
Use ip4/ip6 when:
- Your sending server IPs are static and unlikely to change
- You are running low on DNS lookups and need to optimize
- You want the most predictable, fastest SPF evaluation
- You are authorizing a cloud server with a dedicated IP
The tradeoff: If the IP changes, you have to manually update the SPF record. With a or mx, the SPF record automatically reflects DNS changes.
Best practice for most setups
Use ip4/ip6 for your own servers with static IPs (zero lookups), and include for third-party email providers like Google Workspace or SendGrid (they manage their own IP ranges). Reserve a and mx for cases where you genuinely need automatic IP resolution.
Combining Mechanisms
You can use a, mx, and ip4 together in the same record:
v=spf1 ip4:203.0.113.5 a:app.example.com mx include:_spf.google.com ~all
This authorizes:
- The specific IP 203.0.113.5 (0 lookups)
- The IP of app.example.com (1 lookup)
- All mail servers from the MX records (1+ lookups)
- Google Workspace's sending servers (1+ lookups from include)
Be mindful of the total lookup count. Every a, mx, and include adds at least one lookup. A record that looks simple can quickly approach the 10-lookup limit.
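As an added example (not part of the original article), the script below walks a record shaped like the combined one above against a constructed, offline zone. It reports which mechanism authorizes a given sender and what the record costs under the lookup model described on this page. The zone data, the `_spf.provider.test` include target, and the `audit` helper are assumptions made for illustration.

```python
import ipaddress

LIMIT = 10  # lookup cap per SPF evaluation, as stated on this page

# Constructed zone data (hypothetical names and addresses); no real DNS is queried.
ZONE = {
    ("example.com", "TXT"): ["v=spf1 ip4:203.0.113.5 a:app.example.com mx "
                             "include:_spf.provider.test ~all"],
    ("app.example.com", "A"): ["203.0.113.20"],
    ("example.com", "MX"): ["mail1.example.com", "mail2.example.com"],
    ("mail1.example.com", "A"): ["198.51.100.10"],
    ("mail2.example.com", "A"): ["198.51.100.11"],
    ("_spf.provider.test", "TXT"): ["v=spf1 ip4:192.0.2.0/24 ~all"],
}

def addrs(host):
    """A and AAAA answers for host, as address objects."""
    return [ipaddress.ip_address(a)
            for rtype in ("A", "AAAA") for a in ZONE.get((host, rtype), [])]

def audit(domain, sender):
    """Return (first matching term or None, lookups if every term is evaluated).

    Simplified: qualifiers are ignored and CIDR suffixes on a/mx are not parsed.
    """
    ip = ipaddress.ip_address(sender)
    record = next(t for t in ZONE[(domain, "TXT")] if t.startswith("v=spf1"))
    hit, lookups = None, 0
    for term in record.split()[1:]:
        name, _, arg = term.lstrip("+-~?").partition(":")
        target, matched = arg or domain, False
        if name in ("ip4", "ip6"):            # literal network: 0 lookups
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "a":                     # 1 lookup
            lookups += 1
            matched = ip in addrs(target)
        elif name == "mx":                    # 1 for MX + 1 per MX host
            hosts = ZONE.get((target, "MX"), [])
            lookups += 1 + len(hosts)
            matched = any(ip in addrs(h) for h in hosts)
        elif name == "include":               # 1 for the TXT fetch + nested cost
            sub_hit, sub_cost = audit(arg, sender)
            lookups += 1 + sub_cost
            matched = sub_hit is not None
        if matched and hit is None:
            hit = term
    return hit, lookups

if __name__ == "__main__":
    for sender in ("203.0.113.5", "198.51.100.11", "192.0.2.77", "203.0.113.99"):
        hit, cost = audit("example.com", sender)
        print(f"{sender:15} matched={hit} lookups={cost}/{LIMIT}")
```

The lookup figure is the cost when no early term matches, which is the case to budget for: an unauthorized sender forces the receiver through every mechanism before reaching ~all.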
Common Patterns
Web app that sends email
v=spf1 a include:_spf.google.com ~all
The a mechanism covers the web server. The include covers Google Workspace for employee email.
Self-hosted mail server
v=spf1 mx ~all
Simple and effective if your inbound and outbound servers are the same.
Optimized for lookups
v=spf1 ip4:203.0.113.5 ip4:198.51.100.10 include:_spf.google.com ~all
Static IPs use zero lookups, leaving more room for includes.
Multiple services, approaching the limit
v=spf1 ip4:203.0.113.0/24 include:_spf.google.com include:sendgrid.net include:amazonses.com ~all
Using ip4 instead of a or mx saves lookups for the includes that need them. Remember to also set up DKIM and DMARC alongside your SPF record for complete email authentication.
Bottom Line
Use a when your web server sends email and you want the authorized IP to update automatically with your A record. Use mx when your inbound mail servers also send outbound mail and you need the authorized IPs to track your MX records. Use ip4/ip6 when you know the exact IPs and want maximum lookup efficiency. For most modern setups with cloud email providers, ip4 for your own servers plus include for third-party senders is the most practical approach. After publishing, verify your record resolves correctly with SPF Record Check.