SPF for Self-Hosted Mail Servers
Set up SPF for self-hosted mail servers like Postfix, Exim, or hMailServer. Learn when to use ip4, ip6, a, and mx mechanisms and how to combine with hosted services.
Your Self-Hosted Mail Server Emails Are Getting Rejected
You run your own mail server — maybe Postfix on Ubuntu, Exim on Debian, or hMailServer on Windows. You control the infrastructure, the configuration, the logs. But when you send an email to a Gmail or Outlook user, it bounces or lands in spam. The problem isn't your server configuration. It's that you haven't told the world your server is authorized to send email for your domain.
The Self-Hosted SPF Problem
When you host your own mail server, you're responsible for everything — including DNS authentication records. Unlike Google Workspace or Microsoft 365, there's no provider documentation telling you exactly what to add. You need to figure out which IP addresses and mechanisms to use.
Self-hosted setups have unique challenges:
- Your server IP address is the primary mechanism, and you need to get it exactly right
- If your IP changes (common with some hosting providers), your SPF record breaks
- You might also use hosted services for marketing or transactional email alongside your self-hosted server
- The
a,mx, andip4/ip6mechanisms each work differently and serve different purposes
For self-hosted mail servers, ip4: and ip6: mechanisms are the most reliable choice. They directly authorize your server's IP address and don't count toward the 10-lookup limit (only include:, a, mx, and redirect mechanisms trigger DNS lookups).
How SPF Creator Helps
IP address entry
Enter your server's IP addresses directly. SPF Creator formats the ip4: and ip6: mechanisms with correct syntax, including CIDR notation for ranges.
Mechanism selector
Choose between ip4, ip6, a, and mx mechanisms with guidance on when to use each one. No need to memorize SPF syntax.
Combine with hosted services
Running Postfix for your main email but using SendGrid for transactional messages? Add both in one record. SPF Creator merges IP mechanisms and includes seamlessly.
Validation
SPF Creator validates IP address format, CIDR ranges, and the overall record syntax before you publish.
Monitor your self-hosted email authentication
Track your SPF, DKIM, and DMARC records daily. Get alerts if your server IP changes break authentication.
Setting Up SPF for Your Mail Server
Find your server's IP addresses
Identify the public IP addresses your mail server uses for outbound email. If you're on a VPS, this is typically the server's primary IP. Run curl ifconfig.me on your server to confirm. If you have both IPv4 and IPv6, note both.
Open SPF Creator
Start a new record. Add your IP addresses using the IP address input. SPF Creator creates ip4: and ip6: entries for each.
Decide on additional mechanisms
If your server IP matches your domain's A record, you could use the a mechanism. If it matches your MX record, you could use mx. But explicit IP addresses are more reliable and don't consume DNS lookups.
Add hosted services if applicable
If you also use hosted services (SendGrid for transactional email, Mailchimp for newsletters), add their includes alongside your IP addresses.
Review and copy
A typical self-hosted record looks like: v=spf1 ip4:203.0.113.5 ip6:2001:db8::1 ~all. Copy the generated record.
Publish to DNS and verify
Add a TXT record on your root domain with the SPF value. If you manage your own DNS (BIND, PowerDNS), add it to your zone file and reload. After propagation, use SPF Record Check to confirm the record is live and valid.
Understanding the Mechanisms
ip4 and ip6
The most straightforward mechanisms. They authorize a specific IPv4 or IPv6 address (or range) to send email for your domain.
v=spf1 ip4:203.0.113.5 ip6:2001:db8::1 ~all
For IP ranges, use CIDR notation:
v=spf1 ip4:203.0.113.0/24 ~all
IP mechanisms don't count as lookups
Unlike include:, a, and mx, the ip4 and ip6 mechanisms require zero DNS lookups. If you're tight on the 10-lookup budget, replacing other mechanisms with explicit IPs is a good optimization.
a mechanism
The a mechanism authorizes the IP address that your domain's A record points to. Useful if your mail server runs on the same IP as your website.
v=spf1 a ~all
This does consume one DNS lookup. If your A record changes (e.g., you move your website), your SPF authorization changes too — which may not be what you want.
mx mechanism
The mx mechanism authorizes the IP addresses of your domain's MX records. This makes sense if your inbound and outbound mail servers are the same.
v=spf1 mx ~all
This also consumes DNS lookups — one for the MX query, plus one for each A record resolution of each MX host.
Avoid using mx if your MX records point to a third-party spam filter (like Barracuda or Mimecast) that doesn't also handle your outbound email. The mx mechanism would authorize the wrong servers.
With SPF configured for your self-hosted server, the next steps are generating DKIM keys (your mail server needs to sign outbound messages) and setting up a DMARC policy to tell receivers how to handle authentication failures.
Common Self-Hosted Combinations
| Setup | SPF Record |
|---|---|
| Single server | v=spf1 ip4:203.0.113.5 ~all |
| Server + backup MX | v=spf1 ip4:203.0.113.5 ip4:198.51.100.10 ~all |
| Server + SendGrid | v=spf1 ip4:203.0.113.5 include:sendgrid.net ~all |
| Server + Google Workspace | v=spf1 ip4:203.0.113.5 include:_spf.google.com ~all |
| IPv4 + IPv6 | v=spf1 ip4:203.0.113.5 ip6:2001:db8::1 ~all |
| IP range | v=spf1 ip4:203.0.113.0/24 ~all |
Pricing
Free
$0
- Up to 3 items
- Email alerts
- Basic support
Pro
$9/month
- Unlimited items
- Email + Slack alerts
- Priority support
- API access
Related Articles
Monitor Your New SPF Record
You've created your SPF record — now make sure it keeps working. The Email Deliverability Suite watches your SPF, DKIM, DMARC, and MX records daily and alerts you when something breaks.
Never miss an SPF issue
Monitor your SPF, DKIM, DMARC and MX records daily. Get alerts when something breaks.
Start Monitoring