Understanding SPF Record Best Practices: Why Combining +a and +mx Mechanisms is Essential for Email Security


SPF (Sender Policy Framework) records are DNS TXT records that specify which hosts, identified by IP address, are authorized to send email on behalf of your domain. A receiving server evaluates the mechanisms left to right against the connecting IP, and the first match decides the result. The typical SPF record structure includes mechanisms like:

v=spf1 +a +mx -all

While +mx authorizes the IP addresses of the hosts named in your MX records, +a authorizes the IP addresses in the domain's own A record (or its AAAA record, when the sender connects over IPv6). The + qualifier is the default, so +a and a mean the same thing. The a mechanism matters because:

  • the MX hosts are where your mail is received, but the host behind the domain's A record (typically the web server) is often where mail is sent from
  • mx matches only the MX hosts and never falls back to the domain's A record, so a sender outside the MX set needs another mechanism to pass

Consider these common cases where +a becomes necessary:

# Scenario 1: Web applications sending transactional emails
# The webserver (A record) needs authorization even if it's not in MX records
v=spf1 a:webserver.example.com +mx -all

# Scenario 2: Legacy systems using hostname rather than dedicated mail servers
v=spf1 +a +mx -all

Using both mechanisms widens coverage at the cost of one more counted DNS lookup:

Mechanism   Counted DNS lookups (RFC 7208 limit: 10 per evaluation)          Coverage
mx only     1 for the mx term itself; the address lookups for the MX hosts    Only the MX hosts
            fall under a separate per-mechanism limit of 10
a mx        2                                                                 MX hosts plus the host behind the domain's A/AAAA record

For optimal email deliverability:

# Recommended basic SPF record
@ IN TXT "v=spf1 +a +mx ~all"

# For complex environments
@ IN TXT "v=spf1 include:_spf.google.com +a +mx -all"

# When using third-party email services
@ IN TXT "v=spf1 include:spf.protection.outlook.com +a +mx -all"

  • Don't use +a alone: it authorizes only the address behind the domain's A/AAAA record, so mail from the MX hosts fails, and on shared hosting every tenant at that address passes
  • Stay within the RFC 7208 limit of 10 DNS-querying terms per evaluation (a, mx, include, exists, redirect and ptr count; ip4, ip6 and all do not), or receivers return permerror
  • Avoid ?all (neutral) in production; use ~all while validating the sender list and -all once it is complete
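The three rules above, and the lookup count in the table, can be checked mechanically before a record is published. The following is an added example, not code from the original page: a small Python linter that tokenizes a record, counts the terms RFC 7208 charges against the 10-lookup budget, and flags a neutral or permissive all, a bare a, terms placed after all, and the deprecated ptr mechanism. The records it is run on are constructed for illustration.

```python
"""Static checks for an SPF record text (added example; not the page's code)."""
import re

# Terms that RFC 7208 section 4.6.4 charges against the limit of ten
# DNS-querying terms. ip4, ip6, all and exp cost no lookup.
LOOKUP_TERMS = {"a", "mx", "include", "exists", "redirect", "ptr"}
MAX_LOOKUPS = 10

# mechanism[:argument][/cidr[//cidr]]
_TERM = re.compile(r"^([A-Za-z0-9]+)(?::([^/]+))?((?:/\d+){1,2})?$")


def parse_terms(record):
    """Split a record into (qualifier, name, argument) tuples.

    Modifiers (name=value) get a '+' qualifier so redirect= is counted
    like a mechanism. '+' is also the default qualifier for mechanisms."""
    parts = record.strip().split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF v1 record")
    terms = []
    for tok in parts[1:]:
        if "=" in tok:
            name, value = tok.split("=", 1)
            terms.append(("+", name.lower(), value))
            continue
        qual = "+"
        if tok[0] in "+-~?":
            qual, tok = tok[0], tok[1:]
        m = _TERM.match(tok)
        if not m:
            raise ValueError(f"malformed term: {tok}")
        terms.append((qual, m.group(1).lower(), m.group(2) or ""))
    return terms


def count_lookups(terms):
    """Number of DNS-querying terms. This is a lower bound: at evaluation
    time each mx term also costs one address query per MX host, which
    cannot be seen from the record text alone."""
    return sum(1 for _, name, _ in terms if name in LOOKUP_TERMS)


def lint_spf(record):
    """Return a list of findings; an empty list means every check passed."""
    terms = parse_terms(record)
    names = [name for _, name, _ in terms]
    findings = []

    lookups = count_lookups(terms)
    if lookups > MAX_LOOKUPS:
        findings.append(f"{lookups} DNS-querying terms exceed the limit of "
                        f"{MAX_LOOKUPS}; receivers return permerror")

    if "all" in names:
        idx = names.index("all")
        qual = terms[idx][0]
        if qual == "?":
            findings.append("'?all' is neutral and gives receivers nothing to enforce")
        elif qual == "+":
            findings.append("'+all' authorizes every host on the Internet")
        if idx != len(terms) - 1:
            findings.append("terms after 'all' are never evaluated")
    elif "redirect" not in names:
        findings.append("no 'all' term: unlisted senders get a neutral result")

    if "ptr" in names:
        findings.append("'ptr' is deprecated by RFC 7208; prefer a, mx or ip4/ip6")

    # A bare 'a' covers only the address behind the domain's own A/AAAA
    # record: the MX hosts would fail, and on shared hosting every tenant
    # at that address would pass.
    if [n for n in names if n not in ("all", "exp")] == ["a"]:
        findings.append("'a' is the only mechanism; add mx (or ip4/ip6) "
                        "for the mail hosts and check what the A record points at")
    return findings
```

Run lint_spf on the record you intend to publish; an empty list means none of the checks fired. The lookup count it reports is a floor, because the address queries made while expanding each MX host only become visible at evaluation time.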

Many administrators include both +a and +mx mechanisms in their SPF records like this:

@ 10800 IN TXT "v=spf1 +a +mx -all"

While this seems redundant at first glance, there are legitimate technical reasons for this configuration.

MX records name the hosts that receive mail for the domain; A records map a name to an IP address. In SPF terms, mx authorizes the addresses of the MX hosts and a authorizes the address of the domain name itself. The key differences:

  • MX records: direct inbound mail delivery to your mail servers (e.g., mail.example.com); mx authorizes those servers' addresses
  • A records: resolve your base domain to an IP (e.g., example.com → 192.0.2.1); a authorizes that IP, which is usually the web server

Consider these real-world cases where +a becomes necessary:

1. Web Servers Sending Mail

Many CMS platforms send transactional emails directly from web servers:

# WordPress example sending password reset emails
"v=spf1 +a +mx -all"  # Allows web server IP via A record

2. Legacy Mail Configurations

Older systems might send mail directly from the domain's primary IP:

# Classic cPanel setup; a:example.com in example.com's own record is the same as a bare a
"v=spf1 a:example.com mx -all"

3. Split Mail and Web Infrastructure

When mail is hosted elsewhere but the domain's own host still sends (contact forms, notifications):

# Mail handled by Google Workspace via the include; a covers the domain's own host, so no mx is needed
"v=spf1 include:_spf.google.com +a -all"

While mx alone covers mail relayed through the MX hosts, adding a provides:

  • A match for mail that originates on the host behind the domain's A/AAAA record (the web server), which mx alone would reject
  • Coverage for a domain that publishes no MX record, since mx does not fall back to the domain's A record
  • Support for legacy systems that send from the domain's primary IP

Note that a is not a safety net for a broken MX lookup: a DNS error while evaluating mx yields temperror unless an earlier mechanism already matched.

For most modern setups, we recommend:

# Optimal balanced configuration
"v=spf1 mx a -all"

# For cloud-heavy infrastructures
"v=spf1 include:spf.protection.outlook.com include:_spf.google.com a -all"

Cases where a adds nothing:

  • Dedicated mail servers with no web components, where the host behind the A record never sends mail
  • Strict separation of services, where every sender is already listed via mx, include or ip4/ip6
  • Mail sent over IPv6 by a domain with no AAAA record: for an IPv6 sender the a mechanism checks AAAA records, so it can never match
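To make the mechanism semantics concrete (the a-versus-MX distinction, the web-server and no-MX scenarios, the reasons given for adding a, and the IPv6 case in the last bullet), here is an added example rather than code from the page: a minimal SPF evaluator in Python over a constructed stub zone. It implements a, mx, ip4, ip6, include and all, the left-to-right first-match rule, AAAA selection for IPv6 senders, and the 10-lookup limit. It is a teaching model, not a replacement for a production checker such as pyspf; every hostname, address and zone entry is constructed, and dual-CIDR arguments (/24//64) are not modelled.

```python
"""Minimal SPF evaluator over a stub zone (added example; not the page's code)."""
import ipaddress

# Constructed zone. The web server sits behind example.com's A record and is
# not an MX host; nomx.example.com publishes no MX record at all.
ZONE = {
    ("example.com", "A"): ["192.0.2.10"],
    ("example.com", "AAAA"): [],
    ("example.com", "MX"): ["mail.example.com"],
    ("mail.example.com", "A"): ["192.0.2.25"],
    ("mail.example.com", "AAAA"): ["2001:db8::25"],
    ("nomx.example.com", "A"): ["192.0.2.40"],
    ("_spf.example.net", "TXT"): ["v=spf1 ip4:198.51.100.0/24 -all"],
    ("loop.example.com", "TXT"): ["v=spf1 include:loop.example.com -all"],
}
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10


def lookup(name, rtype):
    """Stub resolver: returns the zone's records, or [] when none exist."""
    return ZONE.get((name.lower(), rtype), [])


def _in_hosts(ip, addrs, cidr):
    """True if ip equals one of addrs, or lies inside one widened to /cidr."""
    prefix = int(cidr) if cidr else ip.max_prefixlen
    return any(ip in ipaddress.ip_network(f"{a}/{prefix}", strict=False)
               for a in addrs)


def evaluate(record, sender_ip, domain, counter=None):
    """Evaluate record (published at domain) for sender_ip.

    Returns (result, counted_lookups). Mechanisms are tried left to right and
    the first match decides; a, mx and include each cost one counted lookup."""
    ip = ipaddress.ip_address(sender_ip)
    rtype = "AAAA" if ip.version == 6 else "A"   # RFC 7208: a/mx use AAAA over IPv6
    counter = counter if counter is not None else [0]

    def spend():
        counter[0] += 1
        if counter[0] > MAX_LOOKUPS:
            raise ValueError("lookup limit exceeded")

    try:
        for tok in record.split()[1:]:                 # skip v=spf1
            qual = "+"                                 # '+' is the default qualifier
            if tok[0] in "+-~?":
                qual, tok = tok[0], tok[1:]
            mech, _, arg = tok.partition(":")
            mech, _, cidr = mech.partition("/")        # a/24 form
            if mech in ("a", "mx") and not cidr:
                arg, _, cidr = arg.partition("/")      # a:host/24 form
            target = arg or domain
            if mech == "all":
                matched = True
            elif mech in ("ip4", "ip6"):
                matched = ip in ipaddress.ip_network(arg, strict=False)
            elif mech == "a":
                spend()
                matched = _in_hosts(ip, lookup(target, rtype), cidr)
            elif mech == "mx":
                spend()
                # mx never falls back to the domain's own A/AAAA record:
                # a domain with no MX simply matches nothing here.
                matched = any(_in_hosts(ip, lookup(host, rtype), cidr)
                              for host in lookup(target, "MX"))
            elif mech == "include":
                spend()
                sub = lookup(target, "TXT")
                if not sub:
                    return "permerror", counter[0]
                sub_result = evaluate(sub[0], sender_ip, target, counter)[0]
                if sub_result == "permerror":
                    return "permerror", counter[0]
                matched = sub_result == "pass"
            else:
                return "permerror", counter[0]         # unknown mechanism
            if matched:
                return RESULT[qual], counter[0]
    except ValueError:
        return "permerror", counter[0]
    return "neutral", counter[0]                       # nothing matched, no 'all'


def demo():
    """The page's scenarios against the stub zone, as result strings."""
    web, mail_v6 = "192.0.2.10", "2001:db8::25"
    nomx, web_v6 = "192.0.2.40", "2001:db8::10"
    return {
        "web_server_mx_only": evaluate("v=spf1 mx -all", web, "example.com")[0],
        "web_server_a_mx": evaluate("v=spf1 a mx -all", web, "example.com")[0],
        "mx_host_over_ipv6": evaluate("v=spf1 a mx -all", mail_v6, "example.com")[0],
        "no_mx_domain_mx_only": evaluate("v=spf1 mx -all", nomx, "nomx.example.com")[0],
        "no_mx_domain_a_mx": evaluate("v=spf1 a mx -all", nomx, "nomx.example.com")[0],
        "web_ipv6_without_aaaa": evaluate("v=spf1 a mx -all", web_v6, "example.com")[0],
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:24s} {result}")
```

The demo cases show the four points made in the text: the web server fails under mx alone and passes once a is present; the MX host passes over IPv6 because mx consults its AAAA record; the no-MX domain fails under mx alone because there is no fallback to its A record; and the web server sending over IPv6 fails even with a, because example.com publishes no AAAA record. The self-referencing loop.example.com entry shows the lookup limit turning into permerror.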

Always test SPF records before deployment, for example with MXToolBox, and confirm with dig TXT example.com that the record receivers fetch is the one you intended; roll out with ~all first and switch to -all once no legitimate sender soft-fails.