SPF record -- why do we use `+a` alongside `+mx`?
Why do administrators mostly use `+a` alongside `+mx` in SPF records?

This is the example:

```
@ 10800 IN TXT "v=spf1 +a +mx -all"
```

Isn't it enough to only use the `+mx` parameter, e.g.:

```
@ 10800 IN TXT "v=spf1 +mx -all"
```

I thought the MX record's task is to send email and not the A record's. Can anyone explain a scenario where anyone would use `+a` then?
Solution 1:
Frankly, because they have copied the configuration from some tutorial or example configuration without knowing the basic principles of SPF. Sometimes it's desired that e.g. both a web server in `a` and the incoming mail exchangers in `mx` are also used for sending mail, but not nearly always.

It's better to favor mechanisms with fewer additional DNS queries: `ip4`/`ip6` over `a`, and `a` over `mx` (RFC 7208, 10.1.1). And even if, for easier administration (10.1.2), an `a` mechanism is chosen, it's not always a plain `mx` or `a`, but e.g. `a:relay.example.com`.
Solution 2:
The task of the hosts listed in `MX` records is to receive email, not necessarily to deliver email.

It's entirely valid (and quite common, particularly for larger operations) to have an asymmetric setup where the hosts handling inbound and outbound email are not the same.

That is, there is no guarantee that either `mx` (aka `+mx`) or `a` (aka `+a`) in SPF is relevant for specifying which hosts are expected to deliver email.

As an example, if you don't run your own mail servers, maybe something like `v=spf1 include:spf.majoremailserviceprovider.example -all` would be more relevant.

To directly address the question about why the `a mx` combination in particular appears to be overrepresented in SPF records, my guess is that this situation boils down to all too many administrators adding SPF records without understanding the SPF concepts well enough to judge what to put in their policy, instead just copy-pasting some arbitrarily constructed examples.
Solution 3:
I agree with the other answers that `+a +mx` is probably a cargo-culted anti-idiom.

Regarding when you would use `+a`, the RFC document answers this in section 10.1.2:

> Publishing SPF records for individual hosts is also best practice. The host name is generally the identity used in the 5321.HELO/.EHLO command. In the case of messages with a null 5321.MailFrom, this is used as the domain for 5321.MailFrom SPF checks, in addition to being used in 5321.HELO/.EHLO-based SPF checks. The standard SPF record for an individual host that is involved in mail processing is:
>
> `relay.example.com. IN TXT "v=spf1 a -all"`

For example, I publish such a record for my mail server `mail.mydomain.org`, for the benefit of verifiers that verify the HELO identity first. (Of course, I also publish the customary `v=spf1 mx -all` record at the mail domain `mydomain.org` itself.)
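To make the three answers concrete, here is an added example (not from the question or any of the answers) that evaluates the policies discussed in this thread against an in-memory, constructed DNS table. It shows what `+a` actually adds over `+mx` (the zone apex's web server becomes an authorized sender), why `mx` alone says nothing about an outbound relay (Solution 2's asymmetric setup), how `ip4` avoids DNS lookups entirely (Solution 1's preference order from RFC 7208 section 10.1.1), and how the per-host `v=spf1 a -all` record from section 10.1.2 passes for the relay's HELO identity (Solution 3). All hostnames and addresses (`example.com`, `mx.example.com`, `relay.example.com`, `spf.provider.example`, the 192.0.2.x / 198.51.100.x / 203.0.113.x ranges) are constructed documentation values, and only the mechanisms the thread mentions are implemented; a real verifier handles far more (ptr, exists, macros, redirect, CIDR on `a`/`mx`, the separate per-`mx` host limit).

```python
"""Toy SPF evaluator over a constructed DNS table (added example, not the thread's own code)."""
import ipaddress

# Constructed zone data; the IPs are RFC 5737 documentation addresses.
DNS = {
    "A": {
        "example.com": "192.0.2.10",          # web server at the zone apex (what "+a" authorizes)
        "mx.example.com": "192.0.2.25",       # inbound mail exchanger (what "+mx" authorizes)
        "relay.example.com": "198.51.100.5",  # outbound relay, covered by neither a nor mx
    },
    "MX": {"example.com": ["mx.example.com"]},
    "TXT": {
        # per-host HELO-identity record, as in RFC 7208 section 10.1.2
        "relay.example.com": "v=spf1 a -all",
        # a hosted provider's policy, reached through include:
        "spf.provider.example": "v=spf1 ip4:203.0.113.0/24 -all",
    },
}

# The policies compared in the thread, plus the two alternatives the answers recommend.
POLICIES = {
    "+a +mx": "v=spf1 +a +mx -all",
    "+mx": "v=spf1 +mx -all",
    "ip4": "v=spf1 ip4:198.51.100.5 -all",
    "include": "v=spf1 include:spf.provider.example -all",
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


class LookupBudget:
    """Counts DNS-querying mechanisms (a, mx, include); RFC 7208 section 4.6.4 caps them at 10."""

    def __init__(self, limit=10):
        self.limit = limit
        self.used = 0

    def charge(self):
        self.used += 1
        if self.used > self.limit:
            raise RuntimeError("permerror: more than %d DNS-querying terms" % self.limit)


def check_host(ip, domain, record, budget=None):
    """Evaluate one SPF record for sender `ip`; return (result, dns_lookups_used)."""
    ip = ipaddress.ip_address(ip)
    if budget is None:
        budget = LookupBudget()
    terms = record.split()
    if terms[0] != "v=spf1":
        raise ValueError("not an SPF record: %r" % record)
    for term in terms[1:]:
        qualifier = "+"  # an omitted qualifier means "+", so "mx" and "+mx" are identical
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            matched = True
        elif name == "ip4":  # no DNS query at all
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "a":  # does the A record of <arg or domain> equal the sender?
            budget.charge()
            matched = DNS["A"].get(arg or domain) == str(ip)
        elif name == "mx":  # does the A record of any MX host equal the sender?
            budget.charge()
            hosts = DNS["MX"].get(arg or domain, [])
            matched = any(DNS["A"].get(h) == str(ip) for h in hosts)
        elif name == "include":  # recursive check that shares the lookup budget
            budget.charge()
            sub_result, _ = check_host(str(ip), arg, DNS["TXT"][arg], budget)
            matched = sub_result == "pass"
        else:
            raise ValueError("unsupported mechanism: " + name)
        if matched:
            return QUALIFIER_RESULT[qualifier], budget.used
    return "neutral", budget.used  # nothing matched and no "all" term


def within_lookup_limit(ip, domain, record):
    """True if the record can be evaluated without exceeding the 10-lookup cap."""
    try:
        check_host(ip, domain, record)
        return True
    except RuntimeError:
        return False


def compare(ip, domain="example.com"):
    """Evaluate every policy in POLICIES for one sender: {label: (result, lookups)}."""
    return {label: check_host(ip, domain, rec) for label, rec in POLICIES.items()}


if __name__ == "__main__":
    for sender in ("192.0.2.10", "192.0.2.25", "198.51.100.5", "203.0.113.7"):
        print(sender, compare(sender))
    print("HELO relay.example.com",
          check_host("198.51.100.5", "relay.example.com", DNS["TXT"]["relay.example.com"]))
```

Running it shows the web server (192.0.2.10) passing only under `+a +mx`, the MX host passing under both but costing two lookups instead of one under `+a +mx`, and the outbound relay failing under both unless it is listed with `ip4` (zero lookups) or has its own `v=spf1 a -all` record checked against its HELO name. The lookup counter is the practical reason behind Solution 1's preference order: every `a`, `mx` and `include` spends one of the ten DNS-querying terms a verifier will tolerate before returning permerror.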