September 4, 2021

For an on-premises-only email system, why do people use all possible SPF mechanisms instead of just MX?

Hi folks,

Trying to harden an email system which was set up by former colleagues. We’ve briefly done inbound controls and have started on hardening for outbound.

Is there any reason for people to configure all possible SPF mechanisms (MX, A, IP4), when an MX record is already a must for an email system? Considering that the only outbound path for us is through an email security gateway?

I understand that in other situations (hybrid cloud, Office 365, GSuite, etc.), people might want to specify different email delivery systems, either by other A/IP4 mechanisms or by an include. However, what is the point when the MX points to the A, which resolves to the IPv4 of the sole email security gateway? Also, MX has the capability to point to different A/AAAA records of the domain, which completely eliminates the need for specifying the A or IP4 mechanism in the SPF record, no?

e.g.:

* MX example.com 10 smtp.example.com
* MX example.com 20 smtp-drc.example.com
* A smtp.example.com 192.0.2.10
* A smtp-drc.example.com 192.0.2.130
* SPF example.com v=spf1 mx a ip4:192.0.2.10 ip4:192.0.2.130 -all
* SPF could have been simplified as v=spf1 mx -all
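To check the equivalence claimed above, here is an added example (not part of the original post) that evaluates the `mx`, `a`, `ip4` and `all` mechanisms against a constructed DNS table mirroring the records listed. The zone data and the IPs used are assumptions copied from the post, not live lookups; `include`, `redirect` and dual-CIDR syntax are deliberately left out.

```python
import ipaddress

# Constructed DNS zone mirroring the records in the post (no real lookups).
DNS = {
    ("example.com", "MX"): [(10, "smtp.example.com"), (20, "smtp-drc.example.com")],
    ("smtp.example.com", "A"): ["192.0.2.10"],
    ("smtp-drc.example.com", "A"): ["192.0.2.130"],
}

LONG_RECORD = "v=spf1 mx a ip4:192.0.2.10 ip4:192.0.2.130 -all"
SHORT_RECORD = "v=spf1 mx -all"


def lookup(name, rtype):
    """Return the constructed zone's answers for (name, rtype), or [] if absent."""
    return DNS.get((name, rtype), [])


def mechanism_matches(mech, domain, ip):
    """True if one SPF mechanism (qualifier already stripped) matches the sending ip."""
    kind, _, arg = mech.partition(":")
    if kind == "all":
        return True
    if kind == "ip4":  # a bare address is treated as a /32 by ip_network
        return ipaddress.ip_address(ip) in ipaddress.ip_network(arg)
    if kind == "a":  # "a" alone means the domain being checked
        return ip in lookup(arg or domain, "A")
    if kind == "mx":  # every MX host's A records are candidates
        hosts = [host for _, host in lookup(arg or domain, "MX")]
        return any(ip in lookup(host, "A") for host in hosts)
    raise ValueError(f"unsupported mechanism: {kind}")


def check_spf(record, domain, ip):
    """Evaluate record left to right; first matching mechanism decides the result."""
    terms = record.split()
    if not terms or terms[0] != "v=spf1":
        return "none"
    results = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in terms[1:]:
        qualifier = term[0] if term[0] in results else "+"
        if mechanism_matches(term.lstrip("+-~?"), domain, ip):
            return results[qualifier]
    return "neutral"  # RFC 7208: nothing matched and no "all" present


def equivalent(record_a, record_b, domain, ips):
    """True if both records give the same verdict for every ip in ips."""
    return all(check_spf(record_a, domain, ip) == check_spf(record_b, domain, ip) for ip in ips)
```

The two records agree for the listed gateways and for an unlisted sender; they would only diverge if an outbound host were added to `ip4`/`a` without also being an MX host, which is the case the shorter record cannot express.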
