Trying to harden an email system that was set up by former colleagues. We've briefly done inbound controls and have started on hardening for outbound.
Is there any reason for people to configure all possible SPF mechanisms (MX, A, IP4) when an MX record is already a must for an email system? Considering that the only outbound path for us is through an email security gateway?
I understand that in other situations (hybrid cloud, Office 365, GSuite, etc.), people might want to specify different email delivery systems, either by other A/IP4 mechanisms or by includes. However, what is the point when the MX points to the A, which resolves to the IPv4 of the sole email security gateway? Also, MX has the capability to point to different A/AAAA records of the domain, which completely eliminates the need for specifying A or IP4 mechanisms in the SPF record, no?
* MX example.com 10 smtp.example.com
* MX example.com 20 smtp-drc.example.com
* A smtp.example.com 192.0.2.10
* A smtp-drc.example.com 192.0.2.130
* SPF example.com v=spf1 mx a ip4:192.0.2.10 ip4:192.0.2.130 -all
* SPF could have been simplified as v=spf1 mx -all
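To see what the two records in the post actually do, here is a small SPF evaluator (an added example, not code from the poster or from any SPF library) covering only the mechanisms involved: `all`, `ip4`, `a` and `mx`. It resolves against a constructed in-memory zone that mirrors the records listed above; the zone deliberately has no A record for `example.com` itself, since the post does not list one. The `check_spf` function also counts the DNS-querying terms (`a`, `mx`) so the two records can be compared against the RFC 7208 limit of 10 such terms.

```python
"""Minimal SPF evaluator: enough of RFC 7208 (mechanisms all, ip4, a, mx)
to compare the two records from the post against a constructed zone."""
import ipaddress

# Constructed zone mirroring the records in the post (RFC 5737 documentation space).
# Assumption: there is no A record for example.com itself, only for the MX hosts.
ZONE = {
    ("example.com", "MX"): [(10, "smtp.example.com"), (20, "smtp-drc.example.com")],
    ("smtp.example.com", "A"): ["192.0.2.10"],
    ("smtp-drc.example.com", "A"): ["192.0.2.130"],
}

MAX_DNS_TERMS = 10  # RFC 7208 s4.6.4: at most 10 DNS-querying terms per evaluation
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Stand-in for a resolver; returns [] when the name/type does not exist."""
    return ZONE.get((name.lower(), rtype), [])


def ip_in(ip, addr, cidr):
    """True if ip falls inside addr/cidr (version mismatch simply yields False)."""
    return ip in ipaddress.ip_network(f"{addr}/{cidr}", strict=False)


def parse_term(term):
    """Split 'qualifier mechanism[:value][/cidr]'; default qualifier '+', cidr /32."""
    qualifier = "+"
    if term[0] in QUALIFIERS:
        qualifier, term = term[0], term[1:]
    body, _, cidr = term.partition("/")
    name, _, value = body.partition(":")
    return qualifier, name.lower(), value, int(cidr) if cidr else 32


def check_spf(record, client_ip, domain):
    """Return (result, matched_term, dns_querying_terms) for client_ip under record."""
    ip = ipaddress.ip_address(client_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none", None, 0
    dns_terms = 0
    for term in terms[1:]:
        qualifier, mech, value, cidr = parse_term(term)
        matched = False
        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = ip.version == 4 and ip_in(ip, value, cidr)
        elif mech in ("a", "mx"):
            dns_terms += 1
            if dns_terms > MAX_DNS_TERMS:
                return "permerror", term, dns_terms
            target = value or domain          # bare "a"/"mx" refer to the sender domain
            if mech == "a":
                hosts = [target]
            else:
                # mx: one MX query, then an A query per MX host (RFC 7208 caps these at 10)
                hosts = [host for _, host in sorted(lookup(target, "MX"))][:10]
            for host in hosts:
                if any(ip_in(ip, a, cidr) for a in lookup(host, "A")):
                    matched = True
                    break
        else:
            return "permerror", term, dns_terms   # include/exists/ptr not modelled here
        if matched:
            return QUALIFIERS[qualifier], term, dns_terms
    return "neutral", None, dns_terms             # ran off the end with no "all"


VERBOSE = "v=spf1 mx a ip4:192.0.2.10 ip4:192.0.2.130 -all"
SIMPLE = "v=spf1 mx -all"

if __name__ == "__main__":
    for client in ("192.0.2.10", "192.0.2.130", "198.51.100.5"):
        for rec in (VERBOSE, SIMPLE):
            print(f"{client:14} {rec!r:55} -> {check_spf(rec, client, 'example.com')}")
```

With this zone both records give the same verdict for every client IP: the two gateway addresses pass on the `mx` term before `a` or `ip4` are ever consulted, and any other address reaches `-all`. The difference is in cost: the verbose record spends two of the ten DNS-querying terms (`mx` and `a`) while the simplified one spends one, and the bare `a` term never matches at all because `example.com` has no A record of its own. Running `check_spf("v=spf1 a -all", "192.0.2.10", "example.com")` makes that last point explicit.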