SPF Include vs Redirect vs A vs MX: When to Use Each Mechanism

SPF Mechanism Overview

SPF mechanisms tell receiving servers which IPs are authorized to send email for your domain. Each mechanism has different use cases and lookup costs.

Mechanism	DNS Lookups	Use Case
include	1+	Authorize ESPs and third-party senders
ip4 / ip6	0	Authorize specific IP addresses
a	1	Authorize your domain's A record IP
mx	1+	Authorize your mail server IPs
redirect	1+	Delegate entirely to another domain
exists	1	Advanced macro-based authorization

include — Authorizing ESPs

Syntax: include:domain.com

What it does: Adds all IPs authorized by another domain's SPF record to your authorized list.

Example:

v=spf1 include:_spf.google.com include:sendgrid.net ~all

When to use:

• Authorizing any ESP (SendGrid, Mailgun, Postmark, etc.)
• Authorizing Google Workspace or Microsoft 365
• Any third-party service that sends email for you

Lookup cost: 1 lookup + any nested includes in the target record. Google Workspace's _spf.google.com alone triggers 3-4 lookups.

Practitioner note: Include is the right choice 90% of the time. ESPs update their sending IPs regularly—include automatically follows those changes. Hardcoding IPs with ip4 creates maintenance headaches when ESPs rotate infrastructure.

ip4 and ip6 — Static IP Addresses

Syntax: ip4:192.0.2.1 or ip4:192.0.2.0/24 (CIDR notation)

What it does: Authorizes specific IP addresses or ranges.

Example:

v=spf1 ip4:203.0.113.50 ip4:198.51.100.0/24 ~all

When to use:

• Dedicated IPs from your ESP that won't change
• Self-hosted mail servers with static IPs
• Reducing lookup count when hitting the limit

Lookup cost: Zero. IP mechanisms don't require DNS resolution.

Risks: If the IP changes, you must manually update your SPF record. ESPs rotate IPs—don't assume they're permanent.

a — Your Domain's A Record

Syntax: a or a:other-domain.com

What it does: Authorizes the IP address(es) in your domain's A record (or another specified domain).

Example:

v=spf1 a include:sendgrid.net ~all

When to use:

• Your web server also sends email (rare today)
• You run a mail server on your main domain IP

When NOT to use:

• Your web server doesn't send email (most modern setups)
• You use separate infrastructure for web and email

Lookup cost: 1 DNS lookup.

Practitioner note: I remove the a mechanism from most client SPF records. It's a holdover from when web servers and mail servers lived on the same IP. Modern infrastructure separates these—a just wastes a lookup for most domains.

mx — Your Mail Servers

Syntax: mx or mx:other-domain.com

What it does: Authorizes the IP addresses of your MX (mail exchange) servers.

Example:

v=spf1 mx include:sendgrid.net ~all

When to use:

• Your inbound mail servers also send outbound email
• Self-hosted setups where MX servers handle both directions

When NOT to use:

• You use separate inbound/outbound mail infrastructure
• MX points to Google/Microsoft (already covered by their include)

Lookup cost: 1 DNS lookup + 1 per MX server resolved. If you have 3 MX records, that's 4 lookups total.

redirect — Complete Delegation

Syntax: redirect=other-domain.com

What it does: Completely replaces your SPF evaluation with another domain's record. Not the same as include—redirect takes over entirely.

Example:

v=spf1 redirect=_spf.example.com

When to use:

• Managing multiple domains that should share identical SPF policies
• Centralizing SPF management for a domain family

When NOT to use:

• When you need to add domain-specific mechanisms
• When you want to combine with other includes

Important: Redirect must be the only mechanism (except for exp). You can't use redirect with includes.

Lookup cost: 1+ lookups (follows the target record's chain).

Practitioner note: I rarely recommend redirect. It gives another domain total control over your SPF policy. Most "I want to share SPF across domains" cases are better solved by including a common subdomain record from each domain.

exists — Advanced Macros

Syntax: exists:%{i}._spf.example.com

What it does: Performs a DNS lookup using macros (like sender IP) to check authorization.

Example:

v=spf1 exists:%{i}._spf.example.com ~all

When to use:

• Advanced scenarios where you need IP-specific lookups
• Large organizations with complex IP management

When NOT to use:

• Standard ESP authorization
• Anything that can be solved with include or ip4

Lookup cost: 1 DNS lookup.

Most domains never need exists. It's for specialized enterprise scenarios.

Combining Mechanisms

Typical small business:

v=spf1 include:_spf.google.com include:sendgrid.net ~all

Ecommerce with dedicated IPs:

v=spf1 include:_spf.google.com ip4:192.0.2.50 include:_spf.klaviyo.com ~all

Self-hosted mail server:

v=spf1 mx ip4:203.0.113.10 ~all

Agency with multiple ESPs:

v=spf1 include:_spf.google.com include:sendgrid.net include:mailgun.org include:servers.mcsv.net ~all

Mechanism Order

SPF mechanisms are evaluated left to right. Place more specific mechanisms first:

v=spf1 ip4:192.0.2.50 include:sendgrid.net include:_spf.google.com ~all

The first matching mechanism determines the result.

Lookup Budget Planning

You have 10 DNS lookups total. Plan your budget:

Mechanism	Typical Cost
Google Workspace include	3-4 lookups
Microsoft 365 include	2-3 lookups
SendGrid include	3-4 lookups
Mailgun include	1-2 lookups
ip4 (any number)	0 lookups
a	1 lookup
mx	1 + MX count lookups

If you're approaching the limit, replace includes with ip4 for static IPs or consider SPF flattening.

If you need help optimizing your SPF record to stay under the lookup limit while authorizing all senders, schedule a consultation.

Sources

• RFC 7208: Sender Policy Framework (SPF), Section 5 - Mechanisms
• dmarcian: SPF Mechanism Reference
• MXToolbox: SPF Record Testing
• IETF: SPF DNS Lookup Limits

---

v1.0 · March 2026