Home / server / Questions / 1047763
Accepted
71GA
Asked: 2020-12-29 01:11:56 +0800 CST

SPF record -- why do we use `+a` alongside `+mx`?

  • 772

Why do administrators mostly use +a alongside +mx in SPF records? This is the example:

@              10800 IN TXT     "v=spf1 +a +mx -all"

Isn't it enough to only use +mx parameter e.g.:

@              10800 IN TXT     "v=spf1 +mx -all"

I thought MX record's task is to send email and not A record's. Can anyone explain the scenario why would anyone use +a then?

spf

4 Answers

  1. Best Answer

    Frankly because they have copied the configuration from some tutorial or example configuration without knowing the basic principles of SPF. Sometimes it's desired that e.g. both a web server in a and incoming mail exchanges mx are also used for sending mail, but not nearly always.

    It's better to favor mechanisms with less additional DNS queries: ip4/ip6 over a and a over mx (RFC 7208, 10.1.1) And even if, for easier administration (10.1.2), a mechanism is chosen, it's not always a mx or a, but e.g. a:relay.example.com.

    • 21

  2. The task of the hosts listed in MX records is to receive email, not necessarily to deliver email.
    It's entirely valid (and quite common, particularly for larger operations) to have an asymmetric setup where the hosts handling inbound and outbound email are not the same.

    That is, there is no guarantee that either mx (aka +mx) or a (aka +a) in SPF is a relevant for specifying which hosts are expected to deliver email.
    As an example, if you don't run your own mail servers, maybe something like v=spf1 include:spf.majoremailserviceprovider.example -all would be more relevant.

    To directly address the question about why the a mx combination in particular appears to be overrepresented in SPF records, my guess is that this situation boils down to all too many administrators adding SPF records without understanding the SPF concepts well enough to judge what to put in their policy, instead just copy-pasting some arbitrarily constructed examples.

    • 19

  3. I agree with the other answers that +a +mx is probably a cargo-culted anti-idiom.

    Regarding when you would use +a, the RFC document answers this in section 10.1.2:

    Publishing SPF records for individual hosts is also best practice. The host name is generally the identity used in the 5321.HELO/.EHLO command. In the case of messages with a null 5321.MailFrom, this is used as the domain for 5321.MailFrom SPF checks, in addition to being used in 5321.HELO/.EHLO-based SPF checks. The standard SPF record for an individual host that is involved in mail processing is:

    relay.example.com.   IN TXT  "v=spf1 a -all"

    For example, I publish such a record for my mail server mail.mydomain.org, for the benefit of verifiers that verify the HELO identity first. (Of course, I also publish the customary v=spf1 mx -all record at the mail domain mydomain.org itself.)

    • 4

  4. Could be an advantage in length - though this is very unlikely to be the real motivation.

    Consider that the TXT record can blow out in size to where a single UDP packet is too small. So the request is sent again in TCP and the reply is multiple TCP packets and the associated handshake setup time.

    By careful use of the A and MX requests, one could get two ~1500 byte UDP replies for the SPF record, one for the A and one for the MX, as well as the remaining ~1400 bytes for all the TXT records.

    This assumes you have enough authorised "things" in your SPF record to exceed 3000 bytes. Includes can also work around length restrictions but I'm hazy if they would each be a separate UDP request or a single TCP request session.

    • 0