What are some examples of common but unusual SPF and MX records?

Summary

Unusual SPF and MX record configurations include complex SPF records exceeding DNS lookup limits, the presence of `MX localhost` or `mx .` (with specific implications for mail acceptance), the flawed inclusion of `localhost` due to header misinterpretations, and the misuse of the `ptr` mechanism. Multiple SPF records and missing `-all` mechanisms also pose issues. Furthermore, SPF void lookups, along with the use of `v=spf1 -all`, reflect specific use cases or misconfigurations affecting email delivery.

Key findings

  • SPF Complexity Issues: Complex SPF records with excessive `include:` mechanisms can exceed DNS lookup limits, causing SPF failures.
  • MX Record Oddities: `MX localhost` is acceptable, indicating no mail acceptance, and `mx .` is also acceptable but may have specific implications.
  • Localhost Misconceptions: Incorrect inclusion of `localhost` in SPF stems from misunderstanding Received headers.
  • Multiple SPF Records (Invalid): Having more than one SPF record per domain is invalid, leading to unpredictable behavior.
  • PTR Mechanism Fragility: The `ptr` mechanism is fragile and should be avoided.
  • Missing `-all` Mechanism: The absence of the `-all` mechanism in an SPF record leads to accepting mail from all IPs.
  • SPF Void Lookups: SPF void lookups, caused by nonexistent domains, waste resources and might cause SPF failures.
  • Disabling Email Sending: An SPF record with `v=spf1 -all` means a domain will not originate any emails.

Key considerations

  • Managing DNS Lookups: Carefully manage DNS lookups to stay within the SPF limit.
  • Understanding MX Records: Fully understand the meaning of `MX localhost` and `mx .`.
  • Correcting Misconceptions: Avoid adding `localhost` in SPF records based on header interpretations alone.
  • SPF Record Validation: Ensure only a single valid SPF record exists per domain.
  • Avoiding PTR: Avoid using the `ptr` mechanism due to its limitations.
  • Proper `-all` Usage: Use the `-all` mechanism correctly at the end of the SPF record to properly block email.
  • Preventing SPF Void Lookups: Ensure that SPF records query existing domains only.
  • Intended Use of v=spf1 -all: Ensure this configuration is used purposefully only when a domain should not send emails.
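
The checks listed above can be run mechanically over a domain's TXT records. The following Python is an added example, not code from this page or from any tool it cites; `lint_spf`, the finding strings and the sample records are constructed for illustration, and it counts only the lookup terms in the record itself, not those pulled in by nested `include:` targets.

```python
import re

# Terms that each cost one DNS lookup during SPF evaluation (RFC 7208, section 4.6.4).
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")
LOOKUP_LIMIT = 10

# Constructed sample records (documentation domains, not real DNS data).
TOO_MANY = ("v=spf1 "
            + " ".join(f"include:spf{i}.example.net" for i in range(11))
            + " ~all")
FRAGILE = "v=spf1 include:spf.example.net ip4:127.0.0.1 ptr"


def lint_spf(txt_records):
    """Return a list of findings for one domain's TXT records (strings)."""
    spf = [r for r in txt_records if r.lower().split(" ")[0] == "v=spf1"]
    if not spf:
        return ["no SPF record"]
    if len(spf) > 1:
        return ["multiple SPF records (invalid)"]
    findings = []
    terms = spf[0].split()[1:]
    lookups = 0
    for term in terms:
        # Strip the qualifier, then cut at ':', '=' or '/' to get the term name.
        name = re.split(r"[:=/]", term.lstrip("+-~?"), maxsplit=1)[0].lower()
        if name in LOOKUP_TERMS:
            lookups += 1
        if name == "ptr":
            findings.append("uses ptr mechanism")
        if name == "ip4" and term.split(":", 1)[-1].startswith("127."):
            findings.append("authorizes loopback address")
    if lookups > LOOKUP_LIMIT:
        findings.append(
            f"{lookups} DNS lookup terms in this record (limit {LOOKUP_LIMIT})")
    last = terms[-1].lower() if terms else ""
    if not (last.lstrip("+-~?") == "all" or last.startswith("redirect=")):
        findings.append("no terminal all mechanism")
    elif terms == ["-all"]:
        findings.append("domain declares it sends no mail")
    return findings


if __name__ == "__main__":
    for records in ([TOO_MANY], [FRAGILE], ["v=spf1 -all"]):
        print(lint_spf(records))
```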

What email marketers say
8 marketer opinions

Various unusual SPF and MX record configurations can impact email deliverability. These include overly complex SPF records exceeding DNS lookup limits, including `localhost` inappropriately, using the `ptr` mechanism, incorrect configurations such as multiple SPF records, and empty MX records which prevent email reception. These issues often stem from misunderstandings of the specifications or misapplied troubleshooting efforts.

Key opinions

  • Complex SPF Records: Overly complex SPF records with numerous `include:` mechanisms can exceed the 10 DNS lookup limit, causing SPF failures.
  • Localhost Misuse: Including `localhost` (127.0.0.1) in SPF records or MX records pointing to localhost is generally incorrect for production environments.
  • Invalid Configurations: Having multiple SPF records for a domain violates the SPF specification and leads to unpredictable results.
  • Empty MX Records: An empty MX record indicates that a domain does not accept email, which is uncommon.
  • PTR Mechanism Issues: The `ptr` mechanism is fragile, slow, and can give wrong results. Its use should be avoided.

Key considerations

  • DNS Lookup Limits: Carefully manage the number of DNS lookups within an SPF record to stay within the limit of 10.
  • Environment Awareness: Distinguish between development/test and production environments when configuring MX records and avoid using development configurations in production.
  • SPF Record Validation: Regularly validate SPF records to ensure they adhere to the specification and function as intended. Having multiple SPF records is invalid.
  • Thorough Testing: Test all email configurations after changes to ensure email deliverability isn't negatively impacted.
  • DNS Knowledge: Ensure that IT teams have a solid understanding of SPF and MX record configurations.

Marketer view

Email marketer from Super User explains that an MX record pointing to `localhost` (127.0.0.1) indicates that the domain only accepts email from the local server. It's sometimes used on development or test environments, but it's unusual in production.

June 2021 - Super User

Marketer view

Marketer from Email Geeks shares an example of a `v=spf1` record including multiple includes and ip4 addresses: `v=spf1 include:registrarmail.net include:sparkpostmail.com ip4:10.10.0.0/19 ip4:127.0.0.1 ...`

January 2022 - Email Geeks

What the experts say
4 expert opinions

Several unusual SPF and MX record configurations exist. `MX localhost` is an acceptable configuration indicating a domain doesn't accept mail. `mx .` is also acceptable. SPF void lookups, caused by querying nonexistent domains, waste time and can cause failures. The `-all` mechanism should be at the end of SPF records; its absence means the receiver will accept mail from any IP address.

Key opinions

  • MX Localhost: `MX localhost` indicates a domain doesn't accept mail.
  • MX Dot: `mx .` is also an acceptable MX record.
  • SPF Void Lookups: SPF void lookups occur when querying nonexistent domains, wasting resources and potentially causing SPF failures.
  • Missing -all Mechanism: Absence of the `-all` mechanism in an SPF record means the receiver will accept mail from any IP address.

Key considerations

  • Understand MX Configurations: Properly understand the implications of using `MX localhost` and `mx .`.
  • Prevent SPF Void Lookups: Ensure SPF records query existing domains to avoid void lookups.
  • Correct -all Placement: Always place the `-all` mechanism correctly at the end of the SPF record to enforce intended policy.

Expert view

Expert from Email Geeks shares that `mx .` is also acceptable.

March 2023 - Email Geeks

Expert view

Expert from Email Geeks explains that `MX localhost` is common and acceptable, indicating the domain does not accept mail.

July 2021 - Email Geeks

What the documentation says
3 technical articles

SPF records, as detailed by Microsoft, typically start with `v=spf1`, specify authorized sending sources using mechanisms like `ip4:` or `include:`, and conclude with a qualifier such as `-all` (fail) or `~all` (softfail). RFC 7208 clarifies that the `mx` mechanism triggers resolution of MX records and subsequent A record lookups to match client IP addresses. Google's documentation points out that `v=spf1 -all` indicates a domain shouldn't send emails, often used for reserved domains.

Key findings

  • Basic SPF Structure: SPF records include version, mechanisms, and qualifiers.
  • MX Mechanism Processing: The `mx` mechanism in SPF checks involves resolving MX records and performing A record lookups.
  • Disabling Outbound Email: The `v=spf1 -all` setting indicates a domain should not send emails.

Key considerations

  • Understand SPF Syntax: Properly understand the different components and syntax of SPF records.
  • MX Record Resolution: Be aware of how SPF checks handle MX records and related lookups.
  • Using -all Appropriately: Understand the implications of using `v=spf1 -all` for domains that should not send emails.

Technical article

Documentation from RFC 7208 specifies that when an SPF check encounters an `mx` mechanism, it should resolve the MX records for the specified domain and then perform an A record lookup on each resulting hostname to determine if any of the IP addresses match the client's IP address.

March 2022 - RFC 7208
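
The `mx` resolution described in the RFC 7208 entry above, together with the void-lookup counting mentioned earlier on the page, can be traced against a small in-memory zone. This Python is an added example, not code from the RFC or the page; `ZONE`, `lookup` and `check_mx_mechanism` are hypothetical names, the zone data is constructed, and only A records are handled.

```python
import ipaddress

# Constructed zone data using documentation names and addresses (not real DNS).
ZONE = {
    ("example.com", "MX"): ["mx1.example.com", "mx2.example.com"],
    ("mx1.example.com", "A"): ["192.0.2.10"],
    ("mx2.example.com", "A"): ["192.0.2.20", "192.0.2.21"],
    # MX targets that no longer exist: every A lookup below is void.
    ("stale.example", "MX"): ["old1.stale.example", "old2.stale.example",
                              "old3.stale.example"],
}
MAX_VOID = 2  # RFC 7208 section 4.6.4 recommends at most two void lookups


def lookup(name, rtype, stats):
    """Answer from ZONE; an empty answer counts as a void lookup."""
    answers = ZONE.get((name.lower(), rtype), [])
    stats["queries"] += 1
    stats["void"] += 0 if answers else 1
    return answers


def check_mx_mechanism(domain, client_ip):
    """Return (result, stats) for an `mx` mechanism on `domain`.

    Resolve the MX records, then the A records of each exchanger, and
    compare every address with the connecting client's IP.
    """
    stats = {"queries": 0, "void": 0}
    client = ipaddress.ip_address(client_ip)
    for host in lookup(domain, "MX", stats):
        for addr in lookup(host, "A", stats):
            if ipaddress.ip_address(addr) == client:
                return "match", stats
        if stats["void"] > MAX_VOID:
            # Too many empty answers: stop and report a permanent error.
            return "permerror", stats
    return "no-match", stats


if __name__ == "__main__":
    print(check_mx_mechanism("example.com", "192.0.2.21"))
    print(check_mx_mechanism("stale.example", "192.0.2.10"))
```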

Technical article

Documentation from Google Workspace Admin Help mentions that an SPF record with `v=spf1 -all` indicates that no mail should originate from that domain. It's commonly used when a domain is reserved for future use but should not send emails, or it's used only for receiving emails.

November 2024 - Google Workspace Admin Help