What is the best practice for using IP addresses in SPF records?
Summary
What email marketers say (8 marketer opinions)
Email marketer from Reddit suggests limiting the number of IP addresses listed directly in your SPF record and using CIDR notation where appropriate to reduce the number of entries and avoid exceeding lookup limits.
Email marketer from Stack Overflow explains that using 'include:' mechanisms is better for scalability and maintainability. If a third-party service changes their IP addresses, you don't need to update your SPF record, as their 'include:' record will reflect the changes.
Email marketer from EasyDMARC shares that using IP addresses can be useful for small setups, but as infrastructure grows, the 'include:' mechanism becomes more manageable. They also highlight potential maintenance overhead with IP addresses.
Email marketer from Mailjet recommends using the 'include:' mechanism for third-party services whenever possible, instead of directly listing their IP addresses, because it simplifies SPF record maintenance. It is also important to remember that too many lookups can cause SPF to fail.
Email marketer from Sendlayers notes that while directly listing IP addresses is simpler for smaller organizations, using the include mechanism to reference the SPF records of other domains is the best practice to use when you want to ensure deliverability.
Marketer from Email Geeks shares that the intent might not be to authorize the MX servers for their domain to send email and that it could be they only want to authorize the IP addresses to send outbound mail, and it'd be worth asking their intent as MX servers are often for inbound mail and not outbound.
Email marketer from EmailSecurityATP shares that SPF records have a limit of 10 DNS lookups. Including numerous IP addresses can lead to exceeding this limit, causing SPF failures. The use of 'include:' mechanisms is preferable for managing external services.
Email marketer from URIports talks about using SPF Flattening. To remove the complexity and overhead of DNS lookups, SPF flattening can be employed. This method resolves all includes and IPs into a single record, eliminating nested lookups and keeping the record concise.
What the experts say (4 expert opinions)
Expert from Email Geeks explains that any marketing mail through an ESP should have its own subdomain for SPF even if the 5322.from is the bare domain.
Expert from Word to the Wise answers that if you have more than a handful of IP addresses, it’s generally better to use an 'include:' statement for a domain that lists the addresses, rather than listing them directly as SPF records have limits.
Expert from Spamresource.com mentions that it's best practice to consider migrating to a system which does not use IP addresses directly, and that using include or domains that dynamically update IP addresses on a continual basis is much easier to maintain than fixed IP addresses.
Expert from Email Geeks explains that using IPs in SPF records is pretty normal and it does mean you don’t use a DNS lookup slot.
What the documentation says (3 technical articles)
Documentation from Google Workspace Admin Help explains that the ip4: and ip6: mechanisms specify authorized IPv4 and IPv6 addresses. These mechanisms should be used sparingly and carefully due to SPF's DNS lookup limits.
Documentation from Microsoft Learn shares that while using IP addresses directly in SPF records is possible, it's generally better to use the 'include:' mechanism referring to domain names instead, as it provides more flexibility and avoids exceeding the SPF record's lookup limits, also noting the 10 DNS lookup limit.
Documentation from DMARC.org emphasizes the importance of staying within the SPF record's 10 DNS lookup limit and suggests using IP addresses cautiously and considering the 'include:' mechanism when possible.
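
The 10-lookup limit, and the expert's point that a literal IP entry does not use a DNS lookup slot, can be checked mechanically. The following is an added example, not code from any of the sources quoted above: it walks a record and its nested includes and counts the terms that RFC 7208 section 4.6.4 treats as DNS-querying. The zone contents, domain names and the `audit` and `over_limit` functions are assumptions made for illustration.

```python
import re

LOOKUP_LIMIT = 10  # RFC 7208 section 4.6.4: max DNS-querying terms per SPF check
QUERYING = {"include", "a", "mx", "ptr", "exists", "redirect"}

# Constructed sample data standing in for DNS: domain -> SPF TXT record.
# Every name and address here is a placeholder.
ZONE = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 mx "
                   "include:_spf.esp.example include:_spf.crm.example -all",
    "_spf.esp.example": "v=spf1 include:_a.esp.example include:_b.esp.example ~all",
    "_a.esp.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    "_b.esp.example": "v=spf1 ip4:203.0.113.0/25 a:out.esp.example ~all",
    "_spf.crm.example": "v=spf1 ip4:203.0.113.128/25 ~all",
}

def audit(domain, zone, path=()):
    """Return (dns_lookups, ip_terms) for the SPF record of `domain`.

    Macros and void-lookup limits are not modelled; a missing record is
    treated as empty (the lookup that fetched it has already been counted).
    """
    if domain in path:                       # include loop: stop recursing
        return 0, []
    lookups, ips = 0, []
    for term in zone.get(domain, "").split()[1:]:    # skip "v=spf1"
        term = term.lstrip("+-~?")                   # drop the qualifier
        name, _, arg = re.match(r"([a-z0-9]+)([:=/]?)(.*)", term, re.I).groups()
        name = name.lower()
        if name in ("ip4", "ip6"):
            ips.append(term)                 # literal address: no DNS query
        elif name in QUERYING:
            lookups += 1
            if name in ("include", "redirect"):      # these pull in another record
                sub_lookups, sub_ips = audit(arg, zone, path + (domain,))
                lookups += sub_lookups
                ips += sub_ips
    return lookups, ips

def over_limit(domain, zone):
    """True when evaluating the record would exceed the 10-lookup limit."""
    return audit(domain, zone)[0] > LOOKUP_LIMIT

if __name__ == "__main__":
    n, ips = audit("example.com", ZONE)
    print(f"{n}/{LOOKUP_LIMIT} lookups; literal IP terms: {ips}")
```

The list of literal IP terms returned alongside the count is the part of the policy that a flattened record would carry directly, at the cost of having to be regenerated whenever an included provider changes its ranges.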