SPF glossary

What does the a mechanism do in an SPF record?

Samuel Chenard

By Samuel Chenard · CEO & Co-Founder, Palisade · Reviewed July 15, 2026

The a mechanism authorizes the IP addresses in a domain's A (and AAAA) records — bare a means the current domain, so mail from the server your domain name points at passes SPF. It costs one DNS lookup, and it's only worth it when that machine actually sends mail.

a at a glance
Taga (mechanism)
Valid valuesa · a:<domain> · a/<cidr> · a:<domain>/<cidr>
DefaultBare a defaults to the current domain and matches its A/AAAA addresses exactly.
Where it goesBetween v=spf1 and the final all; terms are evaluated left to right, first match wins.

How a works

The a mechanism matches when the sending IP appears in a domain's address records — A records for IPv4, AAAA for IPv6. Bare a means the current domain: if the record is on example.com, it authorizes whatever example.com resolves to. You can point it elsewhere with a:mail.example.com, and widen it with a CIDR suffix like a/24, which matches the whole network around each resolved address.

It costs one DNS lookup against the 10-lookup budget. That's cheap — but only worth paying when the machine behind the address record actually sends mail. The classic legitimate case is a web server that sends its own form notifications or password-reset emails.

The classic illegitimate case is the copy-pasted template. If your domain's A record points at a CDN or a shared web host, a authorizes infrastructure you don't control — on shared hosting, an IP that hundreds of other tenants can also send from.

Correct record vs common mistake

Correct

v=spf1 a include:_spf.google.com -all

Legitimate when the server behind the domain's A record really sends mail — form notifications, password resets.

Common mistake

v=spf1 a mx include:_spf.google.com -all

If the A record points at a CDN or shared web host that never sends mail, the a term burns a lookup and authorizes someone else's shared IP. The same test applies to mx.

Generate your SPF record

Build a correct SPF record for your domain — add your senders, copy the TXT record. Free, no signup.

Who sends email for this domain?

Each service adds its documented include mechanism.

From your provider's docs, e.g. spf.example-esp.com — commas or spaces between multiple. Some services (Klaviyo, HubSpot, Mailchimp Transactional) authenticate through their own CNAME records instead of a shared include — check their DNS settings page.

How should receivers treat everyone else?

Your SPF record

0/10 DNS lookups

Publish as a TXT record at the domain root. One SPF record per domain — if one exists, merge into it instead of adding another.

Host / Name

yourdomain.com (or @)

Value (TXT)

v=spf1 ~all

Record type: TXT · ip4/ip6 mechanisms don't count against the 10-lookup limit.

Nothing is authorized yet — this record would tell receivers that no server may send for your domain. Select your email providers above (or tick the parked-domain option if that's intended).

After you publish

  1. Add the TXT record at your DNS host.
  2. Verify it with the free SPF checker.
  3. SPF alone doesn't stop spoofing — pair it with DKIM and a DMARC policy. Generate one with the DMARC record generator.

Troubleshooting a

IssueLikely causeFix
Form or notification mail from the web server failing SPFThe server sends from an IP that isn't in the domain's A record (NAT, outbound relay)Read the connecting IP from a received header and authorize that address with ip4: instead
SPF results changed after a website migrationThe A record moved to the new host, silently changing what a authorizesDecide whether the new host sends mail at all; if not, remove a and list real senders explicitly
'Too many DNS lookups' on a record with several a: termsEach a: term costs one lookup against the budget of 10Replace stable servers with ip4:/ip6: terms — they cost zero lookups

See this on your own domain

Enter your domain — the check runs instantly on the next page. Free, no signup.

Why it matters for MSPs

One templated a copied across 100+ client records means every tenant whose website sits on shared hosting is authorizing a shared IP that strangers send from — and every tenant behind a CDN is burning a lookup on infrastructure that never sends mail. Template terms need the same per-domain scrutiny as anything else; at fleet scale, cargo-cult is a policy.

Trusted by MSPs

We increased our meetings booked by 21% and slept better at night knowing our emails are now secured
Marc-André CampagnaMarc-André Campagna CEO, gaiia (YC 2021)Read the case study →
Partner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner Logo

Enforce it — don't just monitor it

The question `a` really asks is “does this host send mail at all?” — and the DMARC reports answer it. Palisade shows which sources actually send for each client domain, giving you the evidence to keep `a` where it earns its lookup and drop it where it doesn't, on the way to `p=reject`.

Free 15-day trial · No credit card · Your own domain free forever (NFR)

Frequently asked questions

a authorizes the IPs behind the domain's address (A/AAAA) records — usually the web server. mx authorizes the hosts in its MX records — the inbound mail servers. Both cost lookups, and both are frequently included without a reason.

Yes — when the check runs over IPv6, receivers use the domain's AAAA records. A dual-stack host is covered on both families.

A CIDR suffix: instead of matching each resolved address exactly, it matches the whole /24 network around it. Use it sparingly — wider ranges authorize more than you may intend.

No. If the web server never sends mail, a authorizes a machine that shouldn't send and spends a DNS lookup doing it. List your real senders with include or ip4 instead.

Related terms

What is SPF? Sender Policy Framework explained