SPF glossary
What does the a mechanism do in an SPF record?

By Samuel Chenard · CEO & Co-Founder, Palisade · Reviewed July 15, 2026
The a mechanism authorizes the IP addresses in a domain's A (and AAAA) records — bare a means the current domain, so mail from the server your domain name points at passes SPF. It costs one DNS lookup, and it's only worth it when that machine actually sends mail.
a at a glance | |
|---|---|
| Tag | a (mechanism) |
| Valid values | a · a:<domain> · a/<cidr> · a:<domain>/<cidr> |
| Default | Bare a defaults to the current domain and matches its A/AAAA addresses exactly. |
| Where it goes | Between v=spf1 and the final all; terms are evaluated left to right, first match wins. |
How a works
The a mechanism matches when the sending IP appears in a domain's address records — A records for IPv4, AAAA for IPv6. Bare a means the current domain: if the record is on example.com, it authorizes whatever example.com resolves to. You can point it elsewhere with a:mail.example.com, and widen it with a CIDR suffix like a/24, which matches the whole network around each resolved address.
It costs one DNS lookup against the 10-lookup budget. That's cheap — but only worth paying when the machine behind the address record actually sends mail. The classic legitimate case is a web server that sends its own form notifications or password-reset emails.
The classic illegitimate case is the copy-pasted template. If your domain's A record points at a CDN or a shared web host, a authorizes infrastructure you don't control — on shared hosting, an IP that hundreds of other tenants can also send from.
Correct record vs common mistake
Correct
v=spf1 a include:_spf.google.com -allLegitimate when the server behind the domain's A record really sends mail — form notifications, password resets.
Common mistake
v=spf1 a mx include:_spf.google.com -allIf the A record points at a CDN or shared web host that never sends mail, the a term burns a lookup and authorizes someone else's shared IP. The same test applies to mx.
Generate your SPF record
Build a correct SPF record for your domain — add your senders, copy the TXT record. Free, no signup.
Who sends email for this domain?
Each service adds its documented include mechanism.
From your provider's docs, e.g. spf.example-esp.com — commas or spaces between multiple. Some services (Klaviyo, HubSpot, Mailchimp Transactional) authenticate through their own CNAME records instead of a shared include — check their DNS settings page.
How should receivers treat everyone else?
Your SPF record
0/10 DNS lookupsPublish as a TXT record at the domain root. One SPF record per domain — if one exists, merge into it instead of adding another.
yourdomain.com (or @)
v=spf1 ~all
Record type: TXT · ip4/ip6 mechanisms don't count against the 10-lookup limit.
After you publish
- Add the TXT record at your DNS host.
- Verify it with the free SPF checker.
- SPF alone doesn't stop spoofing — pair it with DKIM and a DMARC policy. Generate one with the DMARC record generator.
Troubleshooting a
| Issue | Likely cause | Fix |
|---|---|---|
| Form or notification mail from the web server failing SPF | The server sends from an IP that isn't in the domain's A record (NAT, outbound relay) | Read the connecting IP from a received header and authorize that address with ip4: instead |
| SPF results changed after a website migration | The A record moved to the new host, silently changing what a authorizes | Decide whether the new host sends mail at all; if not, remove a and list real senders explicitly |
| 'Too many DNS lookups' on a record with several a: terms | Each a: term costs one lookup against the budget of 10 | Replace stable servers with ip4:/ip6: terms — they cost zero lookups |
See this on your own domain
Enter your domain — the check runs instantly on the next page. Free, no signup.
Why it matters for MSPs
One templated a copied across 100+ client records means every tenant whose website sits on shared hosting is authorizing a shared IP that strangers send from — and every tenant behind a CDN is burning a lookup on infrastructure that never sends mail. Template terms need the same per-domain scrutiny as anything else; at fleet scale, cargo-cult is a policy.
Trusted by MSPs
“We increased our meetings booked by 21% and slept better at night knowing our emails are now secured”
Marc-André Campagna — CEO, gaiia (YC 2021)Read the case study →

































Enforce it — don't just monitor it
The question `a` really asks is “does this host send mail at all?” — and the DMARC reports answer it. Palisade shows which sources actually send for each client domain, giving you the evidence to keep `a` where it earns its lookup and drop it where it doesn't, on the way to `p=reject`.
Free 15-day trial · No credit card · Your own domain free forever (NFR)