mx — SPF Mechanism

The SPF mx mechanism authorises the IPs of your domain's MX records to send email. Learn when it helps and when it's risky.

Type
Mechanism
Syntax
mx[:<domain>][/prefix-length][//ipv6-prefix]
DNS Lookup
Yes — counts toward 10-lookup limit
Example
mx

💬 What This Mechanism Does

The "mx" mechanism passes if the sending IP matches any A/AAAA record for any of the domain's MX hosts. It's shorthand for "the servers that receive my email are also allowed to send it" — which is often true for traditional on-premise mail servers but rarely true for cloud services.

When to Use This

  • On-premise Exchange or Postfix setups where the same server sends and receives
  • Small domains where the single MX host is also the outbound relay

⚠️ Watch Out For

  • Counts as one DNS lookup for the MX query, plus one per MX host (up to 10 total).
  • Modern cloud email (Microsoft 365, Google Workspace) uses different IPs for inbound (MX) vs. outbound — "mx" will NOT authorise cloud outbound senders.
  • If you change your MX records, your SPF pass set changes silently.

📚 RFC References

RFC 7208 §5.4 — The "mx" Mechanism

🔗 Related SPF Elements

a
Mechanism
 ip4
Mechanism
 include
Mechanism

🔧 Validate Your SPF Record

Check whether your current SPF record is valid and covers all your senders.

SPF Checker → ← All SPF Syntax