mx: SPF Mechanism

The SPF mx mechanism authorises the IPs of your domain's MX records to send email. Learn when it helps and when it's risky.

Type
Mechanism
Syntax
mx[:<domain>][/prefix-length][//ipv6-prefix]
DNS Lookup
Yes (counts toward 10-lookup limit)
Example
mx

💬 What This Mechanism Does

The "mx" mechanism passes if the sending IP matches any A/AAAA record for any of the domain's MX hosts. It's shorthand for "the servers that receive my email are also allowed to send it", which is often true for traditional on-premise mail servers but rarely true for cloud services.

When to Use This

  • On-premise Exchange or Postfix setups where the same server sends and receives
  • Small domains where the single MX host is also the outbound relay

⚠️ Watch Out For

  • Counts as one DNS lookup for the MX query, plus one per MX host (up to 10 total).
  • Modern cloud email (Microsoft 365, Google Workspace) uses different IPs for inbound (MX) vs. outbound. "mx" will NOT authorise cloud outbound senders.
  • If you change your MX records, your SPF pass set changes silently.

📚 RFC References

RFC 7208 §5.4: The "mx" Mechanism

🔗 Related SPF Elements

a
Mechanism
 ip4
Mechanism
 include
Mechanism

🔧 Validate Your SPF Record

Check whether your current SPF record is valid and covers all your senders.

SPF Checker → ← All SPF Syntax