
Example DNS Records:

Type: TXT
Hostname: example.com
Value: returns v=spf1 a ~all

Type: A
Hostname: mail.example.com
Value: 1.1.1.1

Type: AAAA
Hostname: mail.example.com
Value: 1000:1:1:1:1:1:0001

Type: MX
Hostname: example.com
Value: mail.example.com

In the example above the SPF record uses the a mechanism. If I understand SPF correctly this means that the mail server will let through mail that comes from the current domain. In this case example.com.

But if I had used mx the mail server would let mail through that comes from any domain with an MX record on this server.

So for a basic setup like this a and mx achieve the same result.

Do I understand that correctly?

myNewAccount

1 Answer

No, your interpretation of the SPF record is wrong. a does not mean "complete domain" but "any a-type record of domain". In your given example only mail from the only given a-record "mail.example.com" would be accepted.

If there were additional entries like:

Type: A
Hostname: example.com
Value: 1.1.1.2

Type: A
Hostname: www.example.com
Value: 1.1.1.3

Type: A
Hostname: www2.example.com
Value: 1.1.1.4

Then mails from example.com (the host, not the domain), www.example.com and www2.example.com would be accepted as well whereas v=spf1 mx would only allow mail from mail.example.com as the only mx record.

The answer is finished here, but I think (from your other question) that you might need some basics in DNS to really understand what's going on.

The internet (and every private network) does not need even a single hostname to work properly. All it needs is addresses to find each node within it. Unfortunately humans don't like numbers like 172.217.23.163 or 10101100110110010001011110100011, as they are very hard to remember. That's (one reason) why we give names to numbers, e.g. www.google.de (yes, the numbers represent one IP assigned to that hostname).

Computers don't know what to do with names, they need addresses. That is what DNS was made for: translate human names to addresses that networks can use.

An a record is one entry in the translation table. It assigns a name (mail.example.com) to an address (1.1.1.1).

In addition there are other entries with special functions: If I want to know where I can send all my mails for something@example.com then I check the entry of type mx for domain example.com (everything behind the @ sign). And I find an entry that can either directly tell me where to send:

Type: MX
Hostname: example.com
Value: 1.1.1.1

Or it tells me a name to look up:

Type: MX
Hostname: example.com
Value: mail.example.com

You might already see where the second one leads us: this is not a valid address... we need to look that up in the a-records to be able to address it.

This probably also answers your question from another comment: why hostname "example.com": because that is what we look for: the mx entry for example.com. If it was Hostname: mail.example.com then we would look up the mail exchanger for the subdomain mail.example.com (all mail addresses like someaddress@mail.example.com), and that might be something totally different...

Tode
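
An added example (not from the question or the answer): a minimal Python evaluator for the a, mx and all mechanisms as RFC 7208 defines them, where a matches the A/AAAA addresses of the domain being checked (or of the name given as a:name) and mx matches the addresses of that domain's MX hosts. The zone data is constructed from the records quoted on this page, and the names check_spf, addresses, QUESTION_ZONE and EXTENDED_ZONE are assumptions of this example.

```python
import ipaddress

# Constructed zone data taken from the records quoted on this page.
# The question's AAAA value is left out because it is not a parseable IPv6 address.
QUESTION_ZONE = {
    ("example.com", "MX"): ["mail.example.com"],
    ("mail.example.com", "A"): ["1.1.1.1"],
}
# The same zone plus the three extra A records listed in the answer.
EXTENDED_ZONE = {
    **QUESTION_ZONE,
    ("example.com", "A"): ["1.1.1.2"],
    ("www.example.com", "A"): ["1.1.1.3"],
    ("www2.example.com", "A"): ["1.1.1.4"],
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def addresses(zone, name, ip):
    """Return the A (or AAAA, for an IPv6 sender) addresses stored for name."""
    rtype = "A" if ip.version == 4 else "AAAA"
    return {ipaddress.ip_address(v) for v in zone.get((name, rtype), [])}

def check_spf(zone, domain, record, sender_ip):
    """Evaluate the a, mx and all mechanisms of an SPF record (subset of RFC 7208)."""
    ip = ipaddress.ip_address(sender_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier = "+"                      # default qualifier is pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, target = term.partition(":")
        target = target or domain            # no ":name" means the checked domain
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech == "a":                    # addresses of the target name itself
            matched = ip in addresses(zone, target, ip)
        elif mech == "mx":                   # addresses of the target's MX hosts
            hosts = zone.get((target, "MX"), [])
            matched = any(ip in addresses(zone, h, ip) for h in hosts)
        else:
            raise ValueError(f"mechanism not covered by this example: {term}")
        if matched:                          # first matching mechanism decides
            return QUALIFIERS[qualifier]
    return "neutral"                         # nothing matched and no "all" term

if __name__ == "__main__":
    for rec in ("v=spf1 a ~all", "v=spf1 mx ~all"):
        print(rec, "->", check_spf(QUESTION_ZONE, "example.com", rec, "1.1.1.1"))
```

To authorize a host other than the domain name itself with a, the record has to name it, as in a:www.example.com.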