by wahern 2164 days ago
Most of the mechanisms (a, ip4, ip6, mx, and ptr) effectively resolve to one or more IP addresses which are then matched against the sender IP address. The "mx" mechanism will query the MX records for the envelope (MAIL FROM) sender domain, query the A records for every MX record, and then try to match all those resolved IP addresses to the sender IP address. If one of the IP addresses matches, then the mechanism's action qualifier is applied, short-circuiting further resolution. As the default qualifier is "+" (pass), a match on "mx" (i.e. "+mx") means to accept the message.

If your MX hosts are the only permissible outbound hosts, and the inbound and outbound IP addresses are the same, then the "mx" mechanism is all you need. The very purpose of the "mx" mechanism and most others is to avoid having to hardcode IP addresses in your policy.
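As an added illustration (my code, not from the thread), a minimal SPF evaluator that implements the "mx", "ip4" and "all" mechanisms exactly as described above: MX lookup on the MAIL FROM domain, A lookup on each MX host, match against the sender IP, first match short-circuits with its qualifier. DNS is replaced by a constructed stub table (example.org, its two MX hosts and every address are made up), so it runs offline and shows that a record like "v=spf1 mx -all" needs no literal address to evaluate.

```python
import ipaddress

# Constructed stub DNS standing in for real lookups: (name, rrtype) -> record data.
STUB_DNS = {
    ("example.org", "MX"): ["10 mx1.example.org", "20 mx2.example.org"],
    ("mx1.example.org", "A"): ["198.51.100.10"],
    ("mx2.example.org", "A"): ["198.51.100.20"],
}

def lookup(name, rrtype):
    return STUB_DNS.get((name.lower(), rrtype), [])

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def mx_addresses(domain):
    """'mx' mechanism: every A record of every MX host of `domain` (IPv4 only here)."""
    addrs = []
    for rr in lookup(domain, "MX"):
        _priority, host = rr.split()
        addrs += [ipaddress.ip_address(a) for a in lookup(host, "A")]
    return addrs  # empty list if the domain publishes no MX -> mechanism cannot match

def check_host(sender_ip, domain, record):
    """Evaluate a simplified SPF record (v=spf1 with mx/ip4/all) for one sending IP."""
    ip = ipaddress.ip_address(sender_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # not an SPF record at all
    for term in terms[1:]:
        qualifier = "+"  # default qualifier is "+" (pass)
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name == "mx":
            matched = ip in mx_addresses(arg or domain)  # "mx" alone means the sender domain
        elif name == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)  # bare address == /32
        else:
            return "permerror"  # other mechanisms are outside this example
        if matched:
            return QUALIFIERS[qualifier]  # first match wins, no further resolution
    return "neutral"  # nothing matched and no "all": SPF's default result
```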

1 comment

Yes, but as a matter of syntax, don’t you have to specify the IP address? What is the mx referring to in your example?

v=spf1 ip4:198.51.100.123 ~all

I think the ptr mechanism’s deprecated.

Anyway, if you’re correct that a valid and complete spf record can be published without an IP address, IP address block, or included hosts, then I’ve learned something new today.

So you are saying that v=spf1 mx -all is a valid and complete spf record?