Static IP on Cellular Failover: Complete DNS Setup for Email Deliverability

By Miscellaneous
Static IP on Cellular Failover: Complete DNS Setup for Email Deliverability

If your business relies on email for customer communication, order confirmations, or internal operations, a disruption to your primary internet connection can create a problem you might not immediately think about: your emails start landing in spam folders or getting rejected altogether.

The reason is simpler than it sounds. When your network fails over to a cellular backup connection, you are likely switching to a dynamic IP address, and that dynamic IP carries no email reputation. Receiving mail servers do not trust it. The result is that legitimate business email gets treated like spam.

A static IP address on your cellular failover connection solves this problem at the source. Combined with the right DNS configuration, it lets you maintain consistent email deliverability even while your primary connection is down. This post builds on our original 2023 guide and walks you through the full DNS setup, including SPF, DKIM, and DMARC records, for the most common DNS providers.

Why a Static IP Makes All the Difference

Every email your server sends carries the IP address of the connection it went out on. Recipient mail servers check that IP against several things: reputation databases, spam blacklists, and your own DNS records. When your office fails over to a cellular connection with a dynamic IP, a few things go wrong at once.

First, dynamic IP addresses from cellular carriers are frequently listed on IP reputation databases because they are shared across thousands of consumers, some of whom have sent spam. Second, your SPF record, which tells recipient servers which IPs are authorized to send email on your behalf, does not include a random dynamic IP. Third, with no consistent history on that IP, there is zero sender reputation to rely on.

A static IP from your cellular carrier solves all three issues. You control the address, you can add it to your SPF record, and over time it builds its own sending reputation that travels with your failover connection.

If you are looking for routers that support failover with static IP configurations from cellular carriers, we carry a full selection at 5Gstore. Contact our team at 5gstore.com/site/contact_us if you need help choosing the right hardware.

The Three DNS Records That Govern Email Authentication

Before getting into provider-specific steps, it helps to understand the three DNS record types you will be configuring and what each one does.

SPF (Sender Policy Framework) is a TXT record that lists every IP address and mail service authorized to send email from your domain. When your email goes out, the receiving server looks up your SPF record and checks whether the sending IP is on your approved list. If you fail SPF, the email is far more likely to be rejected or flagged. Adding your static cellular IP to your SPF record is the most critical step in this entire process.

DKIM (DomainKeys Identified Mail) is a cryptographic signature attached to every outgoing email. Your mail server signs each message with a private key, and a public key stored as a DNS TXT record lets receiving servers verify that the message was not altered in transit and genuinely came from your domain. DKIM does not depend on IP address, so it survives failover without changes, but it still needs to be configured correctly.

DMARC (Domain-based Message Authentication, Reporting, and Conformance) ties SPF and DKIM together and tells receiving servers what to do when a message fails either check. It also enables reporting, so you receive aggregate data about who is sending email using your domain name. Starting in February 2024, Google and Yahoo began requiring SPF, DKIM, and at least a basic DMARC policy for senders who send more than 5,000 messages per day. Microsoft followed with similar requirements for Outlook.com in 2025. Even for lower-volume senders, having all three configured is now considered baseline practice.

What Your SPF Record Needs to Include

Your SPF record will typically look something like this:

v=spf1 include:_spf.google.com ip4:203.0.113.45 -all

Breaking that down: v=spf1 identifies this as an SPF record. include:_spf.google.com authorizes Google Workspace to send on your behalf. ip4:203.0.113.45 is where you add your static cellular IP address. -all tells receiving servers to reject any email that does not match.

If you use a hosted email service like Microsoft 365, the include reference changes:

v=spf1 include:spf.protection.outlook.com ip4:YOUR.STATIC.IP.HERE -all

If you send through multiple services (your mail server, a marketing platform, a ticketing system), you can chain multiple include references. Keep in mind that SPF has a hard limit of 10 DNS lookups. If you exceed that limit, the record fails. Consolidate where you can.

Never create two SPF records for the same domain. Only one SPF TXT record is allowed at the root of your domain. If you need to add another service, edit the existing record rather than creating a new one.

Step-by-Step DNS Configuration by Provider

The record values themselves are the same regardless of which DNS provider you use. What differs is where you find the DNS settings and what the interface looks like. The instructions below cover the most common providers.

Cloudflare

Cloudflare is one of the most common DNS providers and also has built-in DMARC management tools.

Adding or editing your SPF record:

  1. Log in to the Cloudflare dashboard and select your account and domain.
  2. Go to DNS and then Records.
  3. Click Add record.
  4. Set Type to TXT.
  5. Set Name to @ (which represents your root domain).
  6. In the Content field, enter your SPF string (for example: v=spf1 include:_spf.google.com ip4:YOUR.STATIC.IP -all).
  7. Leave TTL on Auto and click Save.

If an SPF record already exists at @, click Edit on that record and add ip4:YOUR.STATIC.IP before the -all at the end. Do not create a second SPF record.

Adding a DKIM record:

Your email provider generates the DKIM TXT record value for you. The name will be something like google._domainkey or mail._domainkey depending on your provider.

  1. In DNS Records, click Add record.
  2. Set Type to TXT.
  3. Set Name to the selector your provider gave you (for example: google._domainkey).
  4. Paste the full TXT value from your email provider into the Content field.
  5. Save.

Adding a DMARC record:

Cloudflare also has a dedicated DMARC Management section under Email if you prefer a guided setup. To add it manually:

  1. Add record, Type = TXT.
  2. Name = _dmarc
  3. Content = v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com

Start with p=none so you can collect reports without affecting delivery. Once you have reviewed reports and confirmed all legitimate sources are passing, move to p=quarantine and eventually p=reject.

GoDaddy

  1. Log in to your GoDaddy account and go to My Products, then Domains.
  2. Select the domain you want to configure and click Manage DNS.
  3. To add or edit your SPF record, look for an existing TXT record at the @ host. If one exists, click the pencil/edit icon and add ip4:YOUR.STATIC.IP before the -all. If none exists, click Add and set Type to TXT, Host to @, and paste your full SPF string in the TXT Value field.
  4. For DKIM, click Add, Type = TXT, Host = your selector (e.g., google._domainkey), and paste the full DKIM value.
  5. For DMARC, click Add, Type = TXT, Host = _dmarc, Value = v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com.
  6. Set TTL to 1 hour and save each record.

GoDaddy may take a few minutes to apply changes in the interface. DNS propagation to the wider internet typically happens within a few hours.

Namecheap

  1. Log in to your Namecheap account and go to Domain List.
  2. Click Manage next to the domain you want to configure.
  3. Click the Advanced DNS tab.
  4. In the Host Records section, click Add New Record.
  5. For SPF: Type = TXT Record, Host = @, Value = your SPF string. Click the checkmark to save.
  6. For DKIM: Type = TXT Record, Host = your selector without the domain (for example, google._domainkey), Value = the full DKIM TXT value from your email provider.
  7. For DMARC: Type = TXT Record, Host = _dmarc, Value = v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com.

One important Namecheap note: do not include your domain name in the Host field. If you need a record at _dmarc.yourdomain.com, enter only _dmarc in the Host field. Namecheap appends the domain automatically.

Amazon Route 53

Route 53 is common for businesses running infrastructure on AWS.

  1. Log in to the AWS Console and navigate to Route 53.
  2. Click Hosted Zones and select your domain.
  3. Click Create record.
  4. For SPF: Record type = TXT, Record name = leave blank (for root) or enter @, Value = your full SPF string enclosed in quotation marks (Route 53 requires TXT values to be quoted). Click Create records.
  5. For DKIM: Record name = your selector (e.g., google._domainkey), Type = TXT, Value = the DKIM public key string from your email provider, in quotes.
  6. For DMARC: Record name = _dmarc, Type = TXT, Value = "v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com" in quotes.

Route 53 propagates changes quickly, often within minutes, because it uses Anycast DNS. However, recursive resolvers that have cached your old records may take up to the TTL duration to reflect changes.

Microsoft Azure DNS

If you are hosting DNS in Azure, the process is similar to Route 53.

  1. In the Azure portal, navigate to DNS Zones and select your domain.
  2. Click + Record set.
  3. For SPF: Name = @, Type = TXT, and add your SPF string as a value in the TXT Records section.
  4. For DKIM: Name = your selector (e.g., google._domainkey), Type = TXT, paste your DKIM value.
  5. For DMARC: Name = _dmarc, Type = TXT, value = v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com.

Verifying Your Records

After making DNS changes, wait at least 15-30 minutes before testing, and up to 48 hours for full propagation to all resolvers.

MXToolbox (mxtoolbox.com) is the most widely used tool for checking all three records. Enter your domain into the SPF, DKIM, and DMARC lookup tools and verify there are no errors.

Google Admin Toolbox (toolbox.googleapps.com/apps/checkmx/) can check your MX, SPF, DKIM, and DMARC records from Google’s perspective, which is especially useful if deliverability to Gmail is a concern.

Mail-tester.com lets you send a test email and receive a score that reflects your authentication setup, IP reputation, and other factors. A score of 9 or above is your target.

To test specifically that your static cellular IP is properly included in your SPF record, use an SPF checker like the one at MXToolbox and look for your static IP in the list of authorized sources.

Testing Failover Scenarios

Configuring the records is half the work. The other half is confirming that email delivery holds up when failover actually happens.

Set up a test by deliberately disconnecting your primary internet connection or shifting your router into failover mode if it supports manual simulation. Then send a test email from your mail server to an external account on Gmail, Outlook, and Yahoo. Check not just whether the email arrives, but whether it lands in the inbox or spam folder.

Many cellular routers from Peplink, Cradlepoint, and Teltonika include failover simulation modes in their admin interfaces. If yours does not, disconnecting your WAN cable is a reliable way to trigger a failover test. Once your cellular link is active, confirm in your router’s status page that the static IP address is the one assigned to the WAN interface. That is the IP your outbound email will carry.

If emails go to spam during failover, the most common culprits are an SPF record that does not include the static IP, a DMARC policy that is set too aggressively before your records are fully working, or a cellular IP that appears on a shared blacklist. Run each through MXToolbox and address issues one at a time.

5Gstore Take

A static IP on your cellular failover connection is not just a networking convenience. It is a business continuity requirement for any organization that depends on email. The SPF, DKIM, and DMARC configuration steps above are a one-time investment that pays dividends every time your primary connection goes down.

If you need help selecting a cellular router with static IP support from a carrier, or if you are evaluating failover hardware for your business, our team is ready to help. Contact us at 5gstore.com/site/contact_us and we will match you with the right equipment and data plan for your situation.

Frequently Asked Questions

Do I need a static IP if I only use cellular as a backup?

Yes, especially if email runs through your internet connection rather than a dedicated cloud service. When failover occurs, your outbound email will carry whatever IP your cellular connection assigns. If it is dynamic, email deliverability is unpredictable. A static IP ensures your SPF record remains valid during any failover event.

Can I just use a cloud email service to avoid this problem?

Cloud services like Google Workspace and Microsoft 365 route email through their own infrastructure, so your office’s internet IP is not the sending IP. If all your email goes through one of those services, failover IP changes are less of a concern. However, SPF, DKIM, and DMARC are still required for those services, and any on-premise mail server or application that sends email directly needs the static IP approach described here.

How long do DNS changes take to propagate?

Most changes are visible to major resolvers within 30 minutes to a few hours. Full global propagation can take up to 48 hours in rare cases where TTL values are long. Set your TTL to 3600 seconds (1 hour) or lower if you anticipate needing to make future adjustments quickly.

What is the difference between p=none, p=quarantine, and p=reject in DMARC?

With p=none, failing messages are delivered normally but you receive reports. With p=quarantine, failing messages go to the spam folder. With p=reject, failing messages are refused by the recipient server outright. Always start with p=none, analyze your reports for 30 to 60 days, and only move to stricter enforcement once you are confident all legitimate sending sources pass SPF or DKIM alignment.

Which cellular carriers offer static IP for business plans?

Verizon, AT&T, and T-Mobile all offer static IP add-ons for business data plans. The availability and pricing vary by plan tier and device. Our team at 5Gstore can advise on which carriers and plans include static IP support for the hardware you are using.

Can I have multiple static IPs in my SPF record?

Yes. You can list multiple ip4: entries for IPv4 addresses or ip6: entries for IPv6. Each one should be its own separate entry in the record: v=spf1 ip4:203.0.113.10 ip4:198.51.100.25 include:_spf.google.com -all. Just watch your total DNS lookup count and stay under the limit of 10.


Related Posts:

About the Author

Michael Ginsberg is the founder of 5Gstore.com, a trusted source for cellular routers and failover networking solutions since 2005. With a background in software and networking dating back to 1988, he writes about cellular connectivity, IoT infrastructure, network security, and fleet management. Connect with Michael on LinkedIn or reach the 5Gstore team through our contact page.

Related posts:

  1. Should You Use Google (8.8.8.8) or Cloudflare (1.1.1.1) DNS on Your Network
  2. Protecting Against DNS Vulnerabilities: Strategies and Best Practices
  3. DNS: Navigating the Internet’s Address Book
  4. Why having a Static IP Address on your cellular failover improves email deliverability
, ,