Experts, documentation, and marketers overwhelmingly agree that the presence of '-all' in included SPF records is not required if the main SPF record already contains it. The 'include' mechanism serves to authorize external domains, but the ultimate policy decision rests with the main domain's SPF record and its '-all' mechanism. This mechanism dictates how emails are treated if they don't match any other specified criteria, and policy settings are not transferred through includes.
7 marketer opinions
The consensus from email marketers is that the '-all' mechanism in included SPF records is not required if the main SPF record has it. The primary SPF record dictates the final policy decision, overriding any settings in the included records. The 'include' mechanism essentially delegates the SPF check to another domain, but the main domain's 'all' mechanism determines whether the email is authorized.
Marketer view
Email marketer from Mailhardener explains that using SPF includes allows referencing other SPF records, but the policy (defined by the 'all' mechanism) is determined by the main SPF record. Therefore, included records do not need their own 'all' mechanism.
31 Mar 2023 - Mailhardener
Marketer view
Email marketer from EasyDMARC shares that SPF 'include' statements call other domains to be included in your SPF record. The referenced domain then performs its own checks. The ultimate policy determination is based on the main domain's 'all' mechanism.
14 Aug 2024 - EasyDMARC
4 expert opinions
Experts agree that the presence of '-all' in included SPF records is not required when the main SPF record contains it. The main record's '-all' mechanism dictates the overall policy and how to handle messages that don't match any specified criteria. The 'include' mechanism delegates the authorization to the included record, but the policy enforcement remains with the originating domain. Policy mechanisms don't transfer through includes.
Expert view
Expert from Word to the Wise explains that SPF records are evaluated sequentially. When an include is encountered, the evaluation temporarily shifts to the included record. However, the overall policy enforcement (dictated by the '-all' or '~all' mechanism) remains the responsibility of the originating domain's SPF record. Thus, the presence of '-all' in included records is not required.
23 Nov 2024 - Word to the Wise
Expert view
Expert from Email Geeks explains that "-all" in SPF records is not inherently special but indicates how to treat the evaluation if it reaches that point. Including another SPF record means that if the included record passes, the main record passes. The final "-all" controls the response if nothing else matches in the main record, and there's no requirement for included SPF records to have it.
30 Jul 2024 - Email Geeks
3 technical articles
Documentation from RFC Editor, dmarcian and Microsoft Learn clarify that when using the 'include' mechanism in SPF records, the determination of sender policy remains a function of the original domain's SPF record and its 'all' mechanism. The 'all' mechanism in the main record dictates the final result and policy if no other mechanisms match. Includes authorize external hosts but don't transfer policy.
Technical article
Documentation from RFC Editor explains that with the "include" mechanism, an administratively external set of hosts can be authorized, but determination of sender policy is still a function of the original domain's SPF record (as determined by the "all" mechanism in that record).
9 Oct 2024 - RFC Editor
Technical article
Documentation from Microsoft Learn explains that the main SPF record includes the final mechanism ('all') which dictates what happens if the message does not match any of the specified IP addresses or domains. Includes only pull in the authorization, not the policy.
4 Sep 2021 - Microsoft Learn
Can a sender modify SPF records to alter SPF checking behavior?
How can I optimize my SPF record to stay within the lookup limit when using multiple email sending services?
How complex is the SPF spec for building an SPF checking library?
How do I fix the MXtoolbox SPF record DNS lookup limit exceeded error?
How do I properly set up SPF and DKIM records for email marketing, including handling multiple SPF records, IP ranges, bounce capturing, and Google Postmaster Tools verification?
How do I set up an SPF record when using multiple email sending services?