Suped

Is '-all' required in included SPF records if the main record has it?

Summary

Experts, documentation, and marketers overwhelmingly agree that the presence of '-all' in included SPF records is not required if the main SPF record already contains it. The 'include' mechanism serves to authorize external domains, but the ultimate policy decision rests with the main domain's SPF record and its '-all' mechanism. This mechanism dictates how emails are treated if they don't match any other specified criteria, and policy settings are not transferred through includes.

Key findings

  • Main Record's Dominance: The main SPF record's '-all' mechanism is the authoritative source for policy enforcement.
  • Include for Authorization Only: The 'include' mechanism is solely for authorizing external domains, not for transferring or enforcing policy.
  • Policy Mechanism Isolation: The policy mechanisms within included records are irrelevant to the overall SPF evaluation; they do not affect the final outcome.

Key considerations

  • Proper Main Record Configuration: Ensure the main SPF record is meticulously configured with the desired policy and the appropriate '-all' or '~all' mechanism to achieve the intended outcome.
  • Potential for Confusion: While technically correct, the absence of '-all' in included SPF records may lead to confusion among IT personnel or others unfamiliar with SPF intricacies; carefully weigh this against the technical correctness of omitting it.
  • Testing and Validation: Thoroughly test SPF record changes, including those involving 'include' mechanisms, to ensure they function as expected and do not negatively impact email deliverability.

What email marketers say

7 marketer opinions

The consensus from email marketers is that the '-all' mechanism in included SPF records is not required if the main SPF record has it. The primary SPF record dictates the final policy decision, overriding any settings in the included records. The 'include' mechanism essentially delegates the SPF check to another domain, but the main domain's 'all' mechanism determines whether the email is authorized.

Key opinions

  • '-all' Irrelevance: The '-all' mechanism in included SPF records is mostly irrelevant; the main record controls the final outcome.
  • Policy Control: The primary SPF record's 'all' mechanism determines the ultimate policy if a message fails SPF checks.
  • Delegation, Not Policy: The 'include' mechanism delegates the SPF check to another domain, but the primary domain dictates the final result.

Key considerations

  • Main Record Focus: Ensure the main SPF record is correctly configured with the appropriate 'all' mechanism to enforce the desired policy.
  • Included Record Validation: While included records don't require '-all', they must still be valid SPF records to ensure proper delegation.
  • Record Complexity: While technically correct, omitting '-all' in included records can be confusing for some IT personnel; consider the potential for misinterpretation.

Marketer view

Email marketer from Mailhardener explains that using SPF includes allows referencing other SPF records, but the policy (defined by the 'all' mechanism) is determined by the main SPF record. Therefore, included records do not need their own 'all' mechanism.

31 Mar 2023 - Mailhardener

Marketer view

Email marketer from EasyDMARC shares that SPF 'include' statements call other domains to be included in your SPF record. The referenced domain then performs its own checks. The ultimate policy determination is based on the main domain's 'all' mechanism.

14 Aug 2024 - EasyDMARC

What the experts say

4 expert opinions

Experts agree that the presence of '-all' in included SPF records is not required when the main SPF record contains it. The main record's '-all' mechanism dictates the overall policy and how to handle messages that don't match any specified criteria. The 'include' mechanism delegates the authorization to the included record, but the policy enforcement remains with the originating domain. Policy mechanisms don't transfer through includes.

Key opinions

  • Main Record Dominance: The main SPF record's '-all' mechanism controls the final policy decision.
  • Include as Authorization: The 'include' mechanism only handles authorization, not policy enforcement.
  • No Transfer of Policy: Policy settings do not transfer from the included record to the main record.

Key considerations

  • Correct Main Record: Ensure the main SPF record is correctly configured with the intended policy using the '-all' or '~all' mechanism.
  • Clarity and Consistency: While not technically required, the absence of '-all' in included records may cause confusion. Consider the trade-off between technical accuracy and ease of understanding for administrators.

Expert view

Expert from Word to the Wise explains that SPF records are evaluated sequentially. When an include is encountered, the evaluation temporarily shifts to the included record. However, the overall policy enforcement (dictated by the '-all' or '~all' mechanism) remains the responsibility of the originating domain's SPF record. Thus, the presence of '-all' in included records is not required.

23 Nov 2024 - Word to the Wise

Expert view

Expert from Email Geeks explains that "-all" in SPF records is not inherently special but indicates how to treat the evaluation if it reaches that point. Including another SPF record means that if the included record passes, the main record passes. The final "-all" controls the response if nothing else matches in the main record, and there's no requirement for included SPF records to have it.

30 Jul 2024 - Email Geeks

What the documentation says

3 technical articles

Documentation from RFC Editor, dmarcian and Microsoft Learn clarifies that when using the 'include' mechanism in SPF records, the determination of sender policy remains a function of the original domain's SPF record and its 'all' mechanism. The 'all' mechanism in the main record dictates the final result and policy if no other mechanisms match. Includes authorize external hosts but don't transfer policy.

Key findings

  • Policy with Main Record: The determination of sender policy remains with the original domain's SPF record and its 'all' mechanism.
  • All Mechanism Dictates: The 'all' mechanism in the main record dictates the final result and policy.
  • Include for Authorization: Includes authorize external hosts, but don't transfer policy.

Key considerations

  • Ensure Correct 'all' Mechanism: Make sure the main SPF record has the correct 'all' mechanism.
  • Understand 'include' Limitation: Realize that 'include' only authorizes and doesn't transfer policy from the included record.

Technical article

Documentation from RFC Editor explains that with the "include" mechanism, an administratively external set of hosts can be authorized, but determination of sender policy is still a function of the original domain's SPF record (as determined by the "all" mechanism in that record).

9 Oct 2024 - RFC Editor
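
The include behaviour described above, as an added example that is not taken from the cited documentation: a minimal evaluator that handles only the ip4, include and all mechanisms and maps an include's inner result the way RFC 7208 section 5.2 specifies. The domains, records and the `check_host` helper are constructed for illustration.

```python
import ipaddress

# Constructed TXT records (example domains, documentation IP ranges).
RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.esp.example ~all",
    "_spf.esp.example": "v=spf1 ip4:198.51.100.0/24 -all",
    "strict.example": "v=spf1 include:_spf.noall.example -all",
    "_spf.noall.example": "v=spf1 ip4:198.51.100.0/24",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(ip, domain, records=RECORDS, depth=0):
    """Evaluate ip4/include/all only; any other term is a permerror here."""
    record = records.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    if depth > 10:  # simplified stand-in for RFC 7208's DNS lookup limit
        return "permerror"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        name, _, arg = term.lstrip("+-~?").partition(":")
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "include":
            inner = check_host(ip, arg, records, depth + 1)
            if inner in ("temperror", "permerror"):
                return inner
            if inner == "none":
                return "permerror"
            # Only an inner pass is a match. An inner fail, softfail or
            # neutral (e.g. from the included record's own 'all') means
            # "no match", and evaluation continues in the outer record.
            matched = inner == "pass"
        else:
            return "permerror"
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and the record has no 'all'
```

For an unlisted sender, `example.com` returns softfail from its own `~all` even though the included record ends in `-all`, and `strict.example` returns fail even though its included record has no `all` at all.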

Technical article

Documentation from Microsoft Learn explains that the main SPF record includes the final mechanism ('all') which dictates what happens if the message does not match any of the specified IP addresses or domains. Includes only pull in the authorization, not the policy.

4 Sep 2021 - Microsoft Learn
