Suped

What are the best practices and considerations for using SPF record redirects?

Summary

SPF redirects offer simplified SPF record management by delegating authority to another domain, aiding in scenarios with shared sending infrastructure and easing administrative burdens. However, the 10 DNS lookup limit, to which redirects contribute, is a critical concern, potentially leading to authentication failures if exceeded. Documentation and experts advise caution, stressing the importance of valid and up-to-date SPF records on the redirected domain, minimizing chained redirects, and using 'include' when appropriate. Proper initial configuration, regular audits, and monitoring of SPF authentication results are essential. It's also highlighted that 'redirect' differs from 'include' and 'CNAME,' influencing SPF resolution differently, and that redirect targets should be controlled domains with carefully configured SPF records. Combining SPF with DKIM is also recommended for optimal email deliverability.

Key findings

  • Simplified Management: SPF redirects simplify management by delegating SPF records.
  • DNS Lookup Limit: Redirects count towards the 10 DNS lookup limit, causing potential authentication issues.
  • Target Domain Importance: A valid SPF record on the redirected domain is critical.
  • Redirection Differences: 'Redirect' differs significantly from 'include' and 'CNAME'.

Key considerations

  • Target Domain Validation: Ensure the redirected domain has a valid SPF record.
  • Minimize Chaining: Reduce chained redirects to avoid the DNS lookup limit.
  • Include vs. Redirect: Consider using 'include' over 'redirect' where applicable.
  • Limit Awareness: Be mindful of the 10 DNS lookup limit.
  • Regular Monitoring: Regularly monitor SPF authentication results.
  • DMARC: Combine SPF with DKIM for strong deliverability and DMARC compliance.
  • Controlled Domains: Only redirect to domains you control.
  • Proper Syntax: Ensure your SPF syntax is valid.

What email marketers say

12 marketer opinions

SPF redirects can simplify SPF record management by delegating it to another domain, especially useful when multiple domains share infrastructure. However, they introduce complexity and potential deliverability issues. A key concern is the DNS lookup limit of 10, which redirects contribute to. Best practices include ensuring the redirected domain has a valid and up-to-date SPF record, minimizing chained redirects, and using 'include' instead when appropriate. Monitoring SPF authentication results after implementing redirects is crucial. Proper initial setup and regular auditing of SPF records are recommended for maintaining optimal deliverability.

Key opinions

  • Management Simplification: SPF redirects allow for easier management of SPF records when multiple domains use the same mail servers.
  • DNS Lookup Limit: SPF redirects count towards the 10 DNS lookup limit, which can cause authentication failures if exceeded.
  • Authentication Delegation: SPF redirects delegate SPF evaluation to another domain.
  • Deliverability Impact: Misconfigured SPF records, particularly with redirects, can negatively impact email deliverability.

Key considerations

  • Valid Redirect Target: Ensure the redirected domain has a valid and up-to-date SPF record.
  • Minimize Chaining: Minimize chained SPF redirects to avoid exceeding the DNS lookup limit.
  • Use 'Include' When Possible: Consider using 'include' instead of 'redirect' when incorporating other domains' SPF records.
  • Monitor Results: Monitor SPF authentication results regularly after implementing redirects.
  • DNS Lookup Count: Ensure the DNS lookup count is under 10, including SPF redirects, to ensure deliverability.
  • Control of Domain: Ensure you control the redirected domain and can manage its SPF records.
  • DMARC Compliance: Ensure SPF and DKIM are properly aligned for DMARC to support deliverability.

Marketer view

Email marketer from EasyDMARC shares that SPF redirects, using the 'redirect=' mechanism, allow a domain to delegate its SPF record to another domain. This is useful when multiple domains use the same mail servers. However, EasyDMARC recommends being cautious as excessive redirects can cause SPF validation to fail due to DNS lookup limits. They advise monitoring SPF authentication results after implementing redirects.

23 Dec 2022 - EasyDMARC

Marketer view

Email marketer from Sendinblue highlights that both SPF and DKIM are crucial for email authentication and deliverability. They recommend implementing both SPF and DKIM, and monitoring their performance regularly. SPF records should be checked for accuracy and compliance with best practices, including avoiding excessive includes and redirects.

7 Aug 2021 - Sendinblue

What the experts say

4 expert opinions

Experts agree that SPF record redirects offer a flexible and appropriate alternative to CNAME records for managing outbound mail IPs without interfering with other domain records. However, they emphasize that 'redirect' is distinct from 'include' and 'CNAME', affecting the SPF resolver's internal state differently. A critical consideration is that redirects count towards the SPF DNS lookup limit of 10, necessitating careful planning to avoid authentication failures.

Key opinions

  • Alternative to CNAME: SPF redirects provide a flexible alternative to CNAME records for managing outbound mail IPs.
  • Distinct from Include/CNAME: 'Redirect' operates differently from 'include' and 'CNAME' in terms of SPF resolution.
  • DNS Lookup Count: SPF redirects contribute to the total DNS lookup count, which has a limit of 10.

Key considerations

  • DNS Limit Awareness: Carefully consider the DNS lookup limit when using SPF redirects.
  • Appropriate Use: Understand when a redirect is more appropriate than an include; include is typically the preferred approach.
  • Internal Resolver State: Consider how redirect changes the SPF resolver's internal state.

Expert view

Expert from Email Geeks explains that SPF record redirects allow the referenced domain to manage IPs for outbound mail without using a CNAME, which can interfere with other records on the domain.

2 May 2022 - Email Geeks

Expert view

Expert from Word to the Wise explains that SPF redirects are indeed counted toward the total DNS lookup count limit of 10. This needs to be carefully considered as part of any SPF record deployment.

10 Dec 2022 - Word to the Wise

What the documentation says

4 technical articles

Documentation emphasizes that while SPF redirects are supported, caution is advised. They delegate SPF evaluation to another domain, making the target domain's SPF record critical. Redirects count towards the 10 DNS lookup limit, potentially causing 'PermError' and deliverability issues if exceeded. Correct syntax, thorough testing, and validation are essential for proper functionality.

Key findings

  • Delegated Evaluation: SPF redirects delegate SPF evaluation to another domain.
  • DNS Lookup Impact: Redirects count towards the 10 DNS lookup limit.
  • Potential Authentication Failures: Misconfiguration or overuse can lead to authentication failures.

Key considerations

  • Target Validation: Ensure the target domain has a valid and correctly configured SPF record.
  • Lookup Limit Awareness: Be mindful of the DNS lookup limit and the impact of redirects.
  • Testing and Validation: Thoroughly test and validate SPF records with redirects.
  • Syntax: Ensure you use the correct syntax when specifying the SPF record.

Technical article

Documentation from Microsoft highlights the 10 DNS lookup limit within an SPF record evaluation. Redirects count towards this limit. If the evaluation exceeds 10 DNS lookups, SPF will return a 'PermError' which might cause email deliverability issues. Careful management of SPF records, especially with redirects, is crucial.

25 Dec 2024 - Microsoft Learn

Technical article

Documentation from RFC 7208 specifies that the 'redirect' modifier causes SPF evaluation to restart using the SPF record of the domain specified in the redirect. The result of evaluating the redirected domain becomes the result of the current SPF evaluation. It notes that redirects count towards the DNS lookup limit and can impact performance if overused or chained excessively.

25 Mar 2025 - RFC Editor
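
A static audit of the lookup budget described in the summaries above, as an added example (not code from Suped or any cited source). It walks 'include' and 'redirect' targets in a constructed zone, counts the DNS-querying terms RFC 7208 names (include, a, mx, ptr, exists, redirect) in the worst case, and applies two RFC 7208 rules: a redirect target with no SPF record gives permerror, and 'redirect' is ignored when the record contains 'all'. All domains and records are made up; macros and the void-lookup limit are not modelled.

```python
LIMIT = 10  # RFC 7208 section 4.6.4: cap on DNS-querying terms per evaluation
LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists"}
# Constructed TXT data for illustration; not real published records.
ZONE = {
    "brand-a.example": "v=spf1 redirect=_spf.shared.example",
    "_spf.shared.example": "v=spf1 ip4:192.0.2.0/24 include:esp.example mx -all",
    "esp.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    "orphan.example": "v=spf1 redirect=missing.example",
    "mixed.example": "v=spf1 mx -all redirect=_spf.shared.example",
}
for i in range(11):  # chained redirects: hop0 -> hop1 -> ... -> hop11
    ZONE[f"hop{i}.example"] = f"v=spf1 redirect=hop{i + 1}.example"
ZONE["hop11.example"] = "v=spf1 -all"

class PermError(Exception):
    """Permanent SPF error: over the limit or a missing target record."""

def _walk(domain, zone, state):
    terms = zone.get(domain, "").lower().split()
    if not terms or terms[0] != "v=spf1":
        raise PermError(f"no SPF record at {domain}")
    names = [t.lstrip("+-~?") for t in terms[1:]]
    has_all = "all" in names
    for name in names:
        mech = name.split(":")[0].split("/")[0]
        is_redirect = name.startswith("redirect=")
        if is_redirect and has_all:
            state["notes"].append(f"{domain}: redirect ignored, 'all' present")
            continue
        if not (is_redirect or mech in LOOKUP_MECHS):
            continue  # ip4, ip6, all and exp= do not count toward the limit
        state["lookups"] += 1
        if state["lookups"] > LIMIT:
            raise PermError(f"more than {LIMIT} DNS lookups at {domain}")
        target = name.partition("=" if is_redirect else ":")[2]
        if is_redirect or mech == "include":
            _walk(target, zone, state)  # nested record shares the same budget

def audit(domain, zone=ZONE):
    """Worst-case static walk; returns (result, lookups, notes)."""
    state = {"lookups": 0, "notes": []}
    if not zone.get(domain, "").lower().startswith("v=spf1"):
        return ("none", 0, state["notes"])
    try:
        _walk(domain, zone, state)
    except PermError as err:
        return ("permerror", state["lookups"], state["notes"] + [str(err)])
    return ("ok", state["lookups"], state["notes"])
```

Calling audit("hop1.example") lands exactly on the limit with 10 lookups, while audit("hop0.example") adds one more redirect and returns permerror.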
