The short answer is yes, an SPF record can technically contain an include mechanism that points back to its own domain. However, you should absolutely never do this. Doing so creates a recursive loop that will cause your SPF authentication to fail, severely damaging your email deliverability.
First, let's quickly recap what an SPF record is. It's a type of TXT record you publish in your domain's DNS settings. As Kinsta explains, it contains a list of servers authorized to send email on behalf of your domain. The include mechanism is a way to incorporate another domain's SPF record into your own. This is commonly used to authorize third-party sending services.
The Sender Policy Framework has a built-in protection against excessive complexity and potential denial-of-service attacks: a limit of 10 DNS lookups per SPF check. Each time a receiving mail server has to look up a domain name within your SPF record (which happens for mechanisms like a, mx, and, most importantly, include), it counts as one lookup.
When you create an SPF record like v=spf1 include:example.com -all for the domain example.com, you create an infinite loop. Here’s what happens:
A self-referencing SPF record doesn't just fail quietly. It results in what's known as an SPF "PermError," or Permanent Error. This specific error signals to receiving mail servers that your domain's SPF record is misconfigured and cannot be evaluated correctly.
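The loop and the resulting PermError can be reproduced offline. The following is an added example, not code from the original article: a small linter that walks include chains the way a receiver does, enforces the 10-lookup limit, and reports the looping chain. The zone data is constructed, every domain other than example.com is hypothetical, and only the include mechanism is modelled, with the sending IP assumed to match nothing.

```python
# Constructed sample zone data: domain -> published SPF TXT record.
ZONE = {
    "example.com": "v=spf1 include:example.com -all",  # the article's self-reference
    "good.example": "v=spf1 include:_spf.vendor.example ~all",  # hypothetical delegation
    "_spf.vendor.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "a.example": "v=spf1 include:b.example -all",  # indirect loop: a -> b -> a
    "b.example": "v=spf1 include:a.example -all",
}
MAX_LOOKUPS = 10  # limit on DNS-querying terms per SPF check (RFC 7208, 4.6.4)

class PermError(Exception):
    """Raised where a receiver would return the SPF result 'permerror'."""

def includes(record):
    """Return the target domains of the include mechanisms in one record."""
    targets = []
    for term in record.split()[1:]:          # skip the v=spf1 version tag
        term = term.lstrip("+-~?")           # drop the optional qualifier
        if term.lower().startswith("include:"):
            targets.append(term[8:].lower().rstrip("."))
    return targets

def count_lookups(domain, zone, state=None):
    """Follow include chains, counting one DNS lookup per include."""
    state = state if state is not None else {"n": 0}
    for target in includes(zone.get(domain, "v=spf1")):
        state["n"] += 1
        if state["n"] > MAX_LOOKUPS:
            raise PermError(f"more than {MAX_LOOKUPS} DNS lookups")
        count_lookups(target, zone, state)
    return state["n"]

def find_cycle(domain, zone, path=()):
    """Return the include chain that loops back on itself, or None."""
    if domain in path:
        return list(path[path.index(domain):]) + [domain]
    for target in includes(zone.get(domain, "v=spf1")):
        cycle = find_cycle(target, zone, path + (domain,))
        if cycle:
            return cycle
    return None

def lint(domain, zone=ZONE):
    """Return (result, detail, cycle) for one domain's SPF record."""
    cycle = find_cycle(domain, zone)
    try:
        return ("ok", count_lookups(domain, zone), cycle)
    except PermError as err:
        return ("permerror", str(err), cycle)
```

Running `lint("a.example")` shows that the same failure occurs when the loop is indirect, which is harder to spot by reading a single record.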
The consequences of a PermError are severe. Most mail providers, such as Gmail and Microsoft 365, will treat an email that results in a PermError with high suspicion. They may reject the email outright with a bounce message, or they might deliver it directly to the recipient's spam folder. In either case, your legitimate emails will fail to reach the inbox, and your sender reputation will be damaged.
The include mechanism is a powerful and necessary tool for modern email sending. It's designed to delegate sending permissions to other domains. For example, if you use Google Workspace to send your business emails, Google instructs you to add include:_spf.google.com to your SPF record. This tells receiving servers to check Google's SPF record for a list of their authorized sending IPs.
A correct SPF record for a domain sending through Google Workspace would look like this: v=spf1 include:_spf.google.com ~all. Notice that the include points to an external domain, not back to itself.
In summary, while you can technically publish an SPF record with a self-referencing include, it is a critical misconfiguration. It creates an infinite loop, triggers a PermError during SPF validation, and will cause your emails to be rejected or sent to spam. Always ensure your include mechanisms point to valid, external third-party domains as intended by the SPF specification.