Suped

What SPF mechanism refers to another domain's SPF record?

When you're setting up email authentication, you'll quickly come across Sender Policy Framework, or SPF. An SPF record is a type of DNS record that declares which mail servers are allowed to send email on behalf of your domain. It’s a foundational part of protecting your domain from being used in phishing and spam campaigns.

An SPF record is made up of different parts, called “mechanisms,” that define these authorized senders. One of the most common questions I get is about the specific mechanism used to reference another domain's SPF policy. The short answer is the include mechanism.


The 'include' mechanism

The include mechanism is fundamental to how modern SPF records work, especially when you use third-party services to send emails (like a marketing platform or a transactional email provider). Instead of adding that provider's specific IP addresses to your record, you simply "include" their SPF record.

Spotler says:
include: this mechanism refers to another domain (with an SPF record), but is not 'part of' the original SPF record. Though the name 'include' ...

When a receiving mail server evaluates your SPF record and encounters an include statement, it performs a new DNS lookup on the included domain. The server then checks the SPF policy of that other domain to see if the sending IP is authorized. If a match is found in the included domain's policy, the SPF check passes.

  • Delegation: It allows a domain owner to delegate part of their email sending authority to another domain.
  • Maintenance: It simplifies SPF management. If your email provider changes their sending IPs, they update their own SPF record, and you don't have to change anything in yours.
  • Syntax: A typical example looks like v=spf1 include:_spf.google.com ~all, which authorizes Google Workspace to send email for the domain.

What about the 'redirect' modifier?

Another term that points to a different domain's SPF record is redirect. However, it functions very differently from include. A redirect is a modifier, not a mechanism, and it tells the receiving server to completely abandon the current SPF check and instead use the SPF policy found at the specified domain.

SPF-Record says:
redirect, IP address of the sender is legitimized by the SPF record of another domain ; include, An additional ...

Think of it as a complete handover. If your SPF record is v=spf1 redirect=suped.com, it means your domain's SPF policy is whatever suped.com's record is. Any other mechanisms in your original record before the redirect are ignored.

Key differences: include vs. redirect

The main distinction is that include is an addition, while redirect is a replacement. You can have multiple include mechanisms in a single SPF record to authorize several services. In contrast, a redirect modifier must be the final term in the record, as it terminates the processing of the current record.

A word of caution: the 10-lookup limit

A critical aspect of using include or redirect is the SPF 10 DNS lookup limit. The SPF specification mandates that no more than 10 DNS lookups are allowed during an SPF evaluation. Every include, redirect, a, and mx mechanism contributes to this count. If your record exceeds this limit, it will result in a permanent error (PermError), and SPF authentication will fail, potentially harming your email deliverability.
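To see how nested include terms use up the budget, the following added example (not code from Suped or any SPF library) walks a record and lists every term that costs a DNS lookup. The TXT records are constructed placeholders standing in for live DNS, the count is a static worst case rather than a per-message evaluation, and it also counts ptr and exists, which RFC 7208 includes in the same limit.

```python
import re

LIMIT = 10  # maximum DNS-querying terms per SPF evaluation
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

# Constructed TXT records standing in for live DNS; all names are placeholders.
ZONE = {
    "example.com": "v=spf1 mx include:_spf.mailer.example include:_spf.crm.example ~all",
    "_spf.mailer.example": "v=spf1 include:a.mailer.example include:b.mailer.example ~all",
    "a.mailer.example": "v=spf1 ip4:192.0.2.0/24 ~all",
    "b.mailer.example": "v=spf1 ip4:198.51.100.0/24 a:out.mailer.example ~all",
    "_spf.crm.example": "v=spf1 ip4:203.0.113.0/24 ~all",
    # A record whose nested includes push it over the limit.
    "bloated.example": "v=spf1 a mx include:_spf.mailer.example include:n1.example ~all",
    "n1.example": "v=spf1 a mx exists:%{i}.rbl.example include:n2.example ~all",
    "n2.example": "v=spf1 a mx include:_spf.crm.example ~all",
}


class PermError(Exception):
    """SPF permanent error: the record cannot be evaluated."""


def spf_lookups(domain, zone=ZONE, found=None):
    """List (record owner, term) for every DNS-querying term reachable from domain."""
    found = [] if found is None else found
    record = zone.get(domain, "")
    # A missing record is a PermError for an include/redirect target; this
    # sketch treats the top-level domain the same way for simplicity.
    if record.split()[:1] != ["v=spf1"]:
        raise PermError(f"no SPF record at {domain}")
    for term in record.split()[1:]:
        m = re.match(r"[+\-~?]?([a-z0-9]+)(?:[:=]([^/\s]+))?", term.lower())
        if not m or m.group(1) not in LOOKUP_TERMS:
            continue  # ip4, ip6, all and unknown modifiers need no DNS query
        found.append((domain, term))
        if len(found) > LIMIT:
            raise PermError(f"more than {LIMIT} DNS lookups, reached at {domain}: {term}")
        if m.group(1) in ("include", "redirect"):
            spf_lookups(m.group(2), zone, found)  # follow the referenced record
    return found


if __name__ == "__main__":
    for name in ("example.com", "bloated.example"):
        try:
            print(name, len(spf_lookups(name)), "lookups")
        except PermError as err:
            print(name, "PermError:", err)
```

The top-level record for bloated.example contains only four lookup terms, yet the chain behind its includes reaches an eleventh lookup inside n1.example, which is why auditing only your own record is not enough.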
