When you're setting up email authentication, you'll quickly come across Sender Policy Framework, or SPF. An SPF record is a type of DNS record that declares which mail servers are allowed to send email on behalf of your domain. It’s a foundational part of protecting your domain from being used in phishing and spam campaigns.
An SPF record is made up of different parts, called “mechanisms,” that define these authorized senders. One of the most common questions I get is about the specific mechanism used to reference another domain's SPF policy. The short answer is the include mechanism.
The 'include' mechanism
The include mechanism is fundamental to how modern SPF records work, especially when you use third-party services to send emails (like a marketing platform or a transactional email provider). Instead of adding that provider's specific IP addresses to your record, you simply "include" their SPF record.
When a receiving mail server evaluates your SPF record and encounters an include statement, it performs a new DNS lookup on the included domain. The server then checks the SPF policy of that other domain to see if the sending IP is authorized. If a match is found in the included domain's policy, the SPF check passes.
- Delegation: It allows a domain owner to delegate part of their email sending authority to another domain.
- Maintenance: It simplifies SPF management. If your email provider changes their sending IPs, they update their own SPF record, and you don't have to change anything in yours.
- Syntax: A typical example looks like v=spf1 include:_spf.google.com ~all, which authorizes Google Workspace to send email for the domain.
What about the 'redirect' modifier?
Another mechanism that points to a different domain's SPF record is redirect. However, it functions very differently from include. A redirect is a modifier that tells the receiving server to completely abandon the current SPF check and instead use the SPF policy found at the specified domain.
Think of it as a complete handover. If your SPF record is v=spf1 redirect=suped.com, it means your domain's SPF policy is whatever suped.com's record is. Any other mechanisms in your original record before the redirect are ignored.
Key differences: include vs. redirect
The main distinction is that include is an addition, while redirect is a replacement. You can have multiple include mechanisms in a single SPF record to authorize several services. In contrast, a redirect modifier must be the final term in the record, as it terminates the processing of the current record.
A word of caution: the 10-lookup limit
A critical aspect of using include or redirect is the SPF 10 DNS lookup limit. The SPF specification mandates that no more than 10 DNS lookups are allowed during an SPF evaluation. Every include, redirect, a, and mx mechanism contributes to this count. If your record exceeds this limit, it will result in a permanent error (PermError), and SPF authentication will fail, potentially harming your email deliverability.
What SPF mechanism allows for IP addresses?
What SPF mechanism refers to other SPF records?
What is the purpose of the 'ptr' SPF mechanism?
What SPF mechanism includes the A records of a domain?
What SPF mechanism includes the MX records of a domain?
Does the 'exists' mechanism in SPF check for a record's existence?
