When you're setting up your email authentication, you'll quickly come across Sender Policy Framework (SPF). At its core, SPF is a way for you to publicly list which servers are allowed to send email using your domain name. As Kinsta puts it, an SPF record is a DNS TXT record that contains a list of authorized mail servers. This is crucial for protecting your domain from being used for phishing and spam.
Your SPF record uses specific instructions called "mechanisms" to build this list of authorized senders. When you use third-party services to send emails, such as a marketing platform or a transactional email provider, you need a way to authorize them in your SPF record. The most common and effective way to do this is by using the include mechanism.
The include mechanism is essentially a pointer. Instead of listing all the IP addresses of your third-party sender directly in your own SPF record, you simply "include" their SPF record. When a recipient's mail server receives an email from your domain, it checks your SPF record. If it finds an include:thirdparty.com statement, it then performs another DNS lookup on thirdparty.com to check its SPF record. If the sending IP address is authorized in the third party's record, the email passes the SPF check.
This method has several key advantages:
A typical SPF record authorizing Google Workspace and another third-party service might look like this:
v=spf1 include:_spf.google.com include:sendgrid.net ~all
In this example, we are telling receiving mail servers to check the SPF records for both _spf.google.com and sendgrid.net to validate senders. The ~all at the end advises servers to mark as suspicious (SoftFail) any email from sources not listed.
While SPF has other mechanisms like a, mx, and ip4, they are not well-suited for authorizing third parties. The a and mx mechanisms refer to your own domain's records, and ip4 requires you to list static IP addresses, which is impractical for dynamic cloud services. As Sendmarc notes, ip4 is commonly used, but the include mechanism is the one used to authorize third-party providers. In summary, for any third-party email sender, the include mechanism is the correct and standard choice.
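The following is an added example (not code from the original page or from any of the providers named) that walks the lookup chain described above offline. It evaluates the sample record against a sender IP using a constructed, simplified table of TXT records in place of real DNS, and also enforces the RFC 7208 limit of 10 DNS-querying mechanisms, the most common way a chain of include statements breaks in practice:

```python
import ipaddress

# Constructed, offline stand-in for DNS TXT lookups; the prefixes are simplified
# placeholders, not the providers' real published records.
DNS_TXT = {
    "example.com": "v=spf1 include:_spf.google.com include:sendgrid.net ~all",
    "_spf.google.com": "v=spf1 include:_netblocks.google.com ~all",
    "_netblocks.google.com": "v=spf1 ip4:209.85.128.0/17 ip4:74.125.0.0/16 ~all",
    "sendgrid.net": "v=spf1 ip4:167.89.0.0/17 -all",
}
# Constructed over-limit chain: 12 nested includes trips the RFC 7208 10-lookup cap.
for i in range(12):
    DNS_TXT[f"hop{i}.test"] = f"v=spf1 include:hop{i+1}.test -all"

MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4: at most 10 DNS-querying mechanisms per check
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, ip, lookups=None):
    """Evaluate the SPF record of `domain` for sender `ip`.

    Returns (result, dns_lookups_used). Only ip4, include and all are
    implemented; a/mx/exists are reported as permerror to keep the example short.
    """
    lookups = lookups if lookups is not None else [0]  # counter shared across includes
    record = DNS_TXT.get(domain, "")
    if not record.startswith("v=spf1"):
        return "none", lookups[0]
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term.startswith("ip4:"):
            if addr in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIERS[qualifier], lookups[0]
        elif term.startswith("include:"):
            lookups[0] += 1  # each include costs a DNS lookup, recursively
            if lookups[0] > MAX_LOOKUPS:
                return "permerror", lookups[0]
            sub, _ = check_spf(term[8:], ip, lookups)
            if sub in ("permerror", "none"):  # broken or missing included record
                return "permerror", lookups[0]
            if sub == "pass":  # include matches only when the referenced record passes
                return QUALIFIERS[qualifier], lookups[0]
        elif term == "all":
            return QUALIFIERS[qualifier], lookups[0]
        else:
            return "permerror", lookups[0]  # mechanism not supported by this example
    return "neutral", lookups[0]
```

Note that a ~all or -all inside an included record never produces a softfail or fail for your domain; only a pass propagates out of an include, so the final verdict for an unlisted sender comes from your own record's all term.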