Is '-all' required in included SPF records if the main record has it?

Key findings

• Policy enforcement: The all mechanism, such as -all or ~all, only applies to the main SPF record of a domain and dictates the outcome if no other mechanisms match. It does not transfer to included SPF records.
• Included records' role: If an include mechanism in your main SPF record passes, the overall SPF check for your domain passes. If the included record fails or runs out of mechanisms, the evaluation returns to your main record to continue processing.
• No redundancy needed: There is no technical requirement for SPF records that are solely intended to be included by other domains to contain their own all mechanism.
• Deliverability impact: The absence of -all in an included record does not negatively impact email deliverability, provided the main domain's SPF record has a proper policy mechanism (e.g., -all or ~all). More on SPF all qualifiers can be found in our detailed guide.

Key considerations

• IT team confusion: IT professionals may mistakenly believe that all SPF records, including those used for includes, must end with an -all mechanism. This often stems from a general misunderstanding of how SPF evaluation paths work.
• Vendor inconsistency: Some ESPs or service providers may include -all in their included SPF records, which is harmless but unnecessary. This can lead to confusion when other vendors correctly omit it.
• Documentation reliance: It is crucial to refer to authoritative sources like the SPF RFC to understand the precise mechanics of SPF record evaluation. The AutoSPF site provides further clarification on the all tag.
• Avoiding DNS lookup limits: Understanding how include mechanisms work is vital for managing DNS lookup limits. Each include can contribute to the 10-lookup limit, regardless of whether the included record has an all mechanism.

Key opinions

• Initial confusion: Marketers frequently question the necessity of an -all mechanism in SPF records included by their main domain's SPF, particularly if their IT team raises concerns about its absence.
• Vendor discrepancies: Observations that some email service providers (ESPs) include -all in their published SPF records (which are then included by client domains), while others do not, add to the uncertainty among marketers regarding best practices.
• Seeking confirmation: There's a strong desire among marketers for clear, authoritative confirmation that the parent SPF record's -all mechanism is sufficient, making its presence in included child records unnecessary.
• Impact on deliverability: Concerns arise about potential deliverability issues if the IT team perceives a misconfiguration due to the absence of -all in included SPF records.

Key considerations

• Communicating technicalities: Marketers need reliable resources to explain complex SPF concepts, like how include mechanisms function without requiring an all mechanism within the included record, to their IT counterparts effectively.
• Trust in ESP instructions: When an ESP provides specific instructions for SPF records, marketers face the challenge of ensuring their internal teams trust these guidelines, even if they deviate from perceived norms or common practices.
• SPF record placement: Understanding where SPF records should be placed and how they interact is fundamental for avoiding authentication failures and ensuring high deliverability.
• Avoiding unnecessary complexity: Adding an all mechanism to an included SPF record is redundant. While it may not cause direct harm, it adds unnecessary bytes to DNS responses and can perpetuate misunderstandings, as detailed in this guide on SPF formatting.

Key opinions

• Policy location: The all mechanism only defines the final policy for the domain publishing the SPF record, not for any domains whose records are merely included within it. More information about SPF ~all vs -all can be found in our guide.
• Evaluation flow: When an SPF record includes another, if the included record passes, the main record passes. If the included record fails to match an authorized sender or reaches its end, evaluation simply returns to the parent SPF record from that point forward, without inheriting the included record's implicit 'all' policy.
• No requirement for included: There is no RFC requirement for SPF records used exclusively for inclusion to contain their own -all mechanism.
• Common misunderstanding: SPF is widely misunderstood, and the belief that all included SPF records must end with -all is a frequent misconception among IT professionals who may not specialize in email deliverability.
• Redundant inclusion: Including -all in an included SPF record is harmless, but it does make the DNS response marginally larger and can add to perceived complexity without providing any functional benefit.

Key considerations

• Educating IT teams: Providing clear, concise explanations and references to RFC documentation is crucial for convincing IT teams about proper SPF configuration, especially when their current understanding is incorrect. Relying on ESP requirements is often the most practical approach.
• Trusting ESPs: If an IT department does not trust the SPF configuration provided by the very ESP hired for email expertise, it indicates a deeper challenge in technical communication and reliance on external vendors.
• Comprehensive authentication: While SPF is critical, a complete email authentication strategy also involves DKIM and DMARC. Our simple guide to DMARC, SPF, and DKIM provides a holistic view of these protocols.
• Avoiding SPF TempError: Misconfigurations and excessive DNS lookups can lead to SPF TempError issues. Understanding the SPF evaluation process helps prevent these problems and improve deliverability, particularly for platforms like Microsoft where hidden SPF DNS timeouts can occur.

Key findings

• RFC 7208 guidance: The RFC specifies that while an include mechanism allows for the authorization of external hosts, the ultimate determination of sender policy remains a function of the original domain's SPF record. This policy is explicitly set by the all mechanism within that primary record.
• Mechanism processing: When an include mechanism is processed, the SPF evaluator temporarily transitions to the included domain's SPF record. If a match is found there, the primary domain's SPF check is considered passed. If no match is found, control returns to the primary SPF record to continue evaluation from the next mechanism.
• Policy non-transferability: Crucially, the all mechanism in an included record is not used to determine the policy for the primary domain. Its presence is effectively ignored because the evaluation flow of the primary SPF record determines the final outcome based on its own all mechanism.

Key considerations

• Strict adherence to RFC: For correct SPF implementation and to avoid deliverability issues, it is essential to follow the specifications laid out in RFC 7208 precisely. Deviations based on assumptions can lead to SPF failures, such as unauthorized mail being prohibited.
• Simplifying configurations: Understanding that -all is not needed in included records can help simplify SPF configurations and prevent unnecessary DNS entries, which is a best practice for formatting SPF TXT records.
• RFC 7208, Section 5.2: For precise details on the include mechanism and its interaction with the all mechanism, refer directly to RFC 7208, Section 5.2, which is the authoritative source for SPF protocol definition.