SPF include explained

The SPF Include mechanism references, from inside an SPF record, the SPF records of other domains whose sending servers must also be authorized for your mail to be delivered reliably. If you forget to add the Include statements for your third-party vendors to your SPF record, your recipients may see bounced emails and your overall bounce rate can spike.

Learn what the “Include” mechanism in the SPF Records is and how you can optimize SPF Include statements for your needs.

What is SPF Include?

In SPF record syntax, the “include” mechanism tells the receiving mail server to look up the SPF record of the domain named in the “include” term and to match the sending IP against that record.

The “include” points to a domain whose SPF record is queried when checking whether the sending IP is allowed. If the sending IP address matches that domain’s SPF record, the “include” term matches and SPF passes.

SPF Include is important because:

➜ It specifies that you want to be protected by SPF records for any domain listed in your “include” block.

➜ It adds rules that are specific to a domain.

➜ You can use the SPF Include mechanism to incorporate general filtering rules that apply to all domains within the same class. If your application supports multiple classes of email addresses, include statements let you build more complex filtering based on the class of the recipient address.

For example:

If you have “include:_spf.google.com” in your SPF record and an email is sent from a Google IP address, the sender is considered authorized because the originating IP is found in the SPF record of the domain named in the “include” mechanism. As a result, the email passes the receiving server’s SPF check before reaching its intended recipient.

More than one SPF Record is Not Allowed: But Why?

Multiple SPF records are not allowed.

SPF records are TXT-type records starting with the string v=spf1. They tell email servers which rules they should follow when determining whether or not a given email is spam. The rules include:

  • A receiving mail server must verify that the sending domain is an authorized recipient of that message. When this rule is met, it will accept the message and deliver it to the user.
  • A receiving mail server must verify that the sending domain’s IP address matches an authorized IP address for that domain and that the IP address belongs to an authorized sender. When these conditions are met, the message will be delivered to the user.

Therefore, if you publish two separate SPF TXT records for your domain, your emails will fail SPF authentication with a PermError: the receiving mail server cannot know which record to follow, so it simply ignores both of them.

SPF Include Multiple Domains or Hosts or IP Addresses: How-To Instructions

When you try to publish more than one SPF record, you may run into email delivery problems (such as mail being rejected as spam). The fix is to delete the extra SPF records and merge the domains, hosts and IP addresses into a single record using SPF include.

Consider the example of an SPF record with numerous hosts and ip4 addresses, used by Lenovo.com, one of the world’s best-known consumer electronics manufacturers.

When we performed an SPF record lookup for Lenovo.com, we found that it merges 4 domains:

  1. spf.messagelabs.com
  2. _netblocks.eloqua.com
  3. spf.protection.outlook.com
  4. spf.pfpool.lenovo.com

and 5 IP4 addresses:

  1. 72.32.45.225
  2. 40.65.201.146
  3. 138.108.60.125
  4. 138.108.24.107
  5. 52.247.21.11

into a single record like this:

v=spf1 include:spf.messagelabs.com include:_netblocks.eloqua.com include:spf.protection.outlook.com include:spf.pfpool.lenovo.com ip4:72.32.45.225 ip4:40.65.201.146 ip4:138.108.60.125 ip4:138.108.24.107 ip4:52.247.21.11 ~all

Understanding The SPF Record Semantics

From the example above, the following rules apply when merging numerous hosts or IP4 addresses into a single SPF record.

An SPF record should have 3 sections to be considered valid: the declaration (start), the include mechanism for domains and the IP4 tag for IP addresses (center), and an enforcement rule (end).

Declaration: The record must start with v=spf1 (this string appears only once, at the start of the record)

Allowed domains: Add an include: term for each domain (every domain you add to the SPF record must be prefixed with include:)

Allowed IPs: Add an ip4: term for each IP address (every IP address you add to the SPF record must be prefixed with ip4:)

Enforcement rule: End the record with a single ~all term (use it once, at the very end)

An Important Note Regarding SPF Include

It’s important to incorporate the “include” mechanism in your SPF record because it lets you authorize the sending hosts of other domains from your own SPF record, which is how recipients verify the authenticity of messages those domains send on your behalf.

However, the following rule limits the number of lookups per SPF record (section 10.1 of RFC 4408):

“SPF implementations MUST limit the number of mechanisms and modifiers to at most 10 per SPF check, including any lookups caused by the use of the “include” mechanism or the “redirect” modifier.”

If your SPF implementation does not limit the number of mechanisms and modifiers, a check can stall on lookups for unreachable hosts. Because those hosts never complete the check, mail from clients behind them is never delivered, which causes serious mail delivery problems.
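To make the record rules, the single-record requirement and the lookup limit above concrete, here is an added example (not code from the original article or from any SPF library) of a minimal SPF evaluator: it handles ip4:, include: and all, returns PermError when a domain publishes two v=spf1 records, and enforces the 10-lookup cap from RFC 4408. The domain names and TXT values in DNS_TXT are constructed stand-ins for real DNS answers.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups; none of these are real records.
DNS_TXT = {
    "example.com": ["v=spf1 ip4:72.32.45.225 include:_spf.vendor.example ~all"],
    "_spf.vendor.example": ["v=spf1 ip4:40.65.201.146 ip4:138.108.0.0/16 -all"],
    "twice.example": ["v=spf1 ip4:192.0.2.1 -all", "v=spf1 ip4:192.0.2.2 -all"],
    "_loop.example": ["v=spf1 include:_loop.example -all"],
}
MAX_LOOKUPS = 10  # RFC 4408 section 10.1 cap on lookup-causing terms
RESULT_FOR = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(domain, ip, lookups=None):
    """Evaluate the SPF record of `domain` for sender `ip`; returns (result, lookups_used).
    Result is none, pass, fail, softfail, neutral or permerror. Only ip4, include, all."""
    lookups = lookups if lookups is not None else [0]  # counter shared across includes
    records = [r for r in DNS_TXT.get(domain, []) if r.split()[0] == "v=spf1"]
    if len(records) > 1:           # two v=spf1 TXT records: ambiguous, hard error
        return "permerror", lookups[0]
    if not records:
        return "none", lookups[0]
    addr = ipaddress.ip_address(ip)
    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in RESULT_FOR:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        if mech == "include":
            lookups[0] += 1
            if lookups[0] > MAX_LOOKUPS:
                return "permerror", lookups[0]
            sub, _ = check_spf(arg, ip, lookups)
            if sub in ("permerror", "none"):  # include of a missing record is an error
                return "permerror", lookups[0]
            matched = sub == "pass"           # only a PASS from the included record matches
        elif mech == "ip4":
            matched = addr.version == 4 and addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "all":
            matched = True
        else:
            return "permerror", lookups[0]    # a:, mx:, exists: etc. are not modelled here
        if matched:
            return RESULT_FOR[qualifier], lookups[0]
    return "neutral", lookups[0]              # nothing matched and no "all" term present

if __name__ == "__main__":
    for sender in ("72.32.45.225", "40.65.201.146", "203.0.113.9"):
        print("example.com", sender, check_spf("example.com", sender))
    print("twice.example", check_spf("twice.example", "192.0.2.1"))
    print("_loop.example", check_spf("_loop.example", "192.0.2.1"))
```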

Difference Between SPF include: and a:

a: Test the IP address to see if it matches an A record for your domain.

include: Evaluate the entire SPF record of another domain against the sending IP; if that evaluation returns PASS, the include term matches and PASS is returned as the result of the whole check.

Reasons to use a:

  • It is more practical and less complicated
  • Because you haven’t enabled SPF on the relevant domains
  • Because the SPF isn’t configured correctly or it mistakenly permits other servers that aren’t in its A records

Reasons to use include:

  • You trust that a site’s domain name has a valid SPF record
  • Because you want to have a single source of truth for don’t-repeat-yourself reasons, and the SPF domain is complex
  • You may want to make changes to your SPF records without necessarily editing the DNS for all of the domains that include yours

Automated Optimization of SPF Include: for Multiple Domains and IP Addresses

Multi-host, multi-IP-address SPF records are nothing new, but building one correctly takes real expertise if you want to avoid SPF authentication failures or a PermError.
