The SPF Include mechanism holds references or conditions–inside an SPF record–that must be met for each given server to improve email deliverability. If you accidentally miss out on adding the Include statements for your third-party vendors in your SPF record, this could lead to issues for your recipients such as bounced emails and your overall bounce rate may spike up.
Learn what the “Include” mechanism in the SPF Records is and how you can optimize SPF Include statements for your needs.
What does SPF Include mean?
In your SPF record syntax, the “include” mechanism indicates records to convey to your email server to check for the records that match against the domain specified in the “include” line.
SPF “include” points to a domain whose SPF records will be queried when checking whether the sending IP is allowed or not. If the sending IP address is included in an “include” list defined by SPF, then it will result in a match and SPF passes.
Importance of SPF Multiple Include Mechanism
SPF include is important because:
➜ It specifies that you want to be protected by SPF records for any domain listed in your “include” block.
➜ It adds rules that are specific to a domain.
➜ You can use the SPF Include mechanism to further incorporate general filtering rules that apply to all domains within the same class. This means that, if your application supports multiple classes of email addresses, you can use include statements to allow for more complex filtering based on the class of the recipient address.
How does SPF include work?
The SPF include mechanism allows a domain owner to delegate the responsibility of sending emails to another domain. It is commonly used when a domain owner wants to authorize a third-party service or provider to send emails on their behalf.
Here’s how the SPF include mechanism works:
- The domain owner publishes an SPF record
- Include mechanism in the SPF record specifies another domain or IP address that is authorized to send emails on their behalf.
- During the lookup process, the SPF record is retrieved from the sender’s domain’s DNS.
- The receiving email server evaluates the SPF record to determine if the sending server is authorized to send emails for that domain. If the SPF record includes an “include” mechanism, the receiving server proceeds to check the included domain’s SPF record as well.
- The receiving server performs a recursive lookup by querying the DNS for the included domain’s SPF record. This process continues if there are multiple layers of include mechanisms.
SPF Include Example
For example: If you have “include:_spf.google.com” in your SPF record, and emails are sent from a Google IP address, it will be considered an authorized email sender because the originating IP is found within the “include” mechanism of that domain’s SPF record. As a result of this, the email will successfully pass through the server before reaching its intended recipient.
To authorize google as a verified sending source, this should be your SPF record syntax:
v=spf1 include:_spf.google.com ~all
How to Include Multiple Domains or Hosts or IP Addresses in your SPF record?
When you’re looking to include more than 1 SPF record, you may run into issues with email delivery (such as emails getting rejected as spam). The fix is to delete the offending SPF records and merge the domains or host entries into a single record or line through SPF include.
Consider the example of the SPF record with numerous hosts and ip4 addresses used by one of the world’s famous tech manufacturers of consumer electronics, Lenovo.com.
When performing SPF Record Lookup for Lenovo.com, we found that it has merged 4 domains:
- spf.messagelabs.com
- _netblocks.eloqua.com
- spf.protection.outlook.com
- spf.pfpool.lenovo.com
and 5 IP4 addresses:
- 72.32.45.225
- 40.65.201.146
- 138.108.60.125
- 138.108.24.107
- 52.247.21.11
into a single record like this:
v=spf1 include:spf.messagelabs.com include:_netblocks.eloqua.com include:spf.protection.outlook.com include:spf.pfpool.lenovo.com ip4:72.32.45.225 ip4:40.65.201.146 ip4:138.108.60.125 ip4:138.108.24.107 ip4:52.247.21.11 ~all
Understanding The SPF Record Semantics
Considering the example above, we have learned that the following rule applies when merging numerous hosts or IP4 addresses into a single SPF record.
An SPF record should have 3 sections to be considered valid: the declaration (start), the include mechanism for domains and the IP4 tag for IP addresses (center), and an enforcement rule (end).
➜ Declaration: The record should start with v=spf1 (don’t use this string again in the rule)
➜ Allowed domains: Add an include: for each domain (you have to use the SPF Include mechanism as include: with every domain, you add in the SPF record)
➜ Allowed IPs: Add an IP4 tag for each IP address (you have to use the IP4 tag before every IP address you add to the SPF record)
➜ Enforcement rule: End the record with one ~all statement (use this string at the end and only once)
Can I Have Multiple SPF Records?
The answer is no because Multiple SPF records confuse the recipient server regarding which TXT record to consider during a lookup, and too many spf includes adding multiple DNS lookups that will rapidly exceed the lookup limit of 10.
SPF records are TXT-type records starting with the string v=spf1. They tell email servers which rules they should follow when determining whether or not a given email is spam. The rules include:
Therefore, if you have two separate SPF TXT record entries on your server, your emails will fail SPF authentication and return a PermError. It’s because a receiving mail server won’t know which rule to follow—it will simply ignore both of these TXT records.
An Important Note Regarding SPF Include
It’s important to incorporate the “include” mechanism in your SPF record because it allows you to include other domains and hosts in your SPF record, which can be useful for verifying the authenticity of your messages.
However, the following rule applies to using the number of lookups per SPF record (as mentioned in section 10.1 of RFC 4408):
“SPF implementations MUST limit the number of mechanisms and modifiers to at most 10 per SPF check, including any lookups caused by the use of the “include” mechanism or the “redirect” modifier.”
If your SPF implementation does not limit the number of mechanisms and modifiers, it will sleep on checks for unreachable hosts. Because these hosts will never be included in your checks, they will never receive mail from clients. This can cause serious issues with mail delivery.
Difference Between SPF include: and a:
The SPF “include” mechanism is used to include SPF records from another domain within the current domain’s SPF record, while the SPF “a” mechanism is used to specify individual IP addresses or hostnames (A records) that are authorized to send emails for the domain.
SPF include vs a
Reasons to use a:
- It is more practical and less complicated
- Because you haven’t enabled SPF on the relevant domains
- Because the SPF isn’t configured correctly or it mistakenly permits other servers that aren’t in its A records
Reasons to use include:
- You trust that a site’s domain name has a valid SPF record
- Because you want to have a single source of truth for don’t-repeat-yourself reasons, and the SPF domain is complex
- You may want to make changes to your SPF records without necessarily editing the DNS for all of the domains that include yours
Automated Optimization of SPF Include: for Multiple Domains and IP Addresses
Multi-host, multi-IP address SPF record is not a new thing. Building this kind of record requires proper expertise to avoid SPF authentication failure or PermError.
To build an SPF record that works, you need to use the include: mechanism correctly. And for your SPF policy to be effective, it has to be implemented properly on multiple hosts and IP addresses.
When using PowerDMARC’s SPF Flattening tool, we’ll generate a valid SPF record for you with all of your hosts and IP addresses included in one single line of text. You can add as many domains and IPs as you want—just separate them by space. We’ll merge that into a single SPF include so that you never exceed the lookup limit, or face email delivery and hardfail issues.
- Introducing DKIM2: The Future of Email Security - November 20, 2024
- BreakSPF Attacks: Outsmart the Hackers and Protect Your Email - November 13, 2024
- PowerDMARC Integrates with ConnectWise - October 31, 2024