SPF include mechanism
The include mechanism is one of the most commonly used parts of an SPF record. It lets you reference another domain's SPF policy and is the standard way to authorise third-party senders such as Google Workspace, Microsoft 365, or transactional email services.
What is the SPF include mechanism?
The SPF include mechanism tells a receiving mail server to evaluate another domain's SPF record as part of the current SPF evaluation. If the sending IP matches an allowed IP in the referenced domain's SPF record, the include mechanism matches and SPF can pass.
include is typically written as:
include:_spf.google.com
This is the standard way to authorise sending from a third-party mail service. The third-party provider publishes its own SPF record, and you reference it from your own record rather than copying a list of IP addresses that may change over time.
A common misconception is that include:somedomain.com means "allow all mail from somedomain.com." That is not what include does. It evaluates somedomain.com's SPF record to determine whether the current sending IP is authorised.
How include works in an SPF record
When a receiving mail server evaluates your SPF record and encounters an include mechanism, it performs a DNS lookup for the referenced domain's SPF record and evaluates it against the sending IP.
There are three possible outcomes:
Pass: the sending IP is explicitly authorised by the included domain's SPF record. The include mechanism matches, and evaluation of your record ends at this mechanism with a pass result unless a qualifier on the include says otherwise.
Fail, SoftFail or Neutral: the sending IP is not authorised by the included domain's SPF record. The include mechanism does not match, and SPF evaluation of your record moves on to the next mechanism.
PermError or TempError: the included domain's SPF record has an error or cannot be retrieved. This propagates as an error in your own SPF evaluation.
Importantly, a non-matching include does not immediately fail SPF — evaluation continues through your record's remaining mechanisms until a match is found or the record ends.
When to use include:
Use include: whenever a third-party service sends mail on behalf of your domain and that service provides an SPF record for you to reference. Common examples are:
Google Workspace: include:_spf.google.com
Microsoft 365: include:spf.protection.outlook.com
Mailchimp: include:servers.mcsv.net
SendGrid: include:sendgrid.net
Each service publishes and maintains its own SPF record. By using include:, your SPF record automatically covers any IP address changes the service makes, because receivers look up the referenced domain at evaluation time.
You should not use include: to authorise a domain that you control directly — for that, list the IP addresses explicitly with ip4: or ip6: mechanisms, or use the a: or mx: mechanisms if appropriate. include: is designed for referencing external policies you do not control.
What happens when an included SPF record passes or fails
If the included domain's SPF record results in a Pass for the sending IP, the include mechanism itself matches. SPF evaluation of your record treats this mechanism as a hit and, if no qualifier override applies, returns a Pass result.
If the included domain's SPF record results in Fail, SoftFail, or Neutral for the sending IP, the include mechanism does not match. Evaluation moves to the next mechanism in your SPF record.
If the included domain has no SPF record at all, the include mechanism results in PermError for your record. This is a hard error — receivers treating PermError as a failure will reject or quarantine the message.
If the included domain's SPF record itself has a syntax error or exceeds the DNS lookup limit, that error also propagates as a PermError into your own record.
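The outcome rules from "How include works in an SPF record" and this section, as an added example that is not code from the original page. It is a reduced evaluator covering only ip4, ip6, include and all; the domain names, address ranges and the ZONE table are constructed and stand in for DNS TXT lookups, and TempError is not modelled.

```python
import ipaddress

QUAL = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
# Constructed records standing in for DNS TXT answers (reserved example names and ranges).
ZONE = {
    "shop.example": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.example -all",
    "_spf.mailer.example": "v=spf1 include:_a.mailer.example include:_b.mailer.example ~all",
    "_a.mailer.example": "v=spf1 ip4:198.51.100.0/25 -all",
    "_b.mailer.example": "v=spf1 ip4:198.51.100.128/25 -all",
    "stale.example": "v=spf1 include:closed-vendor.example -all",  # target has no record
}

class PermError(Exception):
    """Raised for the conditions the page describes as PermError."""

def _check(ip, domain, zone, consulted):
    record = zone.get(domain)
    if record is None:
        return "none"  # no SPF record published for this name
    for term in record.split()[1:]:
        qual, mech = (term[0], term[1:]) if term[0] in QUAL else ("+", term)
        name, _, arg = mech.partition(":")
        if name == "include":
            consulted.append(arg)  # each include costs one DNS lookup
            if len(consulted) > 10:
                raise PermError("DNS lookup limit exceeded")
            inner = _check(ip, arg, zone, consulted)
            if inner == "none":
                raise PermError(f"{arg} publishes no SPF record")
            matched = inner == "pass"  # fail/softfail/neutral: no match, move on
        elif name in ("ip4", "ip6"):
            matched = ipaddress.ip_address(ip) in ipaddress.ip_network(arg, strict=False)
        elif name == "all":
            matched = True
        else:
            raise PermError(f"term not handled in this sketch: {term}")
        if matched:
            return QUAL[qual]  # the qualifier on the matching term sets the result
    return "neutral"  # end of record, nothing matched

def evaluate(ip, domain, zone=ZONE):
    """Return (result, included domains consulted) for one sending IP."""
    consulted = []
    try:
        return _check(ip, domain, zone, consulted), consulted
    except PermError:
        return "permerror", consulted
```

For 203.0.113.9 the included record ends in ~all, yet the result for shop.example is fail: the included SoftFail only means the include did not match, and the outer -all decides.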
SPF include vs redirect
include and redirect are often confused but behave differently.
include evaluates the referenced domain's SPF record as an additional check within your SPF record. If the include matches, it contributes a pass result. If it does not match, evaluation continues with the next mechanism in your record. You can have multiple include mechanisms in a single SPF record.
redirect replaces your entire SPF record with another domain's SPF record. It is a modifier, not a mechanism, and there can only be one redirect per SPF record. Any mechanisms listed before a redirect in the same record are still evaluated; redirect only applies if no earlier mechanism matches.
Use include: when you want to add a third-party sender to your existing SPF policy. Use redirect= when you want to delegate your entire SPF policy to another domain — typically used by organisations managing SPF centrally across multiple domains.
How include affects the 10 DNS lookup limit
SPF limits evaluation to 10 DNS lookups. This limit covers lookups caused by mechanisms that require DNS resolution: include, a, mx, ptr, and exists. Each include adds at least one DNS lookup — the lookup for the referenced domain's SPF record — plus any further lookups that the referenced record requires.
Includes can nest. If you include:_spf.example.com and that record contains two further include mechanisms, all three lookups count toward your 10-lookup limit.
A record that exceeds 10 DNS lookups results in SPF PermError. This is one of the most common causes of SPF failures for domains that use multiple third-party senders. Each service added via include can add two or more lookups to the total count.
If you are close to or over the 10-lookup limit, you can reduce lookups by: removing unused or stale include mechanisms, flattening includes by replacing them with the resolved IP addresses (though this requires ongoing maintenance), or using a managed SPF service that handles flattening automatically.
Common SPF include mistakes
Including a domain with no SPF record. If the referenced domain does not publish an SPF record, the include causes PermError in your own record. Always verify that the domain you are including has a valid SPF record before adding it.
Leaving stale includes in the record. When you stop using a third-party service, its include: entry should be removed from your SPF record. Stale includes waste DNS lookup budget and may still authorise sending from a service you no longer control.
Duplicating includes. Including the same domain twice does not cause an error but wastes lookups. Each occurrence is evaluated separately.
Assuming include authorises the domain itself. include:somedomain.com does not authorise mail from any IP that somedomain.com owns in general — it evaluates somedomain.com's SPF policy, which may authorise specific IP ranges or further include mechanisms.
Exceeding the 10-lookup limit. Adding too many include mechanisms — especially those that chain to further includes — can push the total DNS lookup count above the SPF limit, resulting in PermError.
How to fix SPF include problems
Audit your current SPF record. List every mechanism and count the DNS lookups each one contributes. Tools like the MXFend SPF Checker can evaluate your record and surface lookup counts and errors.
Verify that every included domain has a valid SPF record. If any included domain has no SPF record or a broken one, fix or remove that include. A missing SPF record at an included domain causes PermError in your record.
Remove includes for services you no longer use. Check your include list against the services you actually send from. Remove any that are no longer active.
Reduce DNS lookups if you are near the limit. Options include: consolidating IP ranges into ip4: or ip6: mechanisms, removing unnecessary a: or mx: mechanisms, or using a managed SPF flattening service.
Test after every change. SPF records are evaluated live at delivery time. Use an SPF checker to confirm that the record is valid and that the DNS lookup count is within the limit after any modification.
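The audit steps above, together with the lookup counting from "How include affects the 10 DNS lookup limit", as an added example that is not code from the original page or from MXFend. It walks every include chain in a constructed ZONE table (all names and ranges are made up), counts the lookup-causing mechanisms the page lists, and reports duplicate includes, includes whose target has no SPF record, and include loops; the redirect modifier is not handled.

```python
import re

# Constructed records standing in for DNS TXT answers; None means no SPF record.
ZONE = {
    "corp.example": "v=spf1 mx include:_spf.suite.example include:mail.crm.example "
                    "include:_spf.suite.example include:old-vendor.example ~all",
    "corp-fixed.example": "v=spf1 mx include:_spf.suite.example include:mail.crm.example ~all",
    "_spf.suite.example": "v=spf1 include:_n1.suite.example include:_n2.suite.example ~all",
    "_n1.suite.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    "_n2.suite.example": "v=spf1 ip6:2001:db8::/32 ~all",
    "mail.crm.example": "v=spf1 a mx exists:%{i}.allow.crm.example -all",
    "old-vendor.example": None,
}
# Mechanisms that cost a DNS lookup, as listed on the page (ip4, ip6 and all do not).
DNS_TERM = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists)(?=[:/]|$)")

def audit(domain, zone=ZONE):
    """Count every lookup-causing term reachable from the record and list problems."""
    if zone.get(domain) is None:
        raise ValueError(f"{domain} publishes no SPF record")
    report = {"lookups": 0, "duplicates": [], "missing": [], "loops": []}

    def walk(name, chain):
        seen_here = set()
        for term in zone[name].split()[1:]:
            if not DNS_TERM.match(term):
                continue
            report["lookups"] += 1
            body = term.lstrip("+-~?")
            if not body.startswith("include:"):
                continue
            target = body.split(":", 1)[1]
            if target in seen_here:
                report["duplicates"].append(target)  # still evaluated again
            seen_here.add(target)
            if target in chain:
                report["loops"].append(target)
            elif zone.get(target) is None:
                report["missing"].append(target)  # PermError for the parent
            else:
                walk(target, chain + (target,))

    walk(domain, (domain,))
    report["over_limit"] = report["lookups"] > 10
    return report
```

corp.example totals 12 lookups with one duplicate and one missing target; corp-fixed.example, with the duplicate and the stale include removed, totals 8.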
How MXFend can help
SPF Checker — evaluates your SPF record, counts DNS lookups, traces each include chain, and flags PermError conditions, missing included records, and lookup limit violations.
Email Security Score — provides a combined audit of SPF, DKIM, DMARC, blacklist, SMTP TLS, MTA-STS, TLS-RPT, MX, and BIMI in a single weighted report.
DMARC Checker — checks whether your DMARC policy is published and correctly aligned with your SPF and DKIM setup.
DKIM Checker — validates DKIM selectors and public key records for the domain. DKIM alignment alongside SPF is required for DMARC to pass.
Frequently asked questions
What does include mean in an SPF record?
include: in an SPF record tells the receiving server to evaluate the referenced domain's SPF policy against the sending IP. If the sending IP matches an authorised IP in the included domain's SPF record, the include mechanism passes. It is not the same as trusting all mail from that domain — it evaluates that domain's specific SPF policy.
Can I have multiple include mechanisms in SPF?
Yes. You can have multiple include: mechanisms in a single SPF record. Each one is evaluated in order until a match is found. However, each include adds to the total DNS lookup count, and SPF limits evaluation to 10 DNS lookups. Too many includes — especially ones that chain to further includes — can push the total above the limit and cause SPF PermError.
Does include count toward the SPF DNS lookup limit?
Yes. Each include: mechanism causes at least one DNS lookup for the referenced domain's SPF record, plus any further lookups that record requires. SPF allows a maximum of 10 DNS lookups during evaluation. Exceeding this limit results in SPF PermError.
What happens if an included SPF record is broken?
If the domain referenced by an include: mechanism has no SPF record, or if that record has a syntax error or exceeds the DNS lookup limit itself, the include results in PermError for your own SPF record. Receivers that treat PermError as a hard failure will not pass SPF for mail from your domain. Always verify that any domain you include has a valid, working SPF record.
What is the difference between SPF include and redirect?
include: evaluates another domain's SPF record as one mechanism within your record. If it does not match, evaluation continues to the next mechanism. redirect= replaces your entire SPF record with another domain's policy and applies only if no earlier mechanism in your record matches. You can use multiple include: mechanisms in a record, but only one redirect=.