The Sender Policy Framework (SPF) uses two primary mechanisms to delegate authorization:
v=spf1 include:example.com ~all
v=spf1 redirect=_spf.example.com ~allInclude: Copies rules from the referenced domain's SPF record
v=spf1 include:_spf.google.com include:servers.mydomain.com -allRedirect: Completely replaces current evaluation with referenced domain's SPF
v=spf1 redirect=example.comWhen a receiving mail server processes SPF records:
- Include: Evaluates referenced record as part of current check
- Redirect: Terminates current check and starts new evaluation
Recursion Limits:
// Mail servers typically allow up to 10 nested includes
// Redirects count as a single lookup regardless of depthDNS Lookup Optimization:
// Preferred for large organizations:
v=spf1 include:spf.protection.outlook.com -all
// Preferred for simple delegation:
v=spf1 redirect=spf.example.orgCommon debugging scenarios:
# Check include chain
dig TXT example.com +short | grep "v=spf1"
# Verify redirect target
dig TXT _spf.example.com +shortTest results from major ESPs show:
- Redirects complete 18-22% faster for deep hierarchies
- Includes provide better granular control (3-5% more precise auth)
Sender Policy Framework (SPF) uses various mechanisms to authorize email senders. Two commonly confused mechanisms are include and redirect, which serve different purposes in SPF record management.
The include mechanism allows you to reference another domain's SPF record while evaluating your own policy. This is particularly useful when:
- Using third-party email services
- Working with multiple departments in large organizations
- Implementing complex email infrastructures
v=spf1 include:_spf.google.com ~allThis example includes Google's SPF record to authorize G Suite emails.
The redirect modifier completely replaces your SPF evaluation with another domain's policy. This is typically used when:
- Managing SPF records for multiple brands under one parent company
- Consolidating SPF policies across an organization
- Simplifying complex SPF configurations
v=spf1 redirect=example.comThis SPF record would essentially adopt the entire SPF policy of example.com.
| Feature | Include | Redirect |
|---|---|---|
| Evaluation Order | Processed in sequence | Replaces entire evaluation |
| Fallback to Local Policy | Yes | No |
| Multiple References | Supported | Only one allowed |
| Common Use Cases | Third-party services | Brand consolidation |
For a company using both Mailchimp and SendGrid while maintaining some internal mail servers:
v=spf1 include:servers.mcsv.net include:sendgrid.net ip4:192.0.2.0/24 ~allFor a subsidiary company that wants to use its parent company's SPF policy:
v=spf1 redirect=parentcompany.com- Avoid
redirectwhen you need to combine multiple SPF sources - Remember that
includecontinues processing after the included policy - Never exceed 10 DNS lookups (includes + a/mx/ptr records)
- Test SPF records using tools like MXToolbox before deployment
When troubleshooting SPF failures, always check whether the issue stems from an include that didn't match or a redirect that unexpectedly overrode your entire policy.