
Include (SPF)

Learn how the SPF include mechanism works, how to safely authorize third-party senders, and how DMARCeye detects SPF include risks and lookup limit issues.


What is Include (SPF)?

The include mechanism in SPF (Sender Policy Framework) allows a domain to reference another domain’s SPF record when defining authorized mail servers. It is commonly used when third-party vendors send email on behalf of your organization, such as marketing platforms, CRM tools, or cloud mail services. The include directive simplifies SPF management by letting you inherit another domain’s authorization rules instead of manually copying each IP address.

For example, if your company uses an external service like SendGrid or Microsoft 365 to send legitimate mail, you can include their SPF record in your own. This tells receiving servers that the vendor’s infrastructure is permitted to send on your behalf.

How the Include Mechanism Works

When an SPF evaluation encounters an include statement, it performs a recursive DNS lookup to retrieve the referenced domain's SPF record and evaluates the sending IP against it. If that nested evaluation returns pass, the include matches and the qualifier in front of it (pass by default) becomes the result. Any other outcome from the included record, including a fail produced by its own -all, simply means the include did not match, and evaluation continues with the next mechanism in the original policy.

Example of an SPF record with includes:

v=spf1 include:_spf.google.com include:spf.protection.outlook.com -all

In this example, the domain authorizes mail sent through Google Workspace and Microsoft 365 by importing their SPF configurations. Any mail sent from IPs listed in those included records will pass SPF validation for the domain.

Multiple includes are allowed, but each counts toward SPF's limit of 10 DNS-querying mechanisms per evaluation, and includes nested inside an included record count as well (as do a, mx, ptr, exists and the redirect modifier). Exceeding the limit causes the entire SPF evaluation to return permerror, for legitimate mail as well as forged mail.

Best Practices for Using Include in SPF

Although the include mechanism is convenient, it must be used carefully to maintain a valid and efficient SPF configuration.

Recommended best practices include:

  • Use includes only for trusted third-party providers that publish maintained SPF records
  • Limit the number of includes to stay below the 10-lookup limit
  • Avoid chaining includes from multiple vendors (include-in-include scenarios)
  • Periodically verify that included SPF records have not changed unexpectedly
  • Flatten your SPF record (replace includes with the IP addresses they resolve to) if necessary to reduce lookups, remembering that a flattened record must be refreshed whenever a provider's IP ranges change
  • Use mechanisms like -all or ~all to clearly define the default policy for unlisted senders

By keeping the structure simple and avoiding unnecessary nesting, you ensure faster resolution and fewer false SPF failures.
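The following is an added example, not DMARCeye's code or any vendor's, that puts the include semantics described above and the lookup-budget and flattening best practices into one small Python checker. It assumes a constructed dictionary, FAKE_DNS, as an offline stand-in for DNS TXT lookups; the domains and addresses in it are invented (documentation ranges), as are the helper names. It implements the rule that an include matches only when the included record evaluates to pass, counts DNS-querying mechanisms across nested includes and raises permerror past 10, flags an include whose target publishes no SPF record or references itself, and flattens the include tree into the ip4/ip6 networks it ultimately authorizes.

```python
import ipaddress

# Constructed, offline stand-in for DNS TXT lookups; a real checker would query
# DNS. Domains and addresses are invented (documentation ranges), not any vendor's.
FAKE_DNS = {
    "example.com": "v=spf1 include:_spf.mailvendor.example include:spf.crm.example -all",
    "_spf.mailvendor.example": "v=spf1 ip4:192.0.2.0/24 include:_netblocks.mailvendor.example ~all",
    "_netblocks.mailvendor.example": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 -all",
    "spf.crm.example": "v=spf1 ip4:203.0.113.10 -all",
    "stale.example": "v=spf1 include:gone.example -all",  # target no longer publishes SPF
    "loop.example": "v=spf1 include:loop.example -all",   # include that references itself
}
for i in range(11):  # an include-in-include chain deep enough to exceed the limit
    FAKE_DNS[f"chain{i}.example"] = f"v=spf1 include:chain{i + 1}.example -all"
FAKE_DNS["chain11.example"] = "v=spf1 ip4:192.0.2.1 -all"

MAX_LOOKUPS = 10
# Mechanisms that cost a DNS query (RFC 7208 4.6.4); redirect= also counts but is omitted here.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


class PermError(Exception):
    """Conditions RFC 7208 maps to the 'permerror' result."""


def parse_terms(record):
    """Split an SPF record into terms, dropping the v=spf1 version tag."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise PermError("not an SPF record")
    return terms[1:]


def split_term(term):
    """Return (qualifier, mechanism name, value) for one SPF term."""
    qualifier = "+"
    if term[0] in "+-~?":
        qualifier, term = term[0], term[1:]
    name, _, value = term.partition(":")
    return qualifier, name.lower(), value


def check_host(ip, domain, dns, counter=None):
    """Evaluate ip against domain's SPF policy: pass/fail/softfail/neutral/none."""
    counter = [0] if counter is None else counter  # shared by the whole evaluation
    record = dns.get(domain)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in parse_terms(record):
        qualifier, name, value = split_term(term)
        if name in LOOKUP_MECHANISMS:
            counter[0] += 1
            if counter[0] > MAX_LOOKUPS:
                raise PermError(f"more than {MAX_LOOKUPS} DNS lookups")
        matched = False
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            matched = addr in ipaddress.ip_network(value, strict=False)  # other IP version: False
        elif name == "include":
            # RFC 7208 5.2: an include matches only when the included record evaluates
            # to pass. Its fail/softfail/neutral (even from a -all) is just "no match",
            # and evaluation continues with the next term of this record.
            result = check_host(ip, value, dns, counter)
            if result == "none":
                raise PermError(f"include:{value} has no SPF record")
            matched = result == "pass"
        # a/mx/ptr/exists are counted above but not resolved in this example.
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"  # nothing matched and no 'all' term


def spf_result(ip, domain, dns=FAKE_DNS):
    """check_host with permerror folded into the returned string."""
    try:
        return check_host(ip, domain, dns)
    except PermError:
        return "permerror"


def walk(domain, dns, seen=frozenset()):
    """Yield (name, value) for every term reachable from domain, following includes."""
    if domain in seen:
        raise PermError(f"include loop at {domain}")
    record = dns.get(domain)
    if record is None:
        raise PermError(f"no SPF record for {domain}")
    for term in parse_terms(record):
        _, name, value = split_term(term)
        yield name, value
        if name == "include":
            yield from walk(value, dns, seen | {domain})


def count_lookups(domain, dns):
    """DNS-querying mechanisms reachable from domain, includes expanded (the 10-lookup budget)."""
    return sum(1 for name, _ in walk(domain, dns) if name in LOOKUP_MECHANISMS)


def flatten(domain, dns):
    """The ip4/ip6 networks the includes ultimately authorize (a 'flattened' record)."""
    return [value for name, value in walk(domain, dns) if name in ("ip4", "ip6")]
```

With the constructed data, spf_result("203.0.113.10", "example.com") returns pass even though the first included record ends in -all: that -all only makes the first include a non-match, and the second include then matches. count_lookups reports that example.com spends 3 of its 10 lookups, while the chain0.example record spends 11 and evaluates to permerror; flatten("example.com", FAKE_DNS) returns the four networks a flattened record would list, which is also the dependency map worth re-checking whenever a provider updates its ranges.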

Include Mechanism and DMARCeye

DMARCeye analyzes SPF records across your domains and detects potential risks caused by excessive or outdated include statements. The platform expands and maps each reference to show which IPs and services are authorized under your SPF policy.

This visibility helps you identify dependencies on external providers, find broken or deprecated includes, and stay within SPF’s lookup limits. With DMARCeye’s detailed DNS analysis and reporting, you can confidently manage third-party senders while maintaining a clean, compliant SPF configuration.

Sign up for a free trial of DMARCeye today and secure your email domain.


To learn more about DMARC and DMARC-related terms, explore the DMARCeye Glossary.

