SPF Basics

SPF Include Mechanism

The SPF include mechanism authorizes another domain's SPF policy as part of your own, enabling third-party senders without listing every IP.

Beginner · 5 min read · Reviewed Jul 4, 2026

Quick answer

The SPF include mechanism lets your record reference another domain SPF policy, commonly used to authorize email providers. Receivers fetch the included domain TXT record and evaluate its mechanisms while counting DNS lookups. Multiple includes can coexist, but each adds lookup cost and dependency on the included domain remaining valid and up to date.

Beginner explanation

The include mechanism is the glue between your domain and the SaaS email economy. Instead of copying hundreds of provider IP addresses by hand, you publish include:spf.vendor.com and inherit their maintained policy.

Includes are the reason a five-line SPF record can authorize mail from global cloud platforms. They are also the reason lookup limits and PermError appear when too many vendors stack up.

Learning include behavior is essential for anyone editing SPF, because it is the most commonly used mechanism after ip4.

Technical explanation

Syntax is include:domain where domain is a hostname, not an IP. During evaluation, if no prior mechanism matched, the receiver looks up the TXT records at domain and logically inserts the mechanisms found there, excluding the included v=spf1 version tag and any all mechanism from the included record in some implementations.

Includes can nest. Provider macros are designed for this pattern. The include mechanism does not pass by itself; it delegates evaluation. If the nested policy yields a match, the result is pass. If nested evaluation ends without match, evaluation continues to the next mechanism in the parent record.

Combine includes with a terminal all mechanism such as ~all or -all to express default policy for unmatched IPs. The qualifier on all should reflect your enforcement posture coordinated with DMARC.

Business impact

Correct includes unlock rapid onboarding of marketing and CRM platforms without waiting for IP range spreadsheets. Incorrect includes block entire product categories of mail with uniform SPF fail results.

Because includes delegate trust, a compromised or misconfigured vendor SPF policy becomes your deliverability problem even when your own DNS text never changed.

Common mistakes

- Typing include without a colon or using an IP address after include
- Adding duplicate includes for the same vendor after documentation changes
- Placing all before includes, which can short-circuit evaluation unexpectedly depending on match state

How SPF Manager helps

SPF Manager documents each include's resolved content and flags unknown or deprecated provider macros. When you add a new include, lookup impact is previewed instantly.

Search and education features explain what each include authorizes in plain language for stakeholders who do not read RFCs.

Recommended next step

See how this applies to your domain before you change DNS.

Analyze my domain

Related articles

SPF Basics

What is an SPF Record?

An SPF record is a DNS TXT entry that lists which mail servers are allowed to send email on behalf of your domain.

Beginner 6 min read

DNS

Nested SPF Includes

Nested includes occur when an SPF include points to another policy that contains additional includes, multiplying DNS lookup cost.

Intermediate 7 min read

Providers

SPF Email Providers

Email providers publish SPF include hostnames or IP ranges that you must add to your domain policy to authorize their outbound mail.

Beginner 6 min read

Microsoft 365

Microsoft 365 SPF Setup

Microsoft 365 requires include:spf.protection.outlook.com in your SPF record to authorize Exchange Online outbound mail.

Beginner 6 min read