Understanding the 'Include' Mechanism in SPF: A Comprehensive 2026 Guide

February 27, 2026
5 min read
SPF Record Checker
Understanding the 'Include' Mechanism in SPF: A Comprehensive 2026 Guide

How does the SPF 'Include' mechanism actually work?

The 'include' mechanism is a DNS directive that tells a receiving mail server to point its search to another domain's SPF record. It essentially delegates authorization, allowing one domain to inherit the "vouching" power of another, which is critical for using services like Google Workspace or Microsoft 365.

In the architecture of Sender Policy Framework (SPF), the include mechanism acts as a recursive pointer. When a mail server encounters an include, it pauses the current evaluation and triggers a new DNS query for the specified domain. If the included domain’s SPF record yields a "Pass," the original evaluation also results in a pass (unless further mechanisms dictate otherwise). This process is fundamental for nested records and auth domains.

💡 Pro Tip: The 10-Lookup Limit

As of 2026, RFC 7208 compliance remains strict: your SPF record cannot exceed 10 recursive DNS lookups. Every include, a, and mx mechanism counts toward this. If you use multiple SaaS tools (Salesforce, Zendesk, Mailchimp), you are likely hovering near this limit. Always use an SPF record analyzer to flatten your records if you exceed this threshold.

What is the difference between include and a?

While both mechanisms authorize IP addresses, 'A' points directly to a specific host's IP address, whereas 'Include' points to an entire domain's SPF policy. Understanding this distinction is the key to preventing "PermError" results during high-volume mail delivery.

Granular Control vs. Delegated Authority

The a mechanism is explicit. It asks the DNS: "What is the IP for this specific host?" In contrast, include asks: "Who does this other domain trust?" Using include is best practice for third-party senders because if the provider (like SendGrid) changes their IP range, they update their own SPF record, and your record automatically stays current without manual intervention.

Feature A Mechanism Include Mechanism
Lookup Cost 1 DNS Query 1 + Nested Queries
Maintenance High (Manual) Low (Automatic)
Use Case Own Web Server SaaS/Email Vendors

💡 Expert Perspective: Recursive Bloat

Recent industry data from the IETF suggests that nearly 15% of enterprise SPF records are currently broken due to recursive lookup bloat. When you include a domain that includes another domain, you are consuming your lookup budget exponentially. This is a common hurdle for students and IT admins alike.

How should you manage third-party includes safely?

Managing third-party includes requires a strategy of "minimalism and monitoring." By auditing which vendors are authorized to send on your behalf, you protect your domain's reputation and ensure high deliverability rates.

To maintain a "Premium-Grade" SPF posture in 2026, you must treat every include as a potential security vulnerability. If a third-party vendor’s DNS is compromised, an attacker could technically send "authorized" mail from your domain.

  • Audit Monthly: Remove includes for vendors you no longer use.
  • Check for "SoftFail": Use ~all during transitions to avoid hard bounces.
  • Subdomain Segmentation: Use different subdomains for marketing (e.g., em.domain.com) to keep your root SPF record clean.

💡 Pro Tip: Solving SPF DNS Lookup Limits

If you hit the limit, do not simply add another record. SPF does not support multiple TXT records for a single domain. Instead, look into solving SPF DNS lookup limits through "SPF Flattening"—a process that replaces hostnames with their IP equivalents.

Saving Hours: My Encounter with a Recursive Loop

Last month, I was consulting for a fintech startup that was seeing their critical transactional emails land in spam folders. They had a complex SPF record with five different includes. On the surface, it looked fine. However, after manually tracing the DNS tree for two hours, I was still stuck.

I decided to run their domain through the ToolCheckers SPF Checker. Within three seconds, the tool flagged a "PermError." It turned out that one of their third-party vendors had a nested include that pointed back to a dead domain, creating a recursive lookup failure that I had completely missed.

What would have taken another half-day of manual dig commands and spreadsheets was solved instantly. I was able to show the client the exact line of code causing the "Too many DNS lookups" error, delete the obsolete vendor, and restore their deliverability by lunch. This is why I always emphasize using professional-grade diagnostic tools over manual inspection.

Advanced Technical Q&A

Q: Does the 'include' mechanism check the 'all' mechanism of the included record?

No. When an SPF record is evaluated via include, the -all or ~all at the end of the included record is ignored. Only a "Pass" result from the included record is communicated back to the main record.

Q: How can I identify nested records that are hidden within my includes?

You must use a tool that performs recursive expansion. A standard DNS lookup only shows the top level. Premium analyzers visualize the entire tree, showing you exactly which vendor is bringing in sub-includes.

Q: What happens if an included domain has a syntax error?

If the included domain’s record is malformed, the entire SPF evaluation for your domain may result in a "PermError" (Permanent Error), causing many mail servers to reject your email entirely.

Q: Is there a limit to the depth of recursive lookups?

Yes, the RFC 7208 standard limits the total number of DNS lookups to 10. This includes the initial lookup and all subsequent lookups triggered by include, a, mx, ptr, and exists.

Q: Can I use an IP address in an 'include' statement?

No. The include mechanism is specifically designed for domain names. If you have a list of IP addresses, you should use the ip4 or ip6 mechanisms, which do not count toward the DNS lookup limit.

Q: What is the risk of using 'include' for an inactive domain?

This is a major security flaw. If the domain expires, an attacker can register it, create their own SPF record, and instantly become an authorized sender for your domain.

Q: Does 'include' work with macros in 2026?

Yes, SPF macros (like %{i}) can be used within includes for advanced dynamic filtering, though support varies among receiving mail transfer agents (MTAs).

Q: Should I include my own domain within its own SPF record?

Absolutely not. This creates a circular reference/infinite loop, which will immediately trigger a "PermError" and fail SPF validation.

For more technical insights on DNS health, visit the ICANN or DMARCLY resource centers.

Ramal Jayaratne

Ramal Jayaratne

Lead Developer & System Architect

Lead Developer at ToolCheckers, specializing in Python, Django, and System Architecture. With over a decade of experience, Ramal is dedicated to building transparent, high-performance developer tools.

View Full Profile

Enjoyed this post?

Explore more tools and resources to help you build better products.

Explore All Tools