22

I have read through the documentation but the difference is still not very clear to me.

My understanding is: 1) include: will allow the IPs listed for the specified domain, and also any additional domains listed in that domain's own SPF records

2) a: simply allows IPs listed for the specified domain

Is that correct?

loadbalanced
  • 221
  • 1
  • 2
  • 4
  • 1
    It's important to note that `include`d records do not cause back doors - if you have a `-all` default action but an included domain uses `?all`, it will not override your own setting. – Synchro Jun 06 '16 at 12:46

2 Answers

19

Another try at an answer for anyone else trying to put this together, and based on the syntax doc that OP is probably referring to, the open-spf.org "SPF Record Syntax" page.

Note: Previously this document lived at http://www.open-spf.org/SPF_Record_Syntax/, but that domain seems to have gone offline permanently in 2009. More details on the history and missing domain can be found here.

My answer is that yes, you seem to have it in mind.

  • a: Test the IP for a match in the A records for the domain.

  • include: Fetch the entire SPF record for the domain, evaluate IP against it, and if a PASS is found then that PASS becomes the result of the whole SPF test. If no PASS is found then it's not a fail, but your original/top-level SPF test continues (probably to the -all/~all/?all phase).

Reasons to use "a":

  • Because it's more predictable and straightforward.
  • Because you haven't set up SPF on the relevant domains.
  • Because you don't control those domains and the SPF isn't what you'd want (specifically if it's too lenient in accepting other servers that aren't in its A records).

Reasons to use "include":

  • Because you already trust the SPF of the domain.
  • Because the SPF of the domain is complex, and you want to have a single source of truth for don't-repeat-yourself reasons.

Happy to be corrected!

jerclarke
  • 1,219
  • 1
  • 13
  • 23
  • 1
    Remember, **a:** tests for a match in the A _or AAAA_ records – gog Apr 26 '19 at 11:38
  • If you host a lot of websites but don't necessarily host their DNS, using an `include:` allows you to make future changes to the SPF records without making direct DNS changes to the domains that include yours. – Aaron Cicali Jan 22 '20 at 20:25
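To make the `a:` versus `include:` distinction concrete, here is an added toy evaluator (example code written for this answer, not a real SPF library and not from any of the posters) that walks a constructed in-memory DNS table with hypothetical names. It shows the two points raised above: `a:` matches only the A or AAAA addresses of the named host, while `include:` matches only when the included record yields PASS, so an included `?all` never overrides the including domain's own `-all`.

```python
import ipaddress

# Constructed, offline stand-in for DNS (hypothetical names, RFC 5737/3849 addresses).
DNS = {
    "example.com":      {"TXT": "v=spf1 a:mail.example.com include:partner.example -all"},
    "mail.example.com": {"A": ["192.0.2.10"], "AAAA": ["2001:db8::10"]},
    "partner.example":  {"TXT": "v=spf1 ip4:198.51.100.0/24 ?all"},
    "broken.example":   {"TXT": "v=spf1 include:does-not-exist.example -all"},
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_host(ip, domain, depth=0):
    """Evaluate a subset of SPF (ip4/ip6/a/include/all) for ip against domain.
    Returns one of: pass, fail, softfail, neutral, none, permerror."""
    if depth > 10:                                   # RFC 7208 limits include nesting
        return "permerror"
    record = DNS.get(domain, {}).get("TXT", "")
    if not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qual = "+"                                   # default qualifier is "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):                 # version mismatch is simply no match
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":                            # A *or* AAAA of arg (default: this domain)
            target = DNS.get(arg or domain, {})
            hosts = target.get("A", []) + target.get("AAAA", [])
            matched = any(addr == ipaddress.ip_address(h) for h in hosts)
        elif mech == "include":
            sub = check_host(ip, arg, depth + 1)     # recursive check of the included domain
            if sub in ("none", "permerror"):
                return "permerror"                   # include of a missing record is fatal
            matched = (sub == "pass")                # only PASS matches; anything else moves on
        else:
            return "permerror"                       # mx/ptr/exists/redirect not modelled here
        if matched:
            return QUALIFIERS[qual]
    return "neutral"                                 # reached the end with no "all" term

if __name__ == "__main__":
    for ip, dom in [("2001:db8::10", "example.com"), ("198.51.100.7", "example.com"),
                    ("203.0.113.9", "example.com"), ("203.0.113.9", "partner.example")]:
        print(f"{ip:>14} vs {dom:<16} -> {check_host(ip, dom)}")
```

Querying `203.0.113.9` against `partner.example` alone gives neutral (its `?all`), but against `example.com` the include simply does not match and the top-level `-all` yields fail.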
7

1) include:other-domain.com just includes the SPF records from other-domain.com. If the SPF entries of other-domain.com allow some IPs (for example, if they have an ip4: or a: entry), then those IPs will also be allowed.

2) true

dr.scre
  • 2,287
  • 1
  • 22
  • 22