What is the difference?
there's a very thorough write up here that explains many of the nuances and potential pitfalls. – Eaten by a Grue May 12 '20 at 14:39
3 Answers
Pretty much what it says on the tin.
In the first case, domain2's SPF record is included in the SPF record for domain1, but can still be modified, e.g. by adding another A host that isn't permitted for domain2.com:
"v=spf1 include:domain2.com a:othermailhost.domain1.com -all"
In the second case, domain2's SPF record is used as the complete SPF record for domain1, and no further modifications are possible.
"v=spf1 redirect=domain2.com"
include: is also handy if the SPF record is too big for one record. You can create a TXT record on spf1.domain1.com and spf2.domain1.com with the SPF split into two and include both in the TXT record for domain1.com. Of course if this is required, the outgoing mail setup is probably a bit nuts! – Niall Donegan Jan 05 '11 at 17:18
Good point! I would edit it into my answer, but that seems faintly naff. – MadHatter Jan 05 '11 at 17:43
@NiallDonegan Welcome to the world of ugly hacks. :/ If you had that many IPs to check, you should possibly put them all in the A records of a _mailhosts domain, which you can then reference from the SPF record. – Bachsau Aug 17 '20 at 16:32
include:<domain> means: Copy the SPF record of <domain> to the position, where the include is found.
So if your SPF record is a b c include:x d e f and the SPF record of x is 1 2 3, then the resulting SPF record is a b c 1 2 3 d e f.
redirect=<domain> means: After processing all entries of the existing SPF record and there was no match, continue by evaluating the SPF record of <domain>.
So if your SPF record is a b c redirect=x d e f and the SPF record of x is 1 2 3, then first a b c d e f are checked and if none of those matched, the processing continues at x and now 1 2 3 are checked.
Note that this means that if you have an all term in your SPF record, the redirect is ignored as the all entry will always match! That's literally what the RFC is saying:
Any "redirect" modifier (Section 6.1) MUST be ignored when there is an "all" mechanism in the record, regardless of the relative ordering of the terms.
Also note that you cannot have multiple redirect entries, as once the first redirect is performed, processing will never return back to your record, it may only follow another redirect found within the record of the domain you redirected to. But you can, of course, have multiple include in your record.
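How an RFC 7208 evaluator walks include and redirect, as an added example (not code from any answer on this page): a minimal checker that handles only ip4, all, include and redirect. The record set, the .example domains and the IP addresses are constructed, and the depth guard is a simplification of the RFC's lookup limit.

```python
import ipaddress

# Constructed TXT records standing in for DNS lookups (sample domains and IPs).
RECORDS = {
    "domain1.example": "v=spf1 include:domain2.example ip4:198.51.100.7 -all",
    "domain2.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "alias.example": "v=spf1 redirect=domain2.example",
    "both.example": "v=spf1 redirect=domain2.example ip4:203.0.113.9 ~all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(ip, domain, records=RECORDS, depth=0):
    """Return the SPF result for ip against domain (ip4, all, include, redirect only)."""
    if depth > 10:  # simplified stand-in for RFC 7208's limit of 10 DNS-querying terms
        return "permerror"
    record = records.get(domain, "")
    if record.split()[:1] != ["v=spf1"]:
        return "none"
    redirect = None
    for term in record.split()[1:]:
        if "=" in term:  # modifier: remembered, never evaluated in sequence
            name, value = term.split("=", 1)
            if name == "redirect":
                redirect = value
            continue
        result = QUALIFIERS.get(term[0])
        mech = term[1:] if result else term
        result = result or "pass"  # no qualifier means "+"
        if mech == "all":
            return result  # always matches, so a redirect is never reached
        if mech.startswith("ip4:"):
            if ipaddress.ip_address(ip) in ipaddress.ip_network(mech[4:], strict=False):
                return result
        elif mech.startswith("include:"):
            inner = check_host(ip, mech[8:], records, depth + 1)
            if inner == "pass":
                return result  # include matches only when the inner check passes
            if inner in ("none", "permerror"):
                return "permerror"
            # inner fail/softfail/neutral: no match, keep evaluating this record
    if redirect:  # no mechanism matched: the target's result becomes ours
        result = check_host(ip, redirect, records, depth + 1)
        return "permerror" if result == "none" else result
    return "neutral"
```

In the constructed data, 198.51.100.7 fails inside domain2.example but still passes for domain1.example through the later ip4 term, while the same kind of miss under alias.example ends in domain2.example's own -all.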
Here is a short summary with examples. include is used when your mail is hosted on other servers, e.g. G Suite, Zoho or other email providers. The format is "v=spf1 include:serverdomain.com include:_spf.google.com ~all"
and redirect is used to redirect your mail from the main server to another domain server, e.g. "v=spf1 redirect=_spf.mailhostbox.com"
You can also use the best method to cover all types of configuration:
"v=spf1 +a +mx +ip4:192.168.1.2 ~all", where +a indicates the A record of your domain, +mx covers the MX record and IP covers the IP address of your server (note: replace with your server's IP).
All of your examples don’t help explain the exact technical difference, and your advice at the end is unsolicited and therefore distracting. If the accepted answer is lacking a bit of information, feel free to add a comment as soon as your site reputation allows. – Amir Jan 01 '19 at 12:22