For example:<\/p>\n\n\n\n
v=spf1 include:spf.protection.outlook.com include:_spf.google.com ~all<\/p>\n\n\n\n
In this case, the domain owner authorizes Microsoft 365 and Google Workspace to send email on behalf of the domain by referencing their SPF records directly.<\/p>\n\n\n\n
If the sending IP address matches the SPF policy published by the included domain, the include evaluation returns a pass result. If no match is found, SPF evaluation continues with the remaining mechanisms in the record.<\/p>\n\n\n\n
The include: mechanism does not copy or merge another SPF record into the current one. Instead, it instructs the receiving mail server to recursively evaluate the referenced SPF policy during authentication.<\/p>\n\n\n\n
How the SPF Include Mechanism Works Step by Step<\/h2>\n\n\n\n
When a receiving mail server processes an SPF record, it evaluates every mechanism in sequence to determine whether the sending IP address is authorized to send mail for the domain. If the record contains one or more include: statements, the server must recursively query additional SPF records as part of the evaluation process. This lookup chain continues until SPF returns a final authentication result or reaches the lookup limit defined in RFC 7208.<\/p>\n\n\n
![\"How](\"https:\/\/easydmarc.com\/blog\/wp-content\/uploads\/2026\/06\/infographic_1-1-576x1024.jpeg\")
<\/figure>\n<\/div>\n\n\n1. A receiving mail server initiates an SPF check<\/h3>\n\n\n\n
When an email message is received, the destination mail server starts SPF evaluation by retrieving the sender domain\u2019s SPF record from DNS.<\/p>\n\n\n\n
For example:<\/p>\n\n\n\n
v=spf1 include:_spf.examplevendor.com ip4:192.0.2.10 ~all<\/p>\n\n\n\n
The server evaluates each mechanism in sequence to determine whether the sending IP address is authorized to send mail for the domain.<\/p>\n\n\n\n
2. The server encounters an include: mechanism<\/h3>\n\n\n\n
When the SPF evaluator reaches an include: statement, it performs an additional lookup against the referenced domain\u2019s SPF record.<\/p>\n\n\n\n
For example:<\/p>\n\n\n\n
include:_spf.examplevendor.com<\/p>\n\n\n\n
This tells the receiving server to retrieve and evaluate the SPF policy published by _spf.examplevendor.com.<\/p>\n\n\n\n
3. The referenced SPF record is evaluated<\/h3>\n\n\n\n
The receiving server checks whether the sending IP address matches any authorized mechanism inside the included SPF record.<\/p>\n\n\n\n
Example referenced record:<\/p>\n\n\n\n
v=spf1 ip4:198.51.100.0\/24 include:_spf.mailprovider.net -all<\/p>\n\n\n\n
If the sending IP matches one of the authorized ranges or mechanisms, the include evaluation returns a pass.<\/p>\n\n\n\n
If the sending IP does not match, SPF processing continues with the remaining mechanisms in the original SPF record.<\/p>\n\n\n\n
4. Nested include: statements trigger additional lookups<\/h3>\n\n\n\n
Included SPF records can contain their own include: mechanisms. This creates a recursive DNS lookup chain during SPF evaluation.<\/p>\n\n\n\n
Example:<\/p>\n\n\n\n
v=spf1 include:_spf.vendor-a.com include:_spf.vendor-b.com ~all<\/p>\n\n\n\n
If either referenced record contains additional nested includes, the receiving server must continue querying those domains as part of SPF processing.<\/p>\n\n\n\n
Each include: mechanism counts toward the SPF DNS lookup limit defined in RFC 7208.<\/p>\n\n\n\n
5. SPF evaluation stops after a final result<\/h3>\n\n\n\n
SPF evaluation ends when a mechanism produces a final result or when processing returns an error, such as PermError.<\/p>\n\n\n
![\"free](\"https:\/\/easydmarc.com\/blog\/wp-content\/uploads\/2026\/03\/Frame-1686560626-1-1024x257.jpg\")
<\/a><\/figure>\n<\/div>\n\n\nWhen to Use Include in an SPF Record<\/h2>\n\n\n\n
Organizations use the include: mechanism when multiple third-party platforms send email on behalf of the same domain. This commonly includes email marketing providers, CRMs, customer support platforms, ticketing systems, cloud communication services, and internal business applications.<\/p>\n\n\n\n
Instead of manually maintaining large lists of IP addresses, administrators can reference the SPF policies published by those providers directly within their own SPF record. This allows authorized sending infrastructure to stay aligned with the provider\u2019s published SPF configuration as their infrastructure changes over time.<\/p>\n\n\n\n
A typical enterprise SPF record may include several authorized sending sources simultaneously:<\/p>\n\n\n\n
v=spf1 include:_spf.google.com include:spf.protection.outlook.com include:servers.mcsv.net ~all<\/p>\n\n\n\n
In multi-sender environments, SPF configuration becomes an operational governance task rather than a one-time DNS update. Each additional sender increases SPF evaluation complexity and contributes to the total DNS lookup count.<\/p>\n\n\n\n
Before adding a new include: statement, administrators should review the existing SPF record structure, nested lookup depth, and overall lookup usage to avoid authentication failures caused by exceeding SPF processing limits.<\/p>\n\n\n\n
Platforms such as EasyDMARC help surface observed sending sources from aggregate DMARC reporting data, so administrators can compare active mail sources against their SPF configuration.<\/p>\n\n\n\n
SPF Record Multiple Include: Managing More Than One Sending Source<\/h2>\n\n\n\n![\"mechanisms](\"https:\/\/easydmarc.com\/blog\/wp-content\/uploads\/2026\/06\/infographic_2-1-1-1024x683.jpeg\")
<\/figure>\n<\/div>\n\n\nMost enterprise SPF records contain multiple include: statements because organizations rely on several platforms to send email from the same domain. Marketing automation systems, cloud email providers, customer support platforms, and transactional email services often all require SPF authorization simultaneously.<\/p>\n\n\n\n
Example:<\/p>\n\n\n\n
v=spf1 include:_spf.google.com include:spf.protection.outlook.com include:servers.mcsv.net include:sendgrid.net ~all<\/p>\n\n\n\n
Each include: is a mechanism that triggers at least one DNS lookup during SPF evaluation. In many cases, SPF records include additional nested includes, redirects, or DNS-resolving mechanisms that increase the total lookup count further.<\/p>\n\n\n\n
RFC 7208 enforces a hard limit of 10 DNS-resolving mechanisms during SPF processing. This includes:<\/p>\n\n\n\n
\n- include<\/li>\n\n\n\n
- a<\/li>\n\n\n\n
- mx<\/li>\n\n\n\n
- ptr<\/li>\n\n\n\n
- exists<\/li>\n\n\n\n
- redirect<\/li>\n<\/ul>\n\n\n\n
If SPF evaluation exceeds this limit, the receiving mail server returns a PermError result. Depending on the recipient infrastructure and mail policy enforcement, legitimate email may fail SPF authentication as a result.<\/p>\n\n\n\n
This is not an uncommon edge case in modern email environments. Organizations frequently accumulate additional sending services over time without restructuring existing SPF policies, which can create deeply nested SPF lookup chains.<\/p>\n\n\n\n
Administrators managing complex SPF records should regularly audit all active sending sources, remove unused include chains, and validate lookup depth before onboarding additional email platforms.<\/p>\n\n\n
\n![\"Need](\"https:\/\/easydmarc.com\/blog\/wp-content\/uploads\/2026\/05\/Frame-1686560624-1024x256.jpg\")
<\/a><\/figure>\n<\/div>\n\n\nSPF PermError and the Invalid include: Mechanism Warning<\/h2>\n\n\n\n
In SPF evaluation, a PermError indicates that the receiving mail server encountered a permanent error while processing the SPF record. One common example is an SPF PermError<\/a> triggered by an invalid or unresolvable include: mechanism.<\/p>\n\n\n\nThis error typically appears when an include: statement references a domain that:<\/p>\n\n\n\n
\n- does not exist<\/li>\n\n\n\n
- has no valid SPF record<\/li>\n\n\n\n
- contains invalid SPF syntax<\/li>\n\n\n\n
- publishes a malformed SPF policy<\/li>\n<\/ul>\n\n\n\n
Example:<\/p>\n\n\n\n
v=spf1 include:invalid-domain.example ~all<\/p>\n\n\n\n
In this scenario, the receiving server cannot successfully evaluate the referenced SPF policy, which causes SPF processing to return a permanent error.<\/p>\n\n\n\n
This issue is different from the PermError triggered by exceeding the 10 DNS lookup limit. The lookup-limit error occurs during SPF recursion depth evaluation, while this type of PermError is usually tied to invalid SPF syntax or broken include targets.<\/p>\n\n\n\n
Before publishing SPF changes, administrators should validate every referenced include: domain to confirm that the target SPF record exists and can be resolved correctly.<\/p>\n\n\n\n
Using an SPF checker helps identify invalid include chains, syntax issues, and SPF evaluation errors before deployment.<\/p>\n\n\n\n
How EasyDMARC Helps You Manage SPF Include at Scale<\/h2>\n\n\n\n
Managing SPF includes chains across multiple business systems becomes increasingly difficult as organizations add new sending sources over time. Marketing platforms, internal applications, cloud email providers, and support tools can all contribute to SPF complexity and DNS lookup growth.<\/p>\n\n\n\n
EasyDMARC provides visibility into how these sending sources interact with SPF authentication policies. The platform analyzes aggregate DMARC reporting data to surface active sending services associated with a domain. Administrators can then compare observed sending sources against their SPF configuration to identify gaps or unauthorized senders.<\/p>\n\n\n\n
The dashboard displays observed sending sources and SPF alignment results from aggregate DMARC report data.<\/p>\n\n\n\n
EasyDMARC also provides tools that support SPF configuration review and validation workflows:<\/p>\n\n\n\n
\n- SPF Lookup<\/a> helps validate SPF records, inspect include chains, and identify syntax or lookup-related issues.<\/li>\n\n\n\n
- SPF Record Generator<\/a> helps administrators build and structure SPF records for multiple authorized sending sources.<\/li>\n<\/ul>\n\n\n\n
For organizations managing complex email ecosystems, the platform provides centralized reporting and configuration visibility that supports ongoing SPF governance and maintenance.<\/p>\n\n\n
<\/figure>\n<\/div>\n\n\nMost enterprise SPF records contain multiple include: statements because organizations rely on several platforms to send email from the same domain. Marketing automation systems, cloud email providers, customer support platforms, and transactional email services often all require SPF authorization simultaneously.<\/p>\n\n\n\n
Example:<\/p>\n\n\n\n
v=spf1 include:_spf.google.com include:spf.protection.outlook.com include:servers.mcsv.net include:sendgrid.net ~all<\/p>\n\n\n\n
Each include: is a mechanism that triggers at least one DNS lookup during SPF evaluation. In many cases, SPF records include additional nested includes, redirects, or DNS-resolving mechanisms that increase the total lookup count further.<\/p>\n\n\n\n
RFC 7208 enforces a hard limit of 10 DNS-resolving mechanisms during SPF processing. This includes:<\/p>\n\n\n\n
- \n
- include<\/li>\n\n\n\n
- a<\/li>\n\n\n\n
- mx<\/li>\n\n\n\n
- ptr<\/li>\n\n\n\n
- exists<\/li>\n\n\n\n
- redirect<\/li>\n<\/ul>\n\n\n\n
If SPF evaluation exceeds this limit, the receiving mail server returns a PermError result. Depending on the recipient infrastructure and mail policy enforcement, legitimate email may fail SPF authentication as a result.<\/p>\n\n\n\n
This is not an uncommon edge case in modern email environments. Organizations frequently accumulate additional sending services over time without restructuring existing SPF policies, which can create deeply nested SPF lookup chains.<\/p>\n\n\n\n
Administrators managing complex SPF records should regularly audit all active sending sources, remove unused include chains, and validate lookup depth before onboarding additional email platforms.<\/p>\n\n\n
\n<\/a><\/figure>\n<\/div>\n\n\nSPF PermError and the Invalid include: Mechanism Warning<\/h2>\n\n\n\n
In SPF evaluation, a PermError indicates that the receiving mail server encountered a permanent error while processing the SPF record. One common example is an SPF PermError<\/a> triggered by an invalid or unresolvable include: mechanism.<\/p>\n\n\n\n
This error typically appears when an include: statement references a domain that:<\/p>\n\n\n\n
- \n
- does not exist<\/li>\n\n\n\n
- has no valid SPF record<\/li>\n\n\n\n
- contains invalid SPF syntax<\/li>\n\n\n\n
- publishes a malformed SPF policy<\/li>\n<\/ul>\n\n\n\n
Example:<\/p>\n\n\n\n
v=spf1 include:invalid-domain.example ~all<\/p>\n\n\n\n
In this scenario, the receiving server cannot successfully evaluate the referenced SPF policy, which causes SPF processing to return a permanent error.<\/p>\n\n\n\n
This issue is different from the PermError triggered by exceeding the 10 DNS lookup limit. The lookup-limit error occurs during SPF recursion depth evaluation, while this type of PermError is usually tied to invalid SPF syntax or broken include targets.<\/p>\n\n\n\n
Before publishing SPF changes, administrators should validate every referenced include: domain to confirm that the target SPF record exists and can be resolved correctly.<\/p>\n\n\n\n
Using an SPF checker helps identify invalid include chains, syntax issues, and SPF evaluation errors before deployment.<\/p>\n\n\n\n
How EasyDMARC Helps You Manage SPF Include at Scale<\/h2>\n\n\n\n
Managing SPF includes chains across multiple business systems becomes increasingly difficult as organizations add new sending sources over time. Marketing platforms, internal applications, cloud email providers, and support tools can all contribute to SPF complexity and DNS lookup growth.<\/p>\n\n\n\n
EasyDMARC provides visibility into how these sending sources interact with SPF authentication policies. The platform analyzes aggregate DMARC reporting data to surface active sending services associated with a domain. Administrators can then compare observed sending sources against their SPF configuration to identify gaps or unauthorized senders.<\/p>\n\n\n\n
The dashboard displays observed sending sources and SPF alignment results from aggregate DMARC report data.<\/p>\n\n\n\n
EasyDMARC also provides tools that support SPF configuration review and validation workflows:<\/p>\n\n\n\n
- \n
- SPF Lookup<\/a> helps validate SPF records, inspect include chains, and identify syntax or lookup-related issues.<\/li>\n\n\n\n
- SPF Record Generator<\/a> helps administrators build and structure SPF records for multiple authorized sending sources.<\/li>\n<\/ul>\n\n\n\n
For organizations managing complex email ecosystems, the platform provides centralized reporting and configuration visibility that supports ongoing SPF governance and maintenance.<\/p>\n\n\n
- SPF Record Generator<\/a> helps administrators build and structure SPF records for multiple authorized sending sources.<\/li>\n<\/ul>\n\n\n\n
- SPF Lookup<\/a> helps validate SPF records, inspect include chains, and identify syntax or lookup-related issues.<\/li>\n\n\n\n
![\"Try](\"https:\/\/easydmarc.com\/blog\/wp-content\/uploads\/2026\/05\/Frame-1686560623-1-1-1024x257.jpg\")
<\/a><\/figure>\n<\/div>\n\n\n