SPF Include Mechanism: How It Works and When to Use It
Learn how the SPF include mechanism works, how to use multiple includes in one record, and how each include affects your DNS lookup count.
Last updated: 2026-04-21
If you've looked at an SPF record, you've probably seen the word include in it. The include mechanism is the most common way businesses authorize email services like Google Workspace, Mailchimp, or SendGrid to send email on their behalf. But how does it actually work, and what do you need to know to use it correctly?
This guide breaks down the SPF include mechanism in plain language — what it does, how to use multiple includes, and the pitfalls to avoid. For a broader overview that covers all SPF mechanisms, see our complete SPF guide.
What the Include Mechanism Does
The include mechanism tells receiving mail servers: "Go check this other domain's SPF record too. If the sending server is authorized there, it's authorized for us."
Think of it like a reference. Instead of listing every individual server IP address that Google or Mailchimp uses, you point to their SPF record and say, "Whatever they say is approved, we approve too."
Here's the basic syntax:
v=spf1 include:_spf.google.com ~all
In this example, include:_spf.google.com tells receiving servers to look up the SPF record published at _spf.google.com and evaluate it. If the sending server's IP address matches something in Google's SPF record, the email passes SPF for your domain.
Include is not inheritance
Per RFC 7208, the include mechanism doesn't copy the other domain's SPF record into yours. It triggers a separate DNS lookup and evaluation. If the included record returns a "pass," your record treats it as authorized. If it returns "fail" or "softfail," evaluation continues with the next mechanism in your record.
How Recursive Evaluation Works
When a receiving server processes your SPF record and hits an include, here's what happens step by step:
Server reads your SPF record
The receiving server looks up your domain's SPF record and starts evaluating mechanisms from left to right.
Server encounters the include
When it reaches include:_spf.google.com, it pauses evaluation of your record and performs a new DNS lookup.
Server evaluates the included record
It retrieves the SPF record at _spf.google.com and checks if the sending IP matches any mechanism there. That record may itself contain more includes — each one triggers another lookup.
Result flows back
If the included record returns "pass," your SPF check passes. If it doesn't match, evaluation continues with the next mechanism in your original record.
This recursive process is powerful, but it has an important limitation: every lookup counts toward the 10 DNS lookup limit specified in RFC 7208, Section 4.6.4.
Using Multiple Includes
Most businesses use more than one email service, so you'll need multiple includes in a single SPF record. The syntax is straightforward — just list them one after another:
v=spf1 include:_spf.google.com include:sendgrid.net include:spf.brevo.com ~all
A few rules to remember:
- Order doesn't matter. The server evaluates mechanisms left to right, but the final result is the same regardless of order.
- Keep
v=spf1at the start and theallqualifier at the end. - Never create multiple SPF records. All includes must be in a single TXT record starting with
v=spf1. Having two SPF records causes a PermError.
Common Include Values for Popular Services
Every email service provider publishes their own SPF record that you reference with an include. Here are the correct include values for the most widely used services:
| Service | Include Value | Typical DNS Lookups |
|---|---|---|
| Google Workspace | include:_spf.google.com | 3-4 |
| Microsoft 365 | include:spf.protection.outlook.com | 2-3 |
| SendGrid | include:sendgrid.net | 1-2 |
| Mailchimp (Mandrill) | include:spf.mandrillapp.com | 1-2 |
| Brevo (Sendinblue) | include:spf.brevo.com | 1-2 |
| Amazon SES | include:amazonses.com | 1 |
| HubSpot | include:spf.protection.outlook.com* | 1-2 |
| Salesforce | include:_spf.salesforce.com | 2-3 |
| Zendesk | include:mail.zendesk.com | 1-2 |
*HubSpot's SPF setup depends on whether you use shared or dedicated IPs. Check their current documentation for the exact value.
Each Include Costs DNS Lookups
This is the most important thing to understand about includes: each one costs at least one DNS lookup, and nested includes add more.
When you add include:_spf.google.com, that's one lookup for your record. But Google's SPF record contains additional includes like _netblocks.google.com, _netblocks2.google.com, and _netblocks3.google.com. Each of those is another lookup. So one Google include costs you roughly 3-4 lookups out of your 10-lookup budget.
If you're using three or four email services, those nested lookups add up fast. A record like this:
v=spf1 include:_spf.google.com include:sendgrid.net include:spf.mandrillapp.com include:_spf.salesforce.com ~all
Could easily consume 8-10 lookups, leaving you right at the limit.
Use the checker tool above to see your exact lookup count. If you're approaching the limit, read our guide on the SPF 10 DNS lookup limit for solutions.
When NOT to Use Include
While include is the most common mechanism, it's not always the best choice. There are situations where using ip4 or ip6 mechanisms makes more sense.
Use ip4/ip6 instead of include when:
- You're running out of DNS lookups and need to reduce your count
- The sending service uses a small, stable set of IP addresses
- You operate your own mail server with a known IP address
For example, if you run an on-premise mail server at a fixed IP, using ip4 is simpler and doesn't cost a lookup:
v=spf1 ip4:203.0.113.10 include:_spf.google.com ~all
The ip4 and ip6 mechanisms don't require DNS lookups, so they don't count toward the 10-lookup limit.
Stick with include when:
- The provider manages a large or changing set of IP addresses
- The provider recommends using include in their documentation
For most third-party email services, include is the right choice. The provider maintains their SPF record, and yours stays current automatically.
Troubleshooting Include Issues
"Include domain has no SPF record" — The domain in your include doesn't publish an SPF record. Double-check spelling — even a small typo like spf.google.com instead of _spf.google.com will cause this.
PermError from too many lookups — You've exceeded the 10-lookup limit. Use the checker above to count your lookups and optimize if needed. SPF flattening can help reduce your lookup count.
Emails still failing SPF — Check that you're sending from the right domain. SPF is checked against the envelope sender (Return-Path), not the From header. Some services require you to configure the sending domain in their dashboard.
Building Your SPF Record
If you need to set up or rebuild your record: list all services that send email for your domain, find each service's include value, combine them into a single record (v=spf1 include:... include:... ~all), verify your total lookups are 10 or fewer, and publish as a TXT record. SPF Creator can generate the correct syntax. And don't forget DKIM and DMARC for complete authentication.
References
- RFC 7208: Sender Policy Framework (SPF) — The current SPF specification, including
includemechanism behavior - RFC 7208, Section 4.6.4: DNS Lookup Limits — The 10 DNS lookup limit
Monitor Your SPF Records
Checking once is good. Monitoring continuously is better. The Email Deliverability Suite watches your SPF, DKIM, DMARC, and MX records daily and alerts you when something breaks.
Never miss an SPF issue
Monitor your SPF, DKIM, DMARC and MX records daily. Get alerts when something breaks.
Start Monitoring