227

I am looking to set up a TXT SPF record that has 2 included domains... individually:

v=spf1 include:_spf.google.com ~all

and

v=spf1 include:otherdomain.com ~all

What is the proper way of combining them into a single item?

tgriesser

3 Answers

338

v=spf1 include:_spf.google.com include:otherdomain.com ~all

There's no restriction against including multiple names in a single entry; Hotmail, for instance, takes this to extremes. Note that multiple includes, or nested ones, need to stay under the limit of 10 total DNS lookups for the whole SPF check.

Shane Madden
  • 11
    [RFC 4408 §10.1](http://tools.ietf.org/html/rfc4408.html#section-10.1): *SPF implementations MUST limit the number of mechanisms and modifiers that do DNS lookups to at most 10 per SPF check, including any lookups caused by the use of the "include" mechanism or the "redirect" modifier.* – mr.spuratic Feb 26 '14 at 10:48
  • 2
    @mr.spuratic Good point - that was poor wording, as I was trying to say "you can do greater than one." Edited. – Shane Madden Feb 26 '14 at 17:49
  • 3
    Do you have to use the word include each time? Would this be a valid format? (minus the fake domain and internal address space) "v=spf1 include:www.domain.com ip4:10.10.10.0/24 ip4:10.10.100.0/24 a -all" I checked it against http://www.kitterman.com/spf/validate.html and it said it was valid. – k1DBLITZ Feb 03 '15 at 18:20
  • 3
    @k1DBLITZ Yes, that's valid - `include` is just for when you're using records from another domain. – Shane Madden Feb 03 '15 at 18:21
  • Can anyone tell me what this ?all means? Sometimes they have this sign ~all – Tanvir Apr 18 '18 at 12:15
  • `+all pass Allow all mail` `-all fail Only allow mail that matches one of the parameters (IPv4, MX, etc) in the record` `~all softfail Allow mail whether or not it matches the parameters in the record` `?all neutral No policy statement` – tvirelli May 18 '18 at 17:19
  • There is also [a limit of 255 characters](https://kb.isc.org/article/AA-00356/0/Can-I-have-a-TXT-or-SPF-record-longer-than-255-characters.html) for an SPF record. – Uwe Keim May 24 '18 at 13:32
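A sketch of the kind of check the answer and comments above call for, added here as an example and not taken from any poster: it merges SPF records into one, then counts lookup-causing terms against the 10-lookup limit and measures the result against the 255-character limit. The function names and the `ZONE` contents are assumptions; `ZONE` is constructed sample data standing in for live DNS, and include targets missing from it are counted but not followed.

```python
import re

LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS, MAX_STRING = 10, 255   # the two limits cited in the comments above
# Constructed sample data, not the real contents of these zones.
ZONE = {
    "_spf.google.com": "v=spf1 include:_nb1.example.net include:_nb2.example.net ~all",
    "_nb1.example.net": "v=spf1 ip4:192.0.2.0/25 ~all",
    "_nb2.example.net": "v=spf1 ip4:198.51.100.0/24 ~all",
    "otherdomain.com": "v=spf1 a mx ip4:203.0.113.0/24 ~all",
}

def terms(record):
    version, *rest = record.split()   # an empty string raises ValueError here
    if version.lower() != "v=spf1":
        raise ValueError("not an SPF record: %r" % record)
    return rest

def term_name(term):   # "~include:x" -> "include", "a/24" -> "a"
    return re.split(r"[:=/]", term.lstrip("+-~?"), maxsplit=1)[0].lower()

def merge_spf(records):   # unique terms first, a single "all" term last
    merged, final_all = [], None
    for rec in records:
        for t in terms(rec):
            if term_name(t) == "all":
                final_all = final_all or t   # keep the first record's policy
            elif t not in merged:
                merged.append(t)
    return " ".join(["v=spf1"] + merged + ([final_all] if final_all else []))

def count_lookups(record, zone, seen=frozenset()):
    # Every lookup-causing term costs 1; include/redirect also cost their target's terms.
    total = 0
    for t in terms(record):
        name = term_name(t)
        if name in LOOKUP_TERMS:
            total += 1
        if name in ("include", "redirect"):
            target = re.split(r"[:=]", t, maxsplit=1)[1].lower()
            if target in seen:
                raise ValueError("include loop at " + target)
            if target in zone:
                total += count_lookups(zone[target], zone, seen | {target})
    return total

def check(record, zone):
    """Return (lookup count, record length, True if both limits are respected)."""
    n = count_lookups(record, zone)
    return n, len(record), n <= MAX_LOOKUPS and len(record) <= MAX_STRING
```
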
0

You can do this with spacing but use a tool to verify the 10 DNS lookup limit has not been breached. You cannot have multiple SPF records either so you may need to be brutal with the shortlist.

As an aside, you do not need a:foo.com if you have include:foo.com in the same string. If this is a fallacious remark, please comment below.

mckenzm
-1

It looks like you can merge both together into one entry. Lenovo.com appears to be an example of this:

v=spf1 include:spf.messagelabs.com include:_netblocks.eloqua.com ~all
JorgeM
user48838