What are the best practices and considerations for using SPF record redirects?

Summary

SPF redirects offer simplified SPF record management by delegating authority to another domain, aiding in scenarios with shared sending infrastructure and easing administrative burdens. However, the 10 DNS lookup limit, to which redirects contribute, is a critical concern, potentially leading to authentication failures if exceeded. Documentation and experts advise caution, stressing the importance of valid and up-to-date SPF records on the redirected domain, minimizing chained redirects, and using 'include' when appropriate. Proper initial configuration, regular audits, and monitoring of SPF authentication results are essential. It's also highlighted that 'redirect' differs from 'include' and 'CNAME,' influencing SPF resolution differently, and that redirect targets should be controlled domains with carefully configured SPF records. Combining SPF with DKIM is also recommended for optimal email deliverability.

Key findings

  • Simplified Management: SPF redirects simplify management by delegating SPF records.
  • DNS Lookup Limit: Redirects count towards the 10 DNS lookup limit, causing potential authentication issues.
  • Target Domain Importance: A valid SPF record on the redirected domain is critical.
  • Redirection Differences: 'Redirect' differs significantly from 'include' and 'CNAME'.

Key considerations

  • Target Domain Validation: Ensure the redirected domain has a valid SPF record.
  • Minimize Chaining: Reduce chained redirects to avoid the DNS lookup limit.
  • Include vs. Redirect: Consider using 'include' over 'redirect' where applicable.
  • Limit Awareness: Be mindful of the 10 DNS lookup limit.
  • Regular Monitoring: Regularly monitor SPF authentication results.
  • DMARC: Combine SPF with DKIM for strong deliverability and DMARC compliance.
  • Controlled Domains: Only redirect to domains you control.
  • Proper Syntax: Ensure your SPF syntax is valid.

What email marketers say
12 Marketer opinions

SPF redirects can simplify SPF record management by delegating it to another domain, especially useful when multiple domains share infrastructure. However, they introduce complexity and potential deliverability issues. A key concern is the DNS lookup limit of 10, which redirects contribute to. Best practices include ensuring the redirected domain has a valid and up-to-date SPF record, minimizing chained redirects, and using 'include' instead when appropriate. Monitoring SPF authentication results after implementing redirects is crucial. Proper initial setup and regular auditing of SPF records are recommended for maintaining optimal deliverability.

Key opinions

  • Management Simplification: SPF redirects allow for easier management of SPF records when multiple domains use the same mail servers.
  • DNS Lookup Limit: SPF redirects count towards the 10 DNS lookup limit, which can cause authentication failures if exceeded.
  • Authentication Delegation: SPF redirects delegate SPF evaluation to another domain.
  • Deliverability Impact: Misconfigured SPF records, particularly with redirects, can negatively impact email deliverability.

Key considerations

  • Valid Redirect Target: Ensure the redirected domain has a valid and up-to-date SPF record.
  • Minimize Chaining: Minimize chained SPF redirects to avoid exceeding the DNS lookup limit.
  • Use 'Include' When Possible: Consider using 'include' instead of 'redirect' when incorporating other domains' SPF records.
  • Monitor Results: Monitor SPF authentication results regularly after implementing redirects.
  • DNS Lookup Count: Keep the total DNS lookup count, including SPF redirects, within the limit of 10 so that evaluation does not fail.
  • Control of Domain: Ensure you control the redirected domain and can manage its SPF record.
  • DMARC Compliance: Ensure SPF and DKIM are properly aligned for DMARC to assist with deliverability.
Marketer view

Email marketer from EasyDMARC shares that SPF redirects, using the 'redirect=' mechanism, allow a domain to delegate its SPF record to another domain. This is useful when multiple domains use the same mail servers. However, EasyDMARC recommends being cautious as excessive redirects can cause SPF validation to fail due to DNS lookup limits. They advise monitoring SPF authentication results after implementing redirects.

November 2021 - EasyDMARC
Marketer view

Email marketer from Sendinblue highlights that both SPF and DKIM are crucial for email authentication and deliverability. They recommend implementing both SPF and DKIM, and monitoring their performance regularly. SPF records should be checked for accuracy and compliance with best practices, including avoiding excessive includes and redirects.

April 2023 - Sendinblue
Marketer view

Email marketer from Email Geeks explains that the reason for using a redirect (or include) in an SPF record instead of listing all the IPs is likely due to the administrator wanting to maintain only one record instead of two for easier management, regardless of how frequently the list changes.

July 2023 - Email Geeks
Marketer view

Email marketer from Mailhardener states that setting up SPF correctly from the beginning can save a lot of deliverability headaches in the future. They recommend starting simple, validating and testing the SPF records, and only adding complexity (such as includes and redirects) when absolutely necessary. Always consider the potential impact on DNS lookup limits.

April 2023 - Mailhardener
Marketer view

Email marketer from dmarcian reiterates the importance of understanding the 10 DNS lookup limit in SPF, including lookups caused by redirects. They suggest regularly auditing SPF records to remove unnecessary includes and redirects, optimizing the records to stay within the lookup limit. This helps prevent SPF failures and improves email deliverability.

July 2021 - dmarcian
Marketer view

Email marketer from EmailOnAcid notes that chaining multiple SPF redirects can quickly exhaust the DNS lookup limit, leading to SPF failures. They recommend minimizing the use of redirects and instead consolidating IP addresses and domains into a single SPF record whenever possible. They also suggest using SPF record testing tools to identify potential issues.

December 2022 - EmailOnAcid
Marketer view

Email marketer from MXToolbox explains that SPF redirects should only point to domains that you control and that have correctly configured SPF records. Redirecting to third-party domains you don't control can pose a security risk and may lead to authentication failures if their SPF records are misconfigured.

May 2024 - MXToolbox
Marketer view

Email marketer from Email Geeks shares that a negative aspect of using SPF redirects is that they count towards the SPF DNS lookup count.

July 2021 - Email Geeks
Marketer view

Email marketer from Reddit shares that while SPF redirects are convenient, they can introduce complexity and potential issues with DNS lookup limits. He suggests carefully planning and testing SPF records with redirects to avoid deliverability problems. It's also a good idea to regularly review the SPF records of redirected domains to ensure they remain valid.

June 2024 - Reddit
Marketer view

Email marketer from Stackoverflow notes that SPF redirects can simplify SPF record management when multiple domains share the same sending infrastructure. However, it is critical to ensure that the redirected domain has a valid and up-to-date SPF record. Failure to do so can result in SPF failures and negatively impact email deliverability.

March 2024 - Stackoverflow
Marketer view

Email marketer from Postmark explains that understanding SPF is essential for good email deliverability. SPF records, especially with redirects, need to be carefully configured and monitored. If an SPF record is not set up correctly, ISPs may flag your emails as spam or reject them outright. Always validate changes and monitor your deliverability.

February 2022 - Postmark
Marketer view

Email marketer from AuthSMTP explains that while both 'include' and 'redirect' are used in SPF records, 'include' is generally preferred for incorporating other domains' SPF records. 'Redirect' should be used when the entire SPF record is delegated to another domain, which is less common. They recommend using 'include' for most cases where external domains need to be authorized.

January 2023 - AuthSMTP

What the experts say
4 Expert opinions

Experts agree that SPF record redirects offer a flexible and appropriate alternative to CNAME records for managing outbound mail IPs without interfering with other domain records. However, they emphasize that 'redirect' is distinct from 'include' and 'CNAME', affecting the SPF resolver's internal state differently. A critical consideration is that redirects count towards the SPF DNS lookup limit of 10, necessitating careful planning to avoid authentication failures.

Key opinions

  • Alternative to CNAME: SPF redirects provide a flexible alternative to CNAME records for managing outbound mail IPs.
  • Distinct from Include/CNAME: 'Redirect' operates differently from 'include' and 'CNAME' in terms of SPF resolution.
  • DNS Lookup Count: SPF redirects contribute to the total DNS lookup count, which has a limit of 10.

Key considerations

  • DNS Limit Awareness: Carefully consider the DNS lookup limit when using SPF redirects.
  • Appropriate Use: Understand when a redirect is more appropriate than an include; typically, include is the preferred way.
  • Internal Resolver State: Consider how redirect changes the SPF resolver's internal state.
Expert view

Expert from Email Geeks explains that SPF record redirects allow the referenced domain to manage IPs for outbound mail without using a CNAME, which can interfere with other records on the domain.

August 2023 - Email Geeks
Expert view

Expert from Word to the Wise explains that SPF redirects are indeed counted toward the total DNS lookup count limit of 10. This needs to be carefully considered as part of any SPF record deployment.

June 2021 - Word to the Wise
Expert view

Expert from Email Geeks explains that using 'redirect' in an SPF record is a more appropriate and flexible approach than using a CNAME. There is no negative or positive impact in this particular case.

April 2023 - Email Geeks
Expert view

Expert from Email Geeks clarifies that 'redirect' isn’t exactly the same as 'include' or 'CNAME'. It affects the SPF resolver's internal state, changing the implied domain to the redirect's target. Its error handling differs from 'include', and unlike 'CNAME', it counts towards the ten DNS query limit.

May 2021 - Email Geeks
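The distinctions the Email Geeks expert draws above (a redirect moves evaluation to the target domain and hands back that domain's result, an include only asks whether the included record passes, and both spend one of the ten permitted DNS lookups) are easiest to see in a small check_host() evaluator. The following is an added example written for this page, not code from any of the sources quoted on it. Its domain names and TXT records are a constructed in-memory zone, and it implements only the ip4, include, all and redirect terms of RFC 7208.

```python
"""Toy SPF check_host() evaluator showing 'include' vs 'redirect' semantics.

Added example, not from the page or any project quoted on it. It follows
RFC 7208 for the points under discussion: a redirect restarts evaluation at
the target domain and that result becomes the final result; an include is a
mechanism that "matches" only when the included record yields pass; any
'all' mechanism makes a redirect ignored; a missing record behind an
include or redirect is a permerror; and include/a/mx/ptr/exists/redirect
each consume one of the 10 allowed DNS lookups.
"""
import ipaddress

LOOKUP_LIMIT = 10  # RFC 7208 section 4.6.4
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

# Constructed sample zone (hypothetical names): SPF TXT records keyed by domain.
ZONE = {
    "example.com": "v=spf1 redirect=_spf.example.net",
    "corp.example": "v=spf1 include:_spf.example.net",
    "_spf.example.net": "v=spf1 ip4:192.0.2.0/24 ~all",
    "broken.example": "v=spf1 redirect=nonexistent.example",
    "both.example": "v=spf1 ip4:203.0.113.0/24 -all redirect=_spf.example.net",
}
# A chain of includes: hop0 -> hop1 -> ... -> hop10, one lookup per hop.
for i in range(10):
    ZONE[f"hop{i}.example"] = f"v=spf1 include:hop{i + 1}.example -all"
ZONE["hop10.example"] = "v=spf1 ip4:192.0.2.0/24 -all"
ZONE["chain.example"] = "v=spf1 include:hop0.example -all"   # needs 11 lookups
ZONE["short.example"] = "v=spf1 include:hop8.example -all"   # needs 3 lookups


class PermError(Exception):
    """Raised when the record cannot be evaluated (RFC 7208 'permerror')."""


class Counter:
    def __init__(self):
        self.lookups = 0

    def lookup(self):
        self.lookups += 1
        if self.lookups > LOOKUP_LIMIT:
            raise PermError("more than %d DNS lookups" % LOOKUP_LIMIT)


def _check(ip, domain, zone, counter):
    record = zone.get(domain)
    if record is None:
        return "none"
    terms = record.split()[1:]                     # drop the "v=spf1" tag
    mechanisms = [t for t in terms if "=" not in t]
    redirect = next((t[len("redirect="):] for t in terms
                     if t.startswith("redirect=")), None)
    # RFC 7208 5.1: a redirect is ignored whenever the record contains 'all'.
    has_all = any(t.lstrip("+-~?") == "all" for t in mechanisms)
    for term in mechanisms:
        qualifier = term[0] if term[0] in "+-~?" else "+"
        name, _, arg = term.lstrip("+-~?").partition(":")
        if name in LOOKUP_TERMS:
            counter.lookup()
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "include":
            inner = _check(ip, arg, zone, counter)
            if inner == "none":
                raise PermError("include:%s has no SPF record" % arg)
            matched = inner == "pass"   # fail/softfail/neutral = "not match"
        else:
            raise PermError("unsupported mechanism %s" % name)
        if matched:
            return {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}[qualifier]
    if redirect and not has_all:
        counter.lookup()
        # The implied domain becomes the redirect target; its result is ours.
        inner = _check(ip, redirect, zone, counter)
        if inner == "none":
            raise PermError("redirect=%s has no SPF record" % redirect)
        return inner
    return "neutral"                               # no mechanism matched


def check_host(ip, domain, zone=ZONE):
    """Return (result, lookups_used) for a sender `ip` using `domain`."""
    counter = Counter()
    try:
        return _check(ipaddress.ip_address(ip), domain, zone, counter), counter.lookups
    except PermError:
        return "permerror", counter.lookups


if __name__ == "__main__":
    for ip, dom in [("192.0.2.10", "example.com"), ("198.51.100.1", "example.com"),
                    ("198.51.100.1", "corp.example"), ("192.0.2.10", "both.example"),
                    ("192.0.2.10", "broken.example"), ("192.0.2.10", "chain.example")]:
        print("%-16s %-14s -> %s" % (dom, ip, check_host(ip, dom)))
```

Running it with an address that matches nothing (198.51.100.1 above) walks every term, so the lookup count it reports is the worst case that the audit tools mentioned on this page count. The corp.example and example.com records point at the same target, yet the outside sender gets neutral from the include and softfail from the redirect, which is the difference in result handling the expert describes; both.example shows that a redirect sitting next to an 'all' is simply ignored, and chain.example shows the permerror that the eleventh lookup produces.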

What the documentation says
4 Technical articles

Documentation emphasizes that while SPF redirects are supported, caution is advised. They delegate SPF evaluation to another domain, making the target domain's SPF record critical. Redirects count towards the 10 DNS lookup limit, potentially causing 'PermError' and deliverability issues if exceeded. Correct syntax, thorough testing, and validation are essential for proper functionality.

Key findings

  • Delegated Evaluation: SPF redirects delegate SPF evaluation to another domain.
  • DNS Lookup Impact: Redirects count towards the 10 DNS lookup limit.
  • Potential Authentication Failures: Misconfiguration or overuse can lead to authentication failures.

Key considerations

  • Target Validation: Ensure the target domain has a valid and correctly configured SPF record.
  • Lookup Limit Awareness: Be mindful of the DNS lookup limit and the impact of redirects.
  • Testing and Validation: Thoroughly test and validate SPF records with redirects.
  • Syntax: Ensure you use the correct syntax when specifying the SPF record.
Technical article

Documentation from Microsoft highlights the 10 DNS lookup limit within an SPF record evaluation. Redirects count towards this limit. If the evaluation exceeds 10 DNS lookups, SPF will return a 'PermError' which might cause email deliverability issues. Careful management of SPF records, especially with redirects, is crucial.

March 2022 - Microsoft Learn
Technical article

Documentation from RFC 7208 specifies that the 'redirect' mechanism causes SPF evaluation to restart using the SPF record of the domain specified in the redirect. The result of the evaluation of the redirected domain becomes the result of the current SPF evaluation. It notes that redirects count towards the DNS lookup limit and can impact performance if overused or chained excessively.

February 2023 - RFC Editor
Technical article

Documentation from OpenSPF details the correct syntax for using the 'redirect' mechanism in SPF records. It highlights that the redirect mechanism should point to a valid domain and that the domain should have a valid SPF record. OpenSPF recommends thorough testing and validation of SPF records to ensure proper functionality.

June 2023 - OpenSPF
Technical article

Documentation from Google Workspace Admin Help explains that using the 'redirect' mechanism in SPF records is supported but advises caution. It functions by delegating SPF evaluation to another domain. If the target domain's SPF record passes, the original domain also passes SPF. Misconfiguration can lead to authentication failures. It is recommended to ensure that the target domain has a correctly configured SPF record.

November 2022 - Google Workspace Admin Help