Why should ESP SPF include recommendations be avoided on corporate domains?
Summary
What email marketers say (12 marketer opinions)
Email marketer from SparkPost answers that blindly including ESP SPF records can pose a security risk. If the ESP's infrastructure is compromised, your domain's reputation could be affected. Using a subdomain limits the blast radius and provides a degree of isolation.
Email marketer from Mailjet shares that including an ESP's SPF record directly into your corporate domain can create future maintenance headaches. If you switch ESPs, you must remember to update your SPF record to avoid deliverability issues. It's better to use a dedicated subdomain for email sending and delegate SPF control to the ESP.
Marketer from Email Geeks states that advising that the SPF include be added to the SPF record of the organizational domain is common and still present in official documentation for many ESPs. He explains that it’s not necessarily harmful, but it is DNS overhead, and SPF records can easily go past the 10 allowed DNS lookups.
Email marketer from SendPulse advises that if the ESP has deliverability issues in the future or its IPs get blocklisted, and its entire SPF record is included, this could directly affect the deliverability of your main domain. Using a subdomain mitigates this problem.
Email marketer from Proofpoint explains that if other clients on a shared ESP are sending abusive or spam emails and your corporate domain is including the ESP's SPF record, then your email campaigns may be affected. Using a subdomain isolates this risk.
Email marketer from EasyDMARC notes that including an ESP can create a large SPF record and therefore could be a good use case for SPF flattening.
Email marketer from EmailGeek Forum says it's generally safer to segregate your email marketing from your transactional emails by using different subdomains and SPF records. This keeps things separate and makes it easier to manage deliverability issues.
Email marketer from Reddit shares that putting an ESP's SPF record on your main domain can hurt your sender reputation if that ESP has issues with spam or blacklisting. It's safer to isolate your reputation by using a dedicated subdomain.
Email marketer from MailerSend responds that if the ESP's IPs are changed or updated and this is not reflected in your corporate domain's SPF record, then this can cause SPF validation failures.
Email marketer from GlockApps details that if your SPF record is not set up correctly and an ESP include is added incorrectly, it will impact deliverability.
Marketer from Email Geeks praises Mailchimp for removing the SPF include in their "Authentication" process, noting it as a positive change.
Email marketer from AuthSMTP explains how to manage SPF records so as not to breach the 10 DNS lookup limit: where possible, avoid using include statements.
What the experts say (7 expert opinions)
Expert from Word to the Wise highlights that the RFCs indicate the maximum length of a TXT record is 255 characters. To avoid problems with older systems, it is best to keep the SPF record under this limit.
Expert from Email Geeks expresses concern over ESP support sites providing incorrect SPF recommendations, specifically advising customers to add `include:spf.esp.example` to their corporate domain. She argues this is wrong.
Expert from Spam Resource notes the best option is to have a reverse DNS match to the sending domain for best deliverability, and if you include someone else's server, you will not get a match.
Expert from Word to the Wise notes it's best to keep things separate. Create subdomains for each type of mail, and delegate the control of the DNS records to that subdomain.
Expert from Email Geeks advises that if clients already have SPF records for the 5322.from (sending domain) and are not experiencing rejections, no changes are necessary. She states this is a "don’t fix a problem that doesn’t exist" situation.
Expert from Email Geeks explains that SPF verifies the 5321.from address (bounce address). When using an ESP, the corporate domain should NOT be in the bounce address. A subdomain pointing to the ESP should be used, and that subdomain should have the SPF record, not the corporate domain.
Expert from Spam Resource explains that using the `include` mechanism can quickly reach the SPF DNS lookup limit.
What the documentation says (5 technical articles)
Documentation from DMARC.org details that organizations should maintain control over their domain's SPF records. Giving ESPs direct control through `include:` mechanisms can make it difficult to enforce consistent authentication policies across all email streams, impacting DMARC compliance.
Documentation from Cloudflare details that `include:` mechanisms are susceptible to changes at the referenced domain. It can add management and DNS lookup overhead, and may lead to DNS lookup limits being reached.
Documentation from Microsoft explains that incorrect SPF record syntax, often caused by misconfigured `include:` statements, can lead to SPF failures. These failures can result in email being marked as spam or rejected outright. Careful management of SPF records is essential.
Documentation from RFC7208 explains that if the number of mechanisms or modifiers that cause DNS lookups exceeds 10, the SPF evaluation MUST return 'permerror'.
Documentation from Google Workspace Admin Help explains that SPF has a limit of 10 DNS lookups. Using `include:` mechanisms can quickly exhaust this limit, potentially causing SPF failures and impacting email deliverability. Avoiding unnecessary includes, such as generic ESP includes on the primary domain, is crucial to stay within the limit.
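The lookup budget described in the RFC 7208 and Google Workspace entries above, and the bounce-domain point made by the Email Geeks expert, can be checked offline. The script below is an added example, not code from the original page or from any of the sources it summarizes. It counts the DNS-lookup terms an SPF record triggers (include, a, mx, ptr, exists, redirect), follows include: and redirect= recursively, and reports permerror once the count passes 10. All zone data is constructed: the domain names (corp.example, spf.mailhost.example, the spf.esp.example name reused from the page) are placeholders and no real DNS is queried. Two layouts are compared: the ESP include pasted onto the corporate apex, and the ESP delegated to a bounce subdomain that carries its own SPF record.

```python
"""Count the DNS lookups an SPF record triggers (RFC 7208, section 4.6.4).

Added example, not code from the original page. The zone data is constructed
(placeholder domains, no network access) to show why an ESP include on the
corporate apex can exhaust the 10-lookup budget while a delegated bounce
subdomain keeps each record inside it.
"""
import re

SPF_MAX_LOOKUPS = 10      # RFC 7208 4.6.4: more than 10 lookup terms -> permerror
TXT_STRING_MAX = 255      # RFC 1035: one TXT character-string holds at most 255 octets

# Terms that cost a DNS query during evaluation (RFC 7208 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

# Constructed records for a mail provider and an ESP. The ESP's include
# fans out into three nested records, which is what burns the budget.
PROVIDER_RECORDS = {
    "spf.mailhost.example": "v=spf1 include:block1.mailhost.example include:block2.mailhost.example ~all",
    "block1.mailhost.example": "v=spf1 ip4:192.0.2.0/24 ~all",
    "block2.mailhost.example": "v=spf1 ip6:2001:db8::/32 ~all",
    "spf.esp.example": "v=spf1 include:spf-a.esp.example include:spf-b.esp.example include:spf-c.esp.example ~all",
    "spf-a.esp.example": "v=spf1 a mx ip4:198.51.100.0/24 ~all",
    "spf-b.esp.example": "v=spf1 a mx ip4:203.0.113.0/24 ~all",
    "spf-c.esp.example": "v=spf1 a ip4:198.51.100.128/25 ~all",
}

# Layout 1: the ESP include pasted onto the corporate apex, as many ESP docs advise.
ZONE_INCLUDE_ON_APEX = {
    **PROVIDER_RECORDS,
    "corp.example": "v=spf1 mx include:spf.mailhost.example include:spf.esp.example -all",
}

# Layout 2: the ESP gets its own bounce subdomain; the apex record never mentions it.
ZONE_DELEGATED = {
    **PROVIDER_RECORDS,
    "corp.example": "v=spf1 mx include:spf.mailhost.example -all",
    "bounce.corp.example": "v=spf1 include:spf.esp.example -all",
}

# mechanism or modifier name, then an optional ':' / '=' / '/' argument
TERM_RE = re.compile(r"^([a-z0-9]+)(?:[:=/](.*))?$", re.IGNORECASE)


def count_lookups(domain, zone, chain=()):
    """Number of lookup-causing terms reached from `domain`, following include:/redirect=.

    Each term is counted every time it is evaluated, as RFC 7208 requires;
    `chain` guards against include loops (a real evaluator reports permerror).
    """
    if domain in chain:
        raise ValueError(f"SPF include loop through {domain}")
    record = zone.get(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        return 0  # no SPF record: evaluation ends here, no further lookups
    total = 0
    for raw in record.split()[1:]:
        match = TERM_RE.match(raw.lstrip("+-~?"))  # drop the qualifier
        if not match:
            continue
        name, arg = match.group(1).lower(), match.group(2)
        if name not in LOOKUP_TERMS:
            continue  # ip4 / ip6 / all / exp cost nothing
        total += 1
        if name in ("include", "redirect") and arg:
            total += count_lookups(arg, zone, chain + (domain,))
    return total


def check_spf(domain, zone):
    """Return (lookups, verdict): 'permerror' once the 10-lookup budget is exceeded."""
    lookups = count_lookups(domain, zone)
    return lookups, ("permerror" if lookups > SPF_MAX_LOOKUPS else "ok")


def envelope_domain(mail_from):
    """Domain SPF actually checks: the 5321.MailFrom (bounce) address, not the From: header."""
    return mail_from.rsplit("@", 1)[-1].lower()


def fits_single_txt_string(record):
    """True if the record fits one 255-octet TXT string without being split."""
    return len(record.encode()) <= TXT_STRING_MAX


if __name__ == "__main__":
    for label, zone, sender in (
        ("ESP include on apex", ZONE_INCLUDE_ON_APEX, "bounce@corp.example"),
        ("apex without ESP   ", ZONE_DELEGATED, "bounce@corp.example"),
        ("delegated subdomain", ZONE_DELEGATED, "bounce@bounce.corp.example"),
    ):
        domain = envelope_domain(sender)
        lookups, verdict = check_spf(domain, zone)
        print(f"{label}: {domain:<22} lookups={lookups:>2} -> {verdict}")
```

With the constructed records the apex layout evaluates 13 lookup terms and returns permerror, while the delegated layout leaves the apex at 4 and the bounce subdomain at 9, each inside the budget. The counter deliberately ignores the separate per-term limit on the number of MX or PTR results, so a real evaluator can still fail a record this script passes.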