
SPF record with REDIRECT and INCLUDE

Tags: record, dns, spf

So I have to make an SPF record for a shared domain - 2 mail systems, one is Office 365. Normally it looks like this:

"v=spf1 mx include:MAIL_SERVER include:spf.protection.outlook.com ~all"

It's quite straightforward if it has been configured like this beforehand:

"v=spf1 mx include:MAIL_SERVER ~all"

But I have a different situation, where it is like this:

"v=spf1 mx redirect:_spf.PROVIDERSERVER.COM"

I am not sure if I can do it like this:

"v=spf1 mx redirect:_spf.PROVIDERSERVER.COM include:spf.protection.outlook.com ~all"

Is it going to work like this? If not, then what should be changed?

kjubus asked Feb 03 '23 23:02



2 Answers

The redirect is a modifier rather than a mechanism, and will only be considered after all other mechanisms have been tested. Unlike an include, once a redirect has been navigated it will not return to evaluate further terms, and although your positioning isn't invalid, for clarity it should appear as the last term in the record, since it will only be evaluated after all the other terms have been tested and passed over, i.e. its position in the SPF record will not determine its order of processing.

If any alternative mechanism term is satisfied in the record, then the processing will stop at that term and return the evaluated condition; this includes any all mechanism that may be present. Therefore you cannot use redirect in combination with all, because the all mechanism will always be tested and satisfied first, and the redirect will never be processed. Of course, any all mechanism in the redirected domain's SPF would still apply if reached, unlike the -all in an include, which would be ignored by returning not-matched to the include mechanism call. (Caveat: if a +all is encountered within a traversed include it will return matched, and trigger whichever result has been prepended to that include, usually a default +.)

It's worth noting that any redirected domain's own SPF may contain further redirects, and they would cascade as expected. However, each redirect counts towards the lookup count limits.

So in summary you would want to use something like...

"v=spf1 mx include:spf.protection.outlook.com redirect:_spf.PROVIDERSERVER.COM"
Gavin Jackson answered Feb 08 '23 16:02

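The evaluation order described in the answer above, as an added example that is not part of the original answer: a simplified SPF evaluator over a constructed, in-memory zone, showing that a redirect is only followed when no mechanism matches, that an `all` term shadows it, and that an include's `-all` only means "no match". All domains and addresses are made-up placeholders, and the modifier is written `redirect=domain` as RFC 7208 specifies (the records quoted on this page use a colon).

```python
import ipaddress

# Constructed zone data (domain -> SPF TXT), using documentation IP ranges.
ZONE = {
    "example.org": "v=spf1 ip4:192.0.2.0/24 include:o365.example redirect=_spf.provider.example",
    "shadowed.example": "v=spf1 redirect=_spf.provider.example include:o365.example ~all",
    "o365.example": "v=spf1 ip4:198.51.100.0/24 -all",
    "_spf.provider.example": "v=spf1 ip4:203.0.113.0/24 -all",
}
QUAL = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spend_lookup(budget):
    """Count one DNS-querying term; RFC 7208 allows at most 10 per check."""
    budget["lookups"] += 1
    return budget["lookups"] <= 10

def check_host(ip, domain, zone=ZONE, budget=None):
    """Simplified SPF check: supports ip4, include, all and redirect only."""
    budget = {"lookups": 0} if budget is None else budget
    if domain not in zone:
        return "permerror"  # an include/redirect target without an SPF record
    redirect = None
    for term in zone[domain].split()[1:]:
        if term.startswith("redirect="):
            redirect = term.split("=", 1)[1]  # modifier: noted, not evaluated in place
            continue
        qual, mech = (term[0], term[1:]) if term[0] in QUAL else ("+", term)
        name, _, arg = mech.partition(":")
        if name == "all":
            return QUAL[qual]  # always matches, so a redirect is never reached
        if name == "ip4":
            matched = ipaddress.ip_address(ip) in ipaddress.ip_network(arg)
        elif name == "include":
            if not spend_lookup(budget):
                return "permerror"
            # Only "pass" from the included record counts as a match; its
            # -all yields "fail", i.e. no match, and evaluation continues here.
            matched = check_host(ip, arg, zone, budget) == "pass"
        else:
            return "permerror"  # mx, a, exists, ptr are left out of this sketch
        if matched:
            return QUAL[qual]
    if redirect:
        if not spend_lookup(budget):
            return "permerror"
        return check_host(ip, redirect, zone, budget)  # target's result is final
    return "neutral"
```
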


I'm not sure on this, but here goes a guess! The docs say that redirect entirely replaces the current record, so I would expect it to ignore all other clauses - but it also evaluates from left to right, so maybe it would do the mx lookup first - you could test that manually.

I'm not sure why you're looking at redirect in the first place.

I suspect you could achieve what you're aiming for with:

"v=spf1 mx include:_spf.PROVIDERSERVER.COM include:spf.protection.outlook.com ~all"
Synchro answered Feb 08 '23 15:02
