
What is the difference between a SPF include: and a:?

I have read through the documentation but the difference is still not very clear to me.

My understanding is: 1) include: will allow the IPs listed for the specified domain, and also any additional domains listed in that domain's own SPF records

2) a: simply allows IPs listed for the specified domain

Is that correct?

loadbalanced asked Mar 06 '13 06:03


2 Answers

1) include:other-domain.com just includes SPF records from other-domain.com. If the SPF entries of other-domain.com allow some IPs (for example, have an ip4: or a: entry), then those IPs will also be allowed.

2) true

dr.scre answered Sep 21 '22 04:09


Another try at an answer for anyone else trying to put this together, and based on the syntax doc that OP is probably referring to, the open-spf.org "SPF Record Syntax" page.

Note: Previously this document lived at http://www.open-spf.org/SPF_Record_Syntax/, but that domain seems to have gone offline permanently in 2009. More details on the history and missing domain can be found here.

My answer is that yes, you seem to have it in mind.

  • a: Test the IP for a match in the A records for the domain.

  • include: Fetch the entire SPF record for the domain, evaluate IP against it, and if a PASS is found then that PASS becomes the result of the whole SPF test. If no PASS is found then it's not a fail, but your original/top-level SPF test continues (probably to the -all/~all/?all phase).

Reasons to use "a":

  • Because it's more predictable and straightforward.
  • Because you haven't set up SPF on the relevant domains.
  • Because you don't control those domains and the SPF isn't what you'd want (specifically if it's too lenient in accepting other servers that aren't in its A records).

Reasons to use "include":

  • Because you already trust the SPF of the domain.
  • Because the SPF of the domain is complex, and you want to have a single source of truth for don't-repeat-yourself reasons.

Happy to be corrected!

jerclarke answered Sep 19 '22 04:09