SPF Include Mechanism Explained: How to Authorise Multiple Senders
Understand how the SPF include mechanism works, how to add multiple email senders to your SPF record, and how to avoid the 10-lookup limit.
When you use multiple services to send email — a marketing platform, a CRM, a support tool, transactional email from your app — each one needs to be authorized in your SPF record. The include mechanism is how you do this.
But there's a catch: SPF has a 10-lookup limit, and each include uses at least one of those lookups. Add too many services and your SPF record breaks.
Here's how the include mechanism works and how to manage it.
What the Include Mechanism Does
An SPF record tells receiving email servers which IP addresses are authorized to send email from your domain. The include mechanism lets you reference another domain's SPF record, inheriting all of its authorized senders.
For example:
v=spf1 include:_spf.google.com include:sendgrid.net ~all
This record says:
- Check Google's SPF record — if the sending IP matches, pass
- Check SendGrid's SPF record — if the sending IP matches, pass
- If neither matches, soft fail (
~all)
The include mechanism effectively delegates authorization to the included domain. You're saying "I trust the SPF record at _spf.google.com to define my authorized senders (for the services provided by Google)."
Common Include Values
Each email service provider has a specific include value for their SPF. Here are the most common ones:
| Service | SPF Include Value |
|---|---|
| Google Workspace | include:_spf.google.com |
| Microsoft 365 | include:spf.protection.outlook.com |
| SendGrid | include:sendgrid.net |
| Mailchimp | include:servers.mcsv.net |
| HubSpot | include:spf.hubspot.com |
| Klaviyo | include:_spf.klaviyo.com |
| Brevo (Sendinblue) | include:spf.brevo.com |
| ActiveCampaign | include:emsd1.com |
| Mailgun | include:mailgun.org |
| Amazon SES | include:amazonses.com |
| Zendesk | include:mail.zendesk.com |
| Freshdesk | include:email.freshdesk.com |
| Salesforce | include:_spf.salesforce.com |
| Resend | include:_spf.resend.com |
Always check your service provider's documentation for the current include value. These can change when providers update their infrastructure.
How to Add a New Sender
When you start using a new email service, you need to add its include to your existing SPF record. Do not create a second SPF record — you can only have one per domain.
Before (Google Workspace only)
v=spf1 include:_spf.google.com ~all
After (Adding SendGrid)
v=spf1 include:_spf.google.com include:sendgrid.net ~all
After (Adding HubSpot too)
v=spf1 include:_spf.google.com include:sendgrid.net include:spf.hubspot.com ~all
Each new include goes before the ~all or -all at the end. Check your SPF record after making changes to verify it's valid.
The 10-Lookup Limit
SPF allows a maximum of 10 DNS lookups when evaluating a record. Each include counts as at least one lookup, but the included domain's SPF record may itself contain includes, each adding more lookups.
How Lookups Add Up
| Mechanism | Lookup Count |
|---|---|
| include: | 1 + whatever that record contains |
| a: | 1 |
| mx: | 1 |
| redirect= | 1 |
| ip4: / ip6: | 0 (no lookup needed) |
Google's _spf.google.com alone uses 3–4 lookups because it contains nested includes. Adding 3–4 more services can easily push you past 10.
What Happens at the Limit
When an SPF evaluation exceeds 10 lookups, the result is permerror — a permanent error. Some receiving servers treat this as a fail, others ignore SPF entirely. Either way, it hurts your deliverability.
Check your SPF record — our checker shows the total lookup count and warns if you're approaching the limit.
Monitor your SPF record
Get alerts when your SPF record changes, breaks, or approaches the lookup limit.
How to Stay Under the Limit
Option 1: SPF Flattening
SPF flattening replaces include mechanisms with the actual IP addresses they resolve to. Instead of:
v=spf1 include:_spf.google.com include:sendgrid.net ~all
A flattened record might look like:
v=spf1 ip4:209.85.128.0/17 ip4:74.125.0.0/16 ip4:167.89.0.0/17 ... ~all
ip4: and ip6: mechanisms don't count against the lookup limit. But there are downsides:
- IP addresses change when providers update their infrastructure
- You need to re-flatten regularly (weekly or whenever changes occur)
- Manual flattening is error-prone
Use an SPF flattening tool or service to automate this process.
Option 2: Subdomain Strategy
Instead of sending all email from your root domain, use subdomains:
marketing.yourdomain.com— Marketing emails (Mailchimp, Klaviyo)support.yourdomain.com— Support emails (Zendesk, Freshdesk)mail.yourdomain.com— Business email (Google Workspace)
Each subdomain gets its own SPF record with its own 10-lookup budget. This also isolates reputation — marketing complaints don't affect transactional email delivery.
Option 3: Remove Unused Includes
Audit your SPF record periodically. If you stopped using a service, remove its include. Services you set up years ago and forgot about still consume lookups.
Option 4: Use ip4/ip6 for Static Senders
If a sending service uses a small, stable set of IP addresses, you can list them directly with ip4: instead of using an include:. This works for your own mail servers or dedicated IPs, but not for shared ESP infrastructure where IPs change frequently.
How Include Differs from Other Mechanisms
include vs redirect
redirect= replaces your entire SPF record with another domain's. You can only have one redirect, and it must be the last mechanism. include adds to your record alongside other mechanisms.
Use include when combining multiple senders. Use redirect only when your email is handled entirely by one provider.
include vs a/mx
The a and mx mechanisms authorize IPs from your domain's A or MX records. These are useful for authorizing your own web server or mail server, but they still count as lookups. Most modern SPF records use include for third-party services and ip4 for your own infrastructure.
Troubleshooting Include Issues
"SPF record not found" for included domain
If an included domain's SPF record doesn't exist, the include result is a permanent error. This can happen when:
- You typed the include value incorrectly
- The provider changed their SPF hostname
- The provider's DNS is having issues
Double-check the include value against your provider's current documentation.
Too many lookups
If you're over the limit, identify which includes you can replace with ip4: addresses or move to subdomains. Our SPF checker shows the lookup count for each include, helping you identify which ones are most expensive.
Multiple SPF records
A domain can only have one SPF record. If you see two TXT records starting with v=spf1, merge them into one. Having two SPF records causes unpredictable failures.