SPF Include Chains
How nested SPF includes work, why they consume multiple DNS lookups, and strategies for managing complex multi-ESP email setups.
What Are SPF Include Chains?
An SPF include chain occurs when one SPF record references another using the include: mechanism, and that referenced record contains its own include: statements. This creates a chain (or tree) of DNS lookups.
Simple Example:
v=spf1 include:_spf.google.com -all
1 include statement (but not just 1 lookup!)
v=spf1 include:_netblocks.google.com include:_netblocks2.google.com include:_netblocks3.google.com ~all
Google's record has 3 nested includes!
Total Lookups: 1 (your include) + 3 (Google's nested includes) = 4 DNS lookups from a single include!
When you add include:_spf.google.com, you're not consuming 1 lookup—you're consuming however many lookups Google's SPF record uses (currently 3-4).
How Include Chains Work: DNS Resolution Process
When a mail server checks your SPF record, it follows the include chain recursively:
Step-by-Step Resolution:
1. TXT lookup: example.com
   Returns: v=spf1 include:_spf.google.com -all
2. TXT lookup: _spf.google.com
   Returns: v=spf1 include:_netblocks.google.com include:_netblocks2.google.com ...
3. TXT lookup: _netblocks.google.com
   TXT lookup: _netblocks2.google.com
   TXT lookup: _netblocks3.google.com
   Each nested include = additional lookup
4. Combine IP ranges from all included records into a single authorized sender list
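The recursive resolution above, as an added example (not code from the original page): a Python counter that walks include chains over a constructed in-memory zone instead of live DNS. It goes slightly beyond the page by also counting the other lookup-consuming terms in RFC 7208 (a, mx, ptr, exists, redirect) and by rejecting include loops. The two top-level records are the ones quoted above; the `_netblocks*` contents, the `loop.example` name and the function names are assumptions for illustration.

```python
# Constructed zone data: the first two records are the ones quoted on this page;
# the _netblocks* contents use documentation IP ranges as placeholders.
ZONE = {
    "example.com": "v=spf1 include:_spf.google.com -all",
    "_spf.google.com": "v=spf1 include:_netblocks.google.com "
                       "include:_netblocks2.google.com include:_netblocks3.google.com ~all",
    "_netblocks.google.com": "v=spf1 ip4:192.0.2.0/24 ~all",
    "_netblocks2.google.com": "v=spf1 ip4:198.51.100.0/24 ~all",
    "_netblocks3.google.com": "v=spf1 ip4:203.0.113.0/24 ~all",
    "loop.example": "v=spf1 include:loop.example -all",  # hypothetical misconfiguration
}

LOOKUP_LIMIT = 10  # RFC 7208 section 4.6.4
COUNTED = ("a", "mx", "ptr", "exists")  # mechanisms that cost one lookup each


def count_lookups(domain, zone=ZONE, _seen=None):
    """Return how many DNS-querying terms a receiver evaluates for domain's SPF record."""
    domain = domain.lower()
    seen = _seen if _seen is not None else set()
    if domain in seen:
        raise ValueError(f"include loop at {domain}")
    seen = seen | {domain}  # track the current path only; repeated siblings still count
    record = zone.get(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        raise LookupError(f"no SPF record for {domain}")
    total = 0
    for term in record.split()[1:]:
        term = term.lstrip("+-~?").lower()
        name, _, arg = term.partition(":")
        if name == "include" or term.startswith("redirect="):
            target = arg if name == "include" else term.split("=", 1)[1]
            total += 1 + count_lookups(target, zone, seen)  # the include itself + its chain
        elif name.split("/")[0] in COUNTED:
            total += 1
    return total


def check(domain, zone=ZONE):
    """Return (lookups, within_limit) for the domain's full include tree."""
    n = count_lookups(domain, zone)
    return n, n <= LOOKUP_LIMIT
```

Swapping the `zone` dictionary for a function that performs real TXT queries turns this into a live checker; the counting logic stays the same.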
Common ESP Include Chains & Their Lookup Costs
Different email service providers have different include chain depths. Here's what popular ESPs actually consume:
- Google Workspace: 3 lookups, include:_spf.google.com
- Microsoft 365: 2 lookups, include:spf.protection.outlook.com
- SendGrid: 1 lookup, include:sendgrid.net
- Salesforce: 3 lookups, include:_spf.salesforce.com
- Mailchimp: 1 lookup, include:servers.mcsv.net
- Zendesk: 1 lookup, include:mail.zendesk.com
ESPs can modify their SPF records anytime. Always verify current lookup counts with an SPF checker before making changes.
Calculating Total Lookups in Complex Chains
Here's how to calculate your total lookup count when using multiple ESPs:
Example: Multi-ESP Setup
v=spf1 include:_spf.google.com include:sendgrid.net include:servers.mcsv.net mx -all
✓ Under the 10 lookup limit with 4 lookups to spare
Strategies for Managing Include Chains
Choose ESPs with Shallow Include Chains
When selecting email service providers, prefer those with fewer nested includes.
- SendGrid
- Mailchimp
- Postmark
- Zendesk
- Google Workspace (3)
- Salesforce (3)
- Microsoft 365 (2)
Use Subdomains for High-Lookup ESPs
Offload heavy include chains to separate subdomains.
example.com → v=spf1 include:sendgrid.net -all
Only 1 lookup
marketing.example.com → v=spf1 include:_spf.salesforce.com -all
3 lookups (isolated)
Monitor ESP SPF Changes
ESPs can change their SPF records anytime, potentially adding nested includes.
- Check SPF lookup count monthly
- Subscribe to ESP change notifications
- Use monitoring tools to track DNS changes
Consolidate Through SMTP Relay
Route all email through a single ESP to minimize includes.
Instead of adding includes for every service, configure third-party apps to send via your primary ESP:
Result: Only 1 include instead of 4+
Best Practices
✓ Do
- Test lookup count before deployment
- Document which ESPs use nested includes
- Leave 2-3 lookups of headroom
- Prefer ESPs with shallow include chains
- Use subdomains for complex setups
✗ Don't
- Assume 1 include = 1 lookup
- Add includes without checking depth
- Max out at exactly 10 lookups
- Forget to recheck after ESP changes
- Mix too many high-lookup ESPs