SPF Include Explained – How include: Works & Lookup Cost

The include: mechanism lets you reference another domain's SPF record. It's how you authorize an ESP or third-party sender. Each include consumes DNS lookups; here's how it works.

How include: works

When a receiver evaluates your SPF record and hits include:example.com, it looks up the SPF (TXT) record for example.com and evaluates that record as part of yours. The result (pass/fail/neutral) is combined with your other mechanisms. One include usually costs at least one lookup; the included record can add more if it has its own includes or a/mx/ptr.

ESP includes

Email service providers give you a hostname to include, e.g. include:_spf.google.com or include:sendgrid.net. You add that to your record so their sending IPs are authorized. Never guess the value; use the one in their documentation.

Common mistakes

  • Typos in the include domain (wrong hostname or missing subdomain).
  • Adding too many includes and exceeding the 10-lookup limit.
  • Leaving in old includes for providers you no longer use.

Scan my SPF includes

Check your SPF and see how many lookups your includes use. No signup required.

Scan my SPF includesView pricing

FAQ

What does include: do in SPF?

include: pulls in the SPF record of another domain. The receiver looks up that domain's TXT record and evaluates it as part of your policy. Each include typically costs at least one lookup; the included record can add more.

Where do I get the right include for my ESP?

Your ESP (SendGrid, Mailgun, Resend, etc.) documents the exact include: value to add, e.g. include:_spf.sendgrid.net. Use their value; don't invent one.

Can I have multiple includes?

Yes. Many senders have one include per ESP or service. The total number of lookups across all includes (and other mechanisms) must stay under 10.

What if the included domain changes?

You don't change your record; the ESP updates their record. Your include: points to their hostname, so their changes apply automatically. Your lookup count can change if they modify their record.

Related reading

Read-only checks. We don't send email or modify DNS. How we check