The SPF Chain of Fools

Dear SPF users:

SPF is a good idea. SPF allows you to prevent unauthorized computers from impersonating your domain. In market-speak, it allows you to "protect your brand". So, why are you messing this up so badly?

PGP has the concept of the "Chain of Trust". SPF seems to have a concept more like "Chain of Fools". Please don't join the chain.

First, your SPF rule must, you know, actually be an SPF rule. There is a canonical checker, linked to from openspf.org. Use it: Scott Kitterman's SPF Validator.

If you include another rule, you are responsible for checking it before you make the include, and periodically afterwards.

This also means that you need to monitor your record and make sure that not only are all your includes correct, but that they actually, you know, exist.

Also check that none of your includes refers to a redirect= record. Redirects cost a precious DNS lookup; just include: the target of the redirection in your rule directly.

If your rule does not end in -all, you are doing it wrong. Either you know the set of servers allowed to send email for your domain, in which case you should be blocking everyone else, or you don't. If you don't, then don't use SPF. In particular, ~all is an abomination. You are forcing everyone else to do more work to handle your email and then giving a wishy-washy authorization to mark mail coming from other sources as a bit more likely to be spam. This is not "defending your brand". It is just causing irritation.

Oh, and ?all. The stupid, it burns!

Another abomination. Why are you including outlook.com or googlemail.com? Do you really think that there is no one who has the mad technical skills to get an outlook.com account? Do you really mean that anyone who has a google account is allowed to send email as you? If you are using google or outlook, you shouldn't be using SPF. It is that simple: you have already abdicated your ability to control your domain. Just remove the damned SPF record. As a side note, SPF's RFC requires that a Permanent Error be raised if more than 10 domain lookups are required to process an SPF rule. outlook.com requires 8 lookups to process. Most people who include: outlook.com have automatically prevented their email from being received!

include: googlemail.com is a double abomination. It just redirects to _spf.google.com. You have burned a DNS lookup for no reason at all. Just include: _spf.google.com if you still think that it is a good idea that anyone with a google account can "be you".
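To make the lookup arithmetic and the include/redirect chain concrete, here is an added example checker (not the author's tool, and not a replacement for the Kitterman validator). It walks include: and redirect= chains over a constructed in-memory record table, counts the mechanisms that each cost a DNS lookup, and reports the mistakes called out above: a missing include target, an include that points at a redirect, a rule that does not end in -all, and a rule that blows the 10-lookup limit. All domain names and records in it are constructed.

```python
import re

# Constructed in-memory "DNS" table; a real checker fetches TXT records instead.
FAKE_DNS = {
    "example.com": "v=spf1 mx include:_spf.example.net include:missing.example ~all",
    "_spf.example.net": "v=spf1 ip4:192.0.2.0/24 redirect=_spf2.example.net",
    "_spf2.example.net": "v=spf1 a mx ptr -all",
}
# Mechanisms that each cost a DNS lookup; RFC 7208 caps the total at 10.
LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists"}

def check_spf(domain, dns=FAKE_DNS, state=None, depth=0):
    """Walk domain's record through include:/redirect= chains; return lookups and findings."""
    if state is None:
        state = {"lookups": 0, "findings": []}
    record = dns.get(domain.lower())
    if record is None:
        state["findings"].append(f"{domain}: no SPF record, the include chain is broken")
        return state
    terms = record.split()
    if terms[0].lower() != "v=spf1":
        state["findings"].append(f"{domain}: not an SPF record")
        return state
    redirect = None
    for term in terms[1:]:
        body = term.lstrip("+-~?")  # drop the qualifier, keep mechanism/modifier
        m = re.match(r"([a-z0-9]+)(?:[:=/](.*))?$", body, re.I)
        if not m:
            state["findings"].append(f"{domain}: unparsable term {term!r}")
            continue
        name, arg = m.group(1).lower(), m.group(2)
        if name in LOOKUP_MECHS:
            state["lookups"] += 1
            if name == "include":
                check_spf(arg or "<missing>", dns, state, depth + 1)
        elif name == "redirect":
            state["lookups"] += 1
            redirect = arg
            if depth > 0:  # an include that points at a redirect burns a lookup for nothing
                state["findings"].append(f"{domain}: included record uses redirect=")
    if redirect:
        check_spf(redirect, dns, state, depth + 1)
    if depth == 0:  # verdicts for the record the user actually publishes
        if redirect is None and terms[-1] != "-all":
            state["findings"].append(f"{domain}: ends in {terms[-1]!r}, not -all")
        if state["lookups"] > 10:
            state["findings"].append(f"{domain}: {state['lookups']} lookups exceed the limit of 10 (PermError)")
    return state
```

Running check_spf("example.com") on the constructed table counts 7 lookups and reports the redirect inside an include, the missing include target, and the ~all ending.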

And please, if you get a report that your SPF rule is causing a Permanent Error, go to the Kitterman site linked above and check it yourself. Read the RFC. Then fix your rule. If you don't understand what is wrong, I will be glad to help. Email to jpenny @ jpenny.im.

That's it. If you can, please use SPF. If you can't, then please don't. And you can't if you don't know the email servers authorized to send email for you, if you use outsourced email servers who publish incorrect rules, or if you use public email systems.