What is the difference between a SPF include: and a:?
I have read through the documentation but the difference is still not very clear to me.
My understanding is: 1) include: will allow the IPs listed for the specified domain, and also any additional domains listed in that domain's own SPF records
2) a: simply allows IPs listed for the specified domain
Is that correct?
Answer
Another try at an answer for anyone else trying to put this together, and based on the syntax doc that OP is probably referring to: http://www.openspf.org/SPF_Record_Syntax
My answer is that yes, you seem to have it in mind.
a: Test the IP for a match in the A records for the domain.
include: Fetch the entire SPF record for the domain, evaluate IP against it, and if a PASS is found then that PASS becomes the result of the whole SPF test. If no PASS is found then it's not a fail, but your original/top-level SPF test continues (probably to the -all/~all/?all phase).
Reasons to use "a":
- Because it's more predictable and straightforward.
- Because you haven't set up SPF on the relevant domains.
- Because you don't control those domains and the SPF isn't what you'd want (specifically if it's too lenient in accepting other servers that aren't in it's A records)
Reasons to use "include":
- Because you already trust the SPF of the domain.
- Because the SPF of the domain is complex, and you want to have a single source of truth for don't-repeat-yourself reasons.
Happy to be corrected!