Looking at the hypothetical scenario with 4 domains and their following SPF records:
Domain: example.com SPF record: v=spf1 include:otherdomain.com ~all
Domain: otherdomain.com SPF record: v=spf1 a include:thirddomain.com ~all
Domain: thirddomain.com SPF record: v=spf1 ip4:1.2.3.4 include:unsecuredomain.com ~all
Domain: unsecuredomain.com SPF record: v=spf1 +all
Questions: Can anyone, unsecuredomain.com, or thirddomain.com send email on behalf of example.com? Can anyone send emails on behalf of thirddomain.com?
Thank you all
I know what you're worrying about, but it's OK: included domains' all
policies do not create a back-door into your own SPF policy.
otherdomain.com can send for example.com from wherever its A records point, and also from thirddomain.com's literal IP. thirddomain.com can send for example.com from its literal IP only. unsecuredomain.com can't send for example.com at all. example.com's ~all default mechanism.

It's clarified in RFC 7208 section 5.2:
For example, evaluating a "-all" directive in the referenced record does not terminate the overall processing and does not necessarily result in an overall "fail".
and
With the "include" mechanism, an administratively external set of hosts can be authorized, but determination of sender policy is still a function of the original domain's SPF record (as determined by the "all" mechanism in that record).
In short, only the all mechanism for your own record is used.
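As an added worked example (not part of the question or of the answer above), the following minimal evaluator implements the include semantics of RFC 7208 section 5.2: an include term matches when the recursive check_host() on the included domain returns "pass", and produces no match when it returns "fail", "softfail" or "neutral", after which evaluation of the including record simply continues to its next term. The zone data is constructed from the four records in the question; the A record for otherdomain.com (5.6.7.8) is an assumption, since the question gives none. Only the a, ip4, include and all mechanisms are supported, which is all these records use. Running it shows what the rules yield for a host that appears in none of the records, and what changes once unsecuredomain.com publishes -all instead of +all.

```python
import ipaddress

# Constructed zone data for the worked example: the four SPF records from the
# question, plus an ASSUMED A record for otherdomain.com (not given on the page).
ZONE = {
    "example.com":        {"TXT": "v=spf1 include:otherdomain.com ~all"},
    "otherdomain.com":    {"TXT": "v=spf1 a include:thirddomain.com ~all",
                           "A": ["5.6.7.8"]},
    "thirddomain.com":    {"TXT": "v=spf1 ip4:1.2.3.4 include:unsecuredomain.com ~all"},
    "unsecuredomain.com": {"TXT": "v=spf1 +all"},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4: at most 10 DNS-querying mechanisms


def check_host(ip, domain, zone, lookups=None):
    """Minimal RFC 7208 check_host() over an in-memory zone.

    Returns one of pass / fail / softfail / neutral / none / permerror.
    Supports only the a, ip4, include and all mechanisms.
    """
    lookups = [0] if lookups is None else lookups
    record = zone.get(domain, {}).get("TXT")
    if record is None or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"  # default qualifier when none is written
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]  # "all" always matches
        if name in ("a", "include"):
            lookups[0] += 1
            if lookups[0] > MAX_LOOKUPS:
                return "permerror"
        if name == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            target = arg or domain
            matched = any(addr == ipaddress.ip_address(a)
                          for a in zone.get(target, {}).get("A", []))
        elif name == "include":
            # Section 5.2: include matches only when the recursive evaluation
            # returns "pass"; fail/softfail/neutral mean "no match, keep going".
            sub = check_host(ip, arg, zone, lookups)
            if sub in ("permerror", "temperror"):
                return sub
            if sub == "none":
                return "permerror"  # included domain has no SPF record
            matched = sub == "pass"
        else:
            return "permerror"  # mechanism not supported by this toy evaluator
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # fell off the end with no "all" term


def with_record(zone, domain, record):
    """Return a copy of the zone with one domain's SPF record replaced."""
    copy = {k: dict(v) for k, v in zone.items()}
    copy[domain]["TXT"] = record
    return copy


if __name__ == "__main__":
    hardened = with_record(ZONE, "unsecuredomain.com", "v=spf1 -all")
    for label, zone in (("as published", ZONE), ("unsecuredomain.com -all", hardened)):
        print(label)
        for ip in ("1.2.3.4", "5.6.7.8", "9.9.9.9"):
            print(f"  {ip:>8} as example.com     -> {check_host(ip, 'example.com', zone)}")
            print(f"  {ip:>8} as thirddomain.com -> {check_host(ip, 'thirddomain.com', zone)}")
```

With the records as published, the chain example.com -> otherdomain.com -> thirddomain.com -> unsecuredomain.com ends in "+all", so the innermost include matches for any address and each enclosing include matches in turn; the outer ~all is never reached. Replacing unsecuredomain.com's record with "-all" is the case the RFC quote describes: the included record's "-all" does not end evaluation or produce a fail; it produces no match, and the address then falls through to each record's own ~all.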