Purpose of a and include keywords in SPF
Let me break it down, segment by segment:
- `v=spf1`: SPF version 1 (v=version)
- `a`: Originates from an email server (IP) that has a corresponding A record on the domain in question.
- `ptr`: This is deprecated, and should not be used - see https://www.rfc-editor.org/rfc/rfc7208#section-5.5
- `ip4:46.16.60.0/23`: originates from an email server within the CIDR range specified.
- `a:cdmon.com`: originates from an email server (IP) that has a corresponding A record on the specified zone (cdmon.com).
- `include:srv.cat`: includes the SPF record from the specified zone/record.
- `~all`: this instructs email servers to 'softfail' if SPF does not pass (a condition specified is not met)

- "a" keyword: This adds the IP addresses which are the A- or AAAA-Record of the same Domain. See also the RFC on the "a" mechanism: https://www.rfc-editor.org/rfc/rfc7208#section-5.3

  This mechanism matches if `<ip>` is one of the 's IP addresses. For clarity, this means the "a" mechanism also matches AAAA records.

- include keyword: This includes the SPF record of the specified domain. The RFC says for this:

  The "include" mechanism triggers a recursive evaluation of `check_host()`.

  - The is expanded as per Section 7.
  - check_host() is evaluated with the resulting string as the . The and arguments remain the same as in the current evaluation of check_host().
  - The recursive evaluation returns match, not-match, or an error.
  - If it returns match, then the appropriate result for the "include" mechanism is used (e.g., include or +include produces a "pass" result and -include produces "fail").
  - If it returns not-match or an error, the parent check_host() resumes processing as per the table below, with the previous value of restored.

  [...]

  The "include" mechanism makes it possible for one domain to designate multiple administratively independent domains. For example, a vanity domain "example.net" might send mail using the servers of administratively independent domains example.com and example.org.
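
An added example, not part of either answer above: a simplified Python evaluator for the record discussed, showing how `a` matches both A and AAAA addresses and how a `-all` inside an included record only yields "not-match" for the parent. The hosting domain `example.org`, all addresses (documentation ranges) and the `srv.cat` SPF record are constructed assumptions, and DNS is replaced by in-memory tables.

```python
import ipaddress

# Constructed stand-in for DNS. Addresses are documentation ranges, not the real
# records of these zones; the srv.cat SPF record is hypothetical.
A_AAAA = {
    "example.org": ["192.0.2.10"],
    "cdmon.com": ["198.51.100.5", "2001:db8::5"],
    "srv.cat": ["203.0.113.7"],
}
SPF = {
    "example.org": "v=spf1 a ptr ip4:46.16.60.0/23 a:cdmon.com include:srv.cat ~all",
    "srv.cat": "v=spf1 a -all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(ip, domain, depth=0):
    """Simplified check_host(): a, ip4, ip6, include and all only."""
    if depth > 10:  # simplification: a depth guard instead of the RFC's lookup counter
        return "permerror"
    record = SPF.get(domain)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        name, _, arg = term.lstrip("+-~?").partition(":")
        if name == "all":
            matched = True
        elif name == "a":  # A and AAAA of the argument, or of the current domain
            hosts = A_AAAA.get(arg or domain, [])
            matched = addr in {ipaddress.ip_address(h) for h in hosts}
        elif name in ("ip4", "ip6"):
            matched = addr in ipaddress.ip_network(arg)
        elif name == "include":
            inner = check_host(ip, arg, depth + 1)
            if inner in ("temperror", "permerror", "none"):
                return "permerror" if inner == "none" else inner
            matched = inner == "pass"  # fail/softfail/neutral are only not-match
        else:  # ptr and anything else: never matches in this sketch
            matched = False
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"
```

An address that the included record rejects with `-all` still ends at the parent's `~all`, so the overall result is softfail rather than fail.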