Is it possible to use the keywords a, mx and include together in SPF?
Yes, you can use all those keywords combined, just make sure you don't hit the lookup limit of a maximum of 10 address record lookups: https://www.rfc-editor.org/rfc/rfc7208#section-4.6.4
- The a and ptr keywords result in one lookup
- the ptr keyword is deprecated and should not be used anymore
- the mx keyword results in as many lookups as the MX record returns domains
- the include keyword includes the referenced SPF record, which is:
$ dig srv.cat TXT +short
"v=spf1 a a:include"
Whereas a:include leads to an error as the domain include does not exist.
It is technically possible to mix any mechanisms, but anything other than the ip4 and ip6 mechanisms will cause additional DNS lookups, and there is the overall limit of 10 DNS queries (RFC 7208, 4.6.4). Every a causes one additional lookup and every mx several, depending on the number of MX servers behind it. Also, an include might have chained mechanisms that are also counted toward the limit.
You should carefully think which servers really send email from the domain as an envelope sender and limit your SPF record to only contain the required servers. As your SPF record is now put together it seems you do not have this knowledge and try and add everything "just in case". The policy ends with ~all, which makes everything else only softfail. This does not prevent abuse efficiently; consider using -all instead.
Also, do not use ptr (RFC 7208, 5.5):
Note: This mechanism is slow, it is not as reliable as other mechanisms in cases of DNS errors, and it places a large burden on the .arpa name servers. If used, proper PTR records have to be in place for the domain's hosts and the ptr mechanism SHOULD be one of the last mechanisms checked. After many years of SPF deployment experience, it has been concluded that it is unnecessary and more reliable alternatives should be used instead. It is, however, still in use as part of the SPF protocol, so compliant check_host() implementations MUST support it.
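An added example, not part of either answer: a worst-case counter for the terms that RFC 7208, 4.6.4 lists as causing DNS queries (a, mx, ptr, exists, include and the redirect modifier), following include and redirect chains. The zone data is constructed apart from the srv.cat record quoted above, and the per-mx address lookups, which have their own cap, are not modelled.

```python
# Constructed TXT data standing in for DNS, so the example runs offline.
ZONE = {
    "example.test": "v=spf1 a mx include:srv.cat include:_spf.mail.test ~all",
    "srv.cat": "v=spf1 a a:include",  # the record quoted in the first answer
    "_spf.mail.test": "v=spf1 ip4:192.0.2.0/24 include:_a.mail.test include:_b.mail.test -all",
    "_a.mail.test": "v=spf1 a mx exists:%{i}.bl.mail.test -all",
    "_b.mail.test": "v=spf1 ip6:2001:db8::/32 mx redirect=_c.mail.test",
    "_c.mail.test": "v=spf1 a:out.mail.test -all",
}
LOOKUP_MECHANISMS = {"a", "mx", "ptr", "exists", "include"}  # RFC 7208, 4.6.4
LIMIT = 10


def count_lookup_terms(domain, zone=ZONE, path=()):
    """Worst-case count of lookup-causing terms reachable from domain's record."""
    if domain in path:
        raise ValueError(f"include/redirect loop at {domain}")
    record = zone.get(domain, "")
    if record.lower().split()[:1] != ["v=spf1"]:
        raise LookupError(f"no SPF record for {domain}")
    total = 0
    for term in record.split()[1:]:
        term = term.lstrip("+-~?")          # drop the qualifier
        if term.lower().startswith("redirect="):
            target = term.split("=", 1)[1]
            total += 1 + count_lookup_terms(target, zone, path + (domain,))
            continue
        name, _, arg = term.partition(":")
        name = name.split("/")[0].lower()   # "a/24" -> "a"
        if name in LOOKUP_MECHANISMS:
            total += 1                      # ip4, ip6 and all cost nothing
        if name == "include":
            total += count_lookup_terms(arg, zone, path + (domain,))
    return total


def over_limit(domain, zone=ZONE):
    """True when the record can exceed the limit of 10 lookup-causing terms."""
    return count_lookup_terms(domain, zone) > LIMIT


if __name__ == "__main__":
    for d in ("srv.cat", "_spf.mail.test", "example.test"):
        print(d, count_lookup_terms(d), "over limit" if over_limit(d) else "ok")
```

The count is a worst case: a real evaluation stops at the first matching mechanism, so a given message may trigger fewer queries.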