11

Suppose I have a domain (company.com) with an SPF that looks like this:

v=spf1 ip4:70.70.70.70 include:host.marketing.com -all

and "host.marketing.com" looks like this

v=spf1 ip4:8.8.8.8 ~all

What takes precedence for company.com, the "~" or the "-"? Does the tilde in the marketing company's SPF negate all SPF benefit for company.com?

Is this behavior consistent among all SPF parsers?

makerofthings7
  • 8,911
  • 34
  • 121
  • 197

1 Answers1

6

Assuming that all parsers adhere to the RFC4408 specification, the -all from the company.com record applies. The include does not modify the verification process, it merely expands it to include the mechanisms contained in the included record.

If you were to use redirect in place of include, like this for company.com:

v=spf1 ip4:70.70.70.70 redirect:host.marketing.com -all

the ~all would apply, and -all would be discarded in the verification sequence. That is, again, assuming that all parsers adhere to the specification

Mathias R. Jessen
  • 25,161
  • 4
  • 63
  • 95
  • 1
    By my reading, this is verified with the table on page 18 that specifies a recursive check_host result of neutral causes the include mechanism to not match. – Paul Oct 15 '16 at 18:14