Nov 6, 2017

The "redirect" modifier of Email SPF

redirect=<domain>
The SPF record for <domain> replaces the current record. The macro-expanded domain is also substituted for the current-domain in those look-ups.

Examples:
In the following example, the client IP is 1.2.3.4 and the current-domain is example.com.
"v=spf1 redirect=example.com"
  • If example.com has no SPF record, that is an error; the result is unknown.
  • Suppose example.com's SPF record was "v=spf1 a -all".
  • Look up the A record for example.com. If it matches 1.2.3.4, return Pass.
  • If there is no match, the a mechanism fails to match, and the -all value is used.
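
The evaluation walked through above, as an added example that is not part of the original post: a small evaluator covering only the a, ip4, all and redirect terms, run against constructed zone data instead of live DNS. The referring domain mail.example.org, the other sample names and the check_host helper are assumptions; macro expansion is not implemented and other mechanisms are skipped.

```python
import ipaddress

# Constructed zone data standing in for DNS (hypothetical names, not real records).
TXT = {
    "mail.example.org": "v=spf1 redirect=example.com",
    "example.com": "v=spf1 a -all",
    "ignored.example": "v=spf1 ?all redirect=example.com",
    "broken.example": "v=spf1 redirect=nospf.example",
    "loop.example": "v=spf1 redirect=loop.example",
}
A = {"example.com": ["1.2.3.4"]}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
ERROR = "unknown"   # the page's term; RFC 7208 names this result permerror
MAX_LOOKUPS = 10    # RFC 7208 cap on DNS-querying terms per evaluation


def check_host(ip, domain, lookups=0, redirected=False):
    """Evaluate the a, ip4, all and redirect terms of domain's record for ip."""
    record = TXT.get(domain, "")
    if record.split()[:1] != ["v=spf1"]:
        # No record at a redirect target is an error; at the start it is "none".
        return ERROR if redirected else "none"
    client = ipaddress.ip_address(ip)
    redirect = None
    for term in record.split()[1:]:
        if term.startswith("redirect="):
            redirect = term.split("=", 1)[1]  # remembered, used only at the end
            continue
        qualifier = QUALIFIERS.get(term[0])
        mech = term[1:] if qualifier else term
        name, _, arg = mech.partition(":")
        matched = name == "all"
        if name == "ip4":
            matched = client in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            lookups += 1
            if lookups > MAX_LOOKUPS:
                return ERROR
            hosts = A.get(arg or domain, [])
            matched = any(client == ipaddress.ip_address(h) for h in hosts)
        if matched:
            return qualifier or "pass"
    if redirect is None:
        return "neutral"  # default result when nothing matched
    if lookups + 1 > MAX_LOOKUPS:
        return ERROR  # also stops redirect loops
    # The redirect target's record replaces this one; its result is final.
    return check_host(ip, redirect, lookups + 1, redirected=True)
```

The ignored.example record shows that redirect is consulted only when no mechanism matches: ?all always matches, so the redirect target is never looked up.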

Real example:
$ dig txt aspmx.googlemail.com

;; ANSWER SECTION:
aspmx.googlemail.com. 7199 IN TXT "v=spf1 redirect=_spf.google.com"

$ dig txt _spf.google.com

;; ANSWER SECTION:
_spf.google.com. 299 IN TXT "v=spf1 include:_netblocks.google.com include:_netblocks2.google.com include:_netblocks3.google.com ~all"