--- title: "What Is SPF Redirect? A Complete Explanation | AutoSPF" description: "Learn what SPF Redirect is, how it works, when to use it, and how it simplifies SPF record management while improving email authentication." image: "https://autospf.com/og/blog/what-is-spf-redirect-a-complete-explanation.png" canonical: "https://autospf.com/blog/what-is-spf-redirect-a-complete-explanation/" --- Quick Answer SPF Redirect is an SPF mechanism that points one domain's SPF record to another using the redirect= modifier. It lets domains reuse a single SPF policy, simplifying SPF management while ensuring consistent email authentication across multiple domains. Share [ ](https://www.linkedin.com/sharing/share-offsite/?url=https%3A%2F%2Fautospf.com%2Fblog%2Fwhat-is-spf-redirect-a-complete-explanation%2F "Share on LinkedIn") [ ](https://twitter.com/intent/tweet?text=What%20Is%20SPF%20Redirect%3F%20A%20Complete%20Explanation&url=https%3A%2F%2Fautospf.com%2Fblog%2Fwhat-is-spf-redirect-a-complete-explanation%2F "Share on X/Twitter") [ ](https://www.facebook.com/sharer/sharer.php?u=https%3A%2F%2Fautospf.com%2Fblog%2Fwhat-is-spf-redirect-a-complete-explanation%2F "Share on Facebook") [ ](https://reddit.com/submit?url=https%3A%2F%2Fautospf.com%2Fblog%2Fwhat-is-spf-redirect-a-complete-explanation%2F&title=What%20Is%20SPF%20Redirect%3F%20A%20Complete%20Explanation "Share on Reddit") [ ](mailto:?subject=What%20Is%20SPF%20Redirect%3F%20A%20Complete%20Explanation&body=Check out this article: https%3A%2F%2Fautospf.com%2Fblog%2Fwhat-is-spf-redirect-a-complete-explanation%2F "Share via Email") ![SPF Redirect](https://media.mailhop.org/autospf/dkim-authentication-7502-1782720934151.jpg) An SPF redirect is an SPF modifier that tells an email receiver to use another domain name’s SPF policy when evaluating whether an email sender is authorized to send mail. In practical terms, the redirect modifier lets one SPF record delegate SPF verification to a redirected domain. SPF, defined in RFC7208, allows a domain owner to publish a [DNS TXT record](https://www.cloudflare.com/learning/dns/dns-records/dns-txt-record/) beginning with v=spf1\. That SPF record lists authorized sending sources using an SPF mechanism such as the ip4 mechanism, ip6 mechanism, a mechanism, the mx mechanism, the ptr mechanism, or the include mechanism. A **receiving mail server checks** the SPF record during SPF authentication to determine whether the connecting server is allowed to send for the domain name used in the envelope sender. ### The role of the redirect modifier _The redirect modifier is different from most SPF mechanisms_. It does not directly authorize an IP address or mail server. Instead, the modifier points to another domain name whose SPF record should be used. For example: ``` domain_a.com. TXT "v=spf1 redirect=domain_b.com" ``` In this example, `domain_a.com` does not **define its own sending sources**. Instead, the SPF redirect says: “Use the [SPF record](https://autospf.com/blog/best-practices-for-keeping-spf-record-syntax-short-and-maintainable/) at `domain_b.com`.” If `domain_b.com` authorizes the email sender, then SPF passes for `domain_a.com`. This is useful when multiple domains should follow the same SPF policy. Rather than maintaining duplicate SPF records across every domain name, an organization can centralize the policy in one redirected domain. ![Centralized SPF Architecture](https://media.mailhop.org/autospf/spf-include-4696-1782721298343.jpg) ### How SPF evaluates redirect During mechanism evaluation, the receiving server first **evaluates any mechanisms** in the origin domain’s SPF record. If no mechanism matches and a redirect modifier is present, the email receiver performs a [DNS query](https://uptimerobot.com/knowledge-hub/devops/understanding-dns-queries-a-complete-guide/) for the SPF record of the redirected domain. For example: ``` domain_a.com. TXT "v=spf1 redirect=_spf.mailhardener.com" _spf.mailhardener.com. TXT "v=spf1 ip4:192.0.2.10 include:_spf.mailprovider.com -all" ``` Here, `domain_a.com` delegates SPF validation to `_spf.mailhardener.com`. That redirected domain may then contain an ip4 mechanism, **an include mechanism**, and an all mechanism. The important caveat is that the redirect modifier only applies when no earlier mechanism matches. _If an all mechanism appears before or alongside the redirect in a way that always matches, it can effectively prevent the SPF redirect from being used_. ## SPF Redirect Syntax and DNS Record Examples An SPF redirect is **written as a key/value** SPF modifier using an equal sign: ``` redirect=example.com ``` The syntax uses the modifier name redirect, followed by the equal sign, followed by the modifier value, which is the target domain name. Unlike some [SPF mechanisms](https://autospf.com/blog/spf-mechanism-ordering-sequence-impact-on-deliverability-and-dns-limits/), redirect does not use a colon separator. For example, `include:_spf.mailprovider.com` uses a colon, while `redirect=_spf.mailprovider.com` uses an equal sign. ### Basic redirect syntax A simple SPF record using an **SPF redirect looks** like this: ``` domain_a.com. TXT "v=spf1 redirect=domain_b.com" ``` The redirected domain then publishes the real SPF policy: ``` domain_b.com. TXT "v=spf1 ip4:203.0.113.5 mx -all" ``` In this setup, `domain_a.com` and `domain_b.com` effectively use the **same SPF policy** because SPF verification for `domain_a.com` is redirected to `domain_b.com`. ### Example with Mailhardener and a mail provider A centralized email infrastructure might use a managed SPF record from an [email hardening](https://www.mailhardener.com/kb/email-hardening-guide) platform such as Mailhardener: ``` mailhardener.com. TXT "v=spf1 redirect=_spf.mailhardener.com" _spf.mailhardener.com. TXT "v=spf1 include:_spf.mailprovider.com ip4:198.51.100.25 -all" ``` The redirected domain `_spf.mailhardener.com` contains the actual mechanisms. The include mechanism references `_spf.mailprovider.com`, while the ip4 mechanism authorizes a **specific IP4 sender**. _This arrangement helps with policy consolidation and makes it easier to manage email traffic across a complex email infrastructure_. ### SPF mechanisms inside the redirected domain The redirected SPF record can contain **normal SPF mechanisms**, including: #### A mechanism The a mechanism authorizes the IP address found in the domain’s [DNS A record](https://www.ioriver.io/terms/dns-a-record): ``` v=spf1 a -all ``` This means the sending IP must match the **domain’s A record**. #### MX mechanism The mx mechanism authorizes the mail exchangers listed in the domain’s [MX record](https://www.digicert.com/faq/dns/what-is-an-mx-record): ``` v=spf1 mx -all ``` This means servers **listed in the MX record** may send mail. #### IP4, IP6, and PTR mechanisms An SPF record may also use: ``` v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all ``` The ptr mechanism also exists, but RFC 7208 discourages its use because it is slow, unreliable, and can **create extra DNS queries**. ![Redirect vs Include Comparison Flowchart](https://media.mailhop.org/autospf/microsoft-account-security-alert-5682-1782721343534.jpg) ## SPF Redirect vs. SPF Include: Key Differences The SPF redirect and the include mechanism are often confused because both reference another domain name. However, they behave differently and are used for different purposes. ### Redirect delegates the whole policy The redirect modifier says: “If **no local mechanism matches**, evaluate SPF using the other domain’s SPF record.” Example: ``` domain_a.com. TXT "v=spf1 redirect=domain_b.com" ``` This is best when `domain_a.com` should use the same SPF policy as `domain_b.com`. ### Include adds another authorization source The include mechanism says: “Check whether this other **SPF record authorizes** the sender, and if it passes, treat this mechanism as a match.” Example: ``` domain_a.com. TXT "v=spf1 include:_spf.mailprovider.com -all" ``` The include mechanism is commonly used to **authorize third-party senders**, such as [SaaS platforms](https://www.appdirect.com/resources/glossary/saas-platform), CRMs, help desks, or marketing systems. ### Practical difference in mechanism matching _With an include mechanism, SPF continues evaluating the local SPF record based on the result of the included policy_. With an SPF redirect, the receiving server switches to the redirected domain’s SPF policy only after no local mechanism matches. A key difference is that an include mechanism is an SPF mechanism, while redirect is an SPF modifier. In other words, include participates directly in mechanism matching, while the redirect modifier changes where the **final policy evaluation occurs**. ##### Common syntax comparison ``` v=spf1 include:_spf.mailprovider.com -all v=spf1 redirect=_spf.mailprovider.com ``` Notice the colon after include and the equal sign after redirect. ## Common Use Cases for SPF Redirect An SPF redirect is most useful when an organization wants **consistent SPF behavior** across multiple domains. ### Policy sharing across multiple domains If a company owns `domain_a.com`, `domain_b.com`, and several regional domains, it may want all of them to use the same SPF policy. Instead of copying the same SPF record everywhere, each domain can point to a central redirected domain. Example: ``` domain_a.com. TXT "v=spf1 redirect=_spf.example.net" domain_b.com. TXT "v=spf1 redirect=_spf.example.net" ``` This allows policy sharing and **reduces configuration drift**. ### Centralized email infrastructure Large organizations often have distributed email infrastructure: Microsoft 365, Google Workspace, [transactional email](https://www.infobip.com/blog/everything-you-need-to-know-about-transactional-email) APIs, ticketing systems, and [marketing platforms](https://www.indeed.com/career-advice/career-development/what-is-a-marketing-platform). Maintaining every SPF record manually can lead to syntax errors, failed SPF, and delivery issues. Using an SPF redirect allows the **security or infrastructure team** to manage one authoritative SPF record while many domain name entries reference it. ### Managed SPF through an email security provider Some providers, including platforms such as Mailhardener, publish knowledge base guidance and tools for managing SPF, DMARC, and related [email security](http://autospf.com/) standards. A domain might redirect to a managed domain such as `_spf.mailhardener.com`, while the provider handles updates to downstream senders. This **can improve deliverability** and reduce SPF authentication errors when email infrastructure changes. ![SPF Redirect Syntax Rules](https://media.mailhop.org/autospf/what-is-dkim-3986-1782721487024.jpg) ## Best Practices, Limitations, and Troubleshooting Tips The redirect modifier is powerful, but it must be used carefully. _A misconfigured SPF redirect can cause permerror, neutral results, softerror, or outright failed SPF checks_. ### Use redirect only when domains should share the same SPF policy The best use case for an SPF redirect is when the origin domain and redirected domain should follow the same SPF policy. If one domain needs a **slightly different policy**, use an include mechanism instead. For example, if `domain_a.com` and `domain_b.com` truly share the same email infrastructure, redirect is appropriate. If `domain_a.com` uses one additional email sender, then the redirect may be too rigid. ### Avoid combining redirect with an all mechanism Because **all mechanism always matches**, a record like this is problematic: ``` v=spf1 -all redirect=domain_b.com ``` The `-all` mechanism will match before the redirect modifier is meaningful, so the redirect is effectively ignored. In practice, `-all`, `~all`, `?all`, and other qualifier prefix choices should be placed in the actual redirected SPF record, not the origin domain’s redirect-only record. The prefix **determines the result**: - `-all` means fail. - `~all` means softerror or softfail behavior. - `?all` means neutral. - `+all` means pass, but should rarely be used. ### Watch the DNS lookup limit SPF has a [DNS lookup](https://www.ibm.com/think/topics/dns-lookup) limit of 10\. The redirect modifier causes a DNS lookup, and mechanisms such as the include mechanism, a mechanism, mx mechanism, and the ptr mechanism can also trigger DNS queries. If the SPF record exceeds the lookup limit, the **result is usually permerror**. This can cause delivery issues because some receivers treat SPF permerror strictly, especially when DMARC alignment is also involved. ### Validate records before publishing Use an SPF record validator tool to check for: - Multiple SPF records on the same domain name. - Invalid spf1 syntax. - Missing redirected domain records. - Bad modifier value formatting. - Incorrect separator usage. - Invalid **IP4 or IP6 ranges**. - DNS query expansion beyond the lookup limit. Communities such as [Stack Overflow](https://en.wikipedia.org/wiki/Stack%5FOverflow) and Stack Exchange also contain many practical troubleshooting threads, but authoritative references such as RFC7208 and a provider’s knowledge base should be used for final validation. ### Troubleshoot redirect-specific errors When troubleshooting SPF authentication errors, inspect **both the origin domain** and the redirected domain. #### Check the origin domain Confirm the origin domain has only one SPF record: ``` domain_a.com. TXT "v=spf1 redirect=domain_b.com" ``` _If there are multiple SPF TXT records, receivers may return permerror_. ![Mastering SPF Redirect: A Guide to Centralized Email Policy](https://media.mailhop.org/autospf/how-to-set-up-spf-and-dkim-3452-1782721615741.jpg) #### Check the redirected domain Confirm the redirected domain **publishes a valid SPF record**: ``` domain_b.com. TXT "v=spf1 include:_spf.mailprovider.com ip4:203.0.113.10 -all" ``` If the redirected domain has no SPF record, the redirect modifier can fail validation. #### Confirm the email sender is covered Trace the email sender’s connecting IP through every mechanism. Check whether the IP matches an A record, MX record, IP4 range, IP6 range, or included provider policy. If the email **receiver cannot find a match** during mechanism evaluation, the final result depends on the redirected SPF record’s terminal policy, usually -all, \~all, or ?all. Used correctly, SPF redirect is a clean way to centralize SPF policy, reduce duplicated DNS maintenance, and keep email security aligned across a changing email infrastructure. ![Brad Slavin](https://media.mailhop.org/autospf/images/authors/brad-slavin.jpg) [ Brad Slavin ](/authors/brad-slavin/) General Manager Founder and General Manager of DuoCircle. Product strategy and commercial lead for AutoSPF's 2,000+ customer base. [LinkedIn Profile →](https://www.linkedin.com/in/bradslavin) ## Ready to get started? Try AutoSPF free — no credit card required. [ Book a Demo ](/book-a-demo/) ## Related Articles [ Intermediate 6m 10 Reasons Why DIY-ing SPF isn’t a Good Choice for Companies Apr 4, 2024 ](/blog/10-reasons-diy-ing-spf-isnt-good-choice-for-companies/)[ Intermediate 5m The 12.4 billion shield for your email communications: Why DMARC software is the unsung hero in the war against phishing actors! Nov 19, 2025 ](/blog/12-4-billion-dmarc-software-shield-protecting-email-from-phishing-actors/)[ Intermediate 3m 3 points to consider before setting your SPF record to -all (HardFail) May 22, 2025 ](/blog/3-points-to-consider-before-setting-your-spf-record-hardfail/)[ Intermediate 3m 5 key contributors to the development of the Sender Policy Framework Nov 12, 2024 ](/blog/5-key-contributors-to-sender-policy-framework-development/) ```json {"@context":"https://schema.org","@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com","logo":{"@type":"ImageObject","url":"https://autospf.com/images/autospf-logo.png"},"description":"Automatic SPF flattening and email authentication management. Resolve SPF lookup limits, flatten SPF records, and maintain email deliverability across all your domains.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]},"sameAs":["https://www.wikidata.org/wiki/Q138897474","https://www.linkedin.com/company/autospf","https://x.com/autospf01","https://www.g2.com/products/autospf/reviews"],"contactPoint":{"@type":"ContactPoint","contactType":"customer support","url":"https://autospf.com/contact-us/"},"knowsAbout":["SPF Record Flattening","Sender Policy Framework","Email Authentication","DNS Management","DMARC","DKIM"]} ``` ```json {"@context":"https://schema.org","@type":"WebSite","name":"AutoSPF","url":"https://autospf.com","description":"Automatic SPF flattening and email authentication management. Resolve SPF lookup limits, flatten SPF records, and maintain email deliverability across all your domains.","publisher":{"@type":"Organization","name":"AutoSPF","url":"https://autospf.com","logo":{"@type":"ImageObject","url":"https://autospf.com/images/autospf-logo.png"},"description":"Automatic SPF flattening and email authentication management. Resolve SPF lookup limits, flatten SPF records, and maintain email deliverability across all your domains.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]}}} ``` ```json {"@context":"https://schema.org","@type":"BlogPosting","headline":"What Is SPF Redirect? A Complete Explanation","description":"Learn what SPF Redirect is, how it works, when to use it, and how it simplifies SPF record management while improving email authentication.","url":"https://autospf.com/blog/what-is-spf-redirect-a-complete-explanation/","datePublished":"2026-06-29T00:00:00.000Z","dateModified":"2026-06-29T00:00:00.000Z","dateCreated":"2026-06-29T00:00:00.000Z","author":{"@type":"Person","@id":"https://autospf.com/authors/brad-slavin/#person","name":"Brad Slavin","url":"https://autospf.com/authors/brad-slavin/","jobTitle":"General Manager","description":"Brad Slavin is the founder and General Manager of DuoCircle, the company behind AutoSPF, DMARC Report, Phish Protection, and Mailhop. He founded DuoCircle in 2014 to solve the SPF 10-DNS-lookup problem at scale and has led the company's growth to 2,000+ customers. Brad's focus is product strategy, customer relationships, and the commercial and compliance side of email authentication (DPAs, SLAs, enterprise procurement) rather than hands-on DNS engineering.","image":"https://media.mailhop.org/autospf/images/authors/brad-slavin.jpg","knowsAbout":["Email Security Strategy","SaaS Product Management","Enterprise Compliance","Customer Success","Email Deliverability Business"],"worksFor":{"@type":"Organization","name":"AutoSPF","url":"https://autospf.com"},"sameAs":["https://www.linkedin.com/in/bradslavin"]},"publisher":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com","logo":{"@type":"ImageObject","url":"https://autospf.com/images/autospf-logo.png"},"description":"Automatic SPF flattening and email authentication management. Resolve SPF lookup limits, flatten SPF records, and maintain email deliverability across all your domains.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]},"sameAs":["https://www.wikidata.org/wiki/Q138897474","https://www.linkedin.com/company/autospf","https://x.com/autospf01","https://www.g2.com/products/autospf/reviews"],"contactPoint":{"@type":"ContactPoint","contactType":"customer support","url":"https://autospf.com/contact-us/"},"knowsAbout":["SPF Record Flattening","Sender Policy Framework","Email Authentication","DNS Management","DMARC","DKIM"]},"mainEntityOfPage":{"@type":"WebPage","@id":"https://autospf.com/blog/what-is-spf-redirect-a-complete-explanation/"},"articleSection":"intermediate","keywords":"","image":{"@type":"ImageObject","url":"https://media.mailhop.org/autospf/dkim-authentication-7502-1782720934151.jpg","caption":"SPF Redirect"},"speakable":{"@type":"SpeakableSpecification","cssSelector":[".answer-block","h1"]}} ``` ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https://autospf.com/"},{"@type":"ListItem","position":2,"name":"Blog","item":"https://autospf.com/blog/"},{"@type":"ListItem","position":3,"name":"Intermediate","item":"https://autospf.com/intermediate/"},{"@type":"ListItem","position":4,"name":"What Is SPF Redirect? A Complete Explanation","item":"https://autospf.com/blog/what-is-spf-redirect-a-complete-explanation/"}]} ```