How to include multiple domains in an SPF TXT record (~all and ?all)


Background information

How include works

The RFC says this about include:

The "include" mechanism triggers a recursive evaluation of check_host().

  1. The <domain-spec> is expanded as per Section 7.
  2. check_host() is evaluated with the resulting string as the <domain>. The <ip> and <sender> arguments remain the same as in the current evaluation of check_host().
  3. The recursive evaluation returns match, not-match, or an error.
  4. If it returns match, then the appropriate result for the "include" mechanism is used (e.g., include or +include produces a "pass" result and -include produces "fail").
  5. If it returns not-match or an error, the parent check_host() resumes processing as per the table below, with the previous value of <domain> restored.

Mechanisms (the default mechanism is pass)

"+" pass

A "pass" result means the client is authorized to inject mail with the given identity. The domain can now, in the sense of reputation, be considered responsible for sending the message. Further policy checks can now proceed with confidence in the legitimate use of the identity. This is further discussed in Appendix G.1.

"-" fail

A "fail" result is an explicit statement that the client is not authorized to use the domain in the given identity. Disposition of SPF fail messages is a matter of local policy. See Appendix G.2 for considerations on developing local policy.

"~" softfail

A "softfail" result ought to be treated as somewhere between "fail" and "neutral"/"none". The ADMD believes the host is not authorized but is not willing to make a strong policy statement. Receiving software SHOULD NOT reject the message based solely on this result, but MAY subject the message to closer scrutiny than normal.

"?" neutral

A "neutral" result indicates that although a policy for the identity was discovered, there is no definite assertion (positive or negative) about the client.

A "neutral" result MUST be treated exactly like the "none" result; the distinction exists only for informational purposes. Treating "neutral" more harshly than "none" would discourage ADMDs from testing the use of SPF records (see Section 10.1).

Provided SPF records explained

v=spf1 include:hotmail.com ~all

  • If the email passes hotmail.com then pass it, otherwise treat it as suspicious.

v=spf1 include:servers.mcsv.net ?all

  • If the email passes servers.mcsv.net then pass it, otherwise treat it as if there was no SPF record.

How to merge them

If you want unmatched emails to be treated as neutral, use:

v=spf1 include:hotmail.com include:servers.mcsv.net ?all

If you want it to be treated as being suspicious, then use:

v=spf1 include:hotmail.com include:servers.mcsv.net ~all
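To make the include recursion and the ~all/?all difference concrete, here is an added example (not code from the original answer or from checkspf.net). It is a deliberately small check_host() in the spirit of RFC 7208 that understands only ip4, include and all, and it resolves records from a constructed in-memory table instead of DNS; the hotmail.com and servers.mcsv.net records in that table are made-up simplifications, not the real ones. merge_records() builds the combined record the way the section above describes, and the lookup counter shows the side effect of stacking includes: every include costs one of the 10 DNS-querying terms the RFC allows before the result becomes permerror.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups so the example runs offline.
# The hotmail.com and servers.mcsv.net entries are simplified, made-up records.
FAKE_TXT = {
    "example.com": "v=spf1 include:hotmail.com include:servers.mcsv.net ?all",
    "example.net": "v=spf1 include:hotmail.com include:servers.mcsv.net ~all",
    "hotmail.com": "v=spf1 ip4:192.0.2.0/24 -all",
    "servers.mcsv.net": "v=spf1 ip4:198.51.100.0/24 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DNS_LOOKUPS = 10  # RFC 7208 section 4.6.4 limit on DNS-querying terms


def lookup_spf(domain, txt=FAKE_TXT):
    """Return the SPF record published for domain, or None if there is none."""
    record = txt.get(domain.lower())
    if record is None or not record.lower().startswith("v=spf1"):
        return None
    return record


def check_host(ip, domain, txt=FAKE_TXT, _lookups=None):
    """Simplified RFC 7208 check_host(): returns one of
    pass, fail, softfail, neutral, none or permerror.
    Only the ip4, include and all mechanisms are implemented."""
    if _lookups is None:
        _lookups = [0]  # shared across recursive calls, like a real evaluator
    record = lookup_spf(domain, txt)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"  # the default qualifier is pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "include":
            _lookups[0] += 1
            if _lookups[0] > MAX_DNS_LOOKUPS:
                return "permerror"
            # Recursive evaluation with the same <ip>; only a "pass" from the
            # included record is a match. A record that is missing or broken
            # turns the whole evaluation into permerror (RFC 7208 section 5.2).
            sub = check_host(ip, arg, txt, _lookups)
            if sub in ("none", "permerror"):
                return "permerror"
            matched = sub == "pass"
        else:
            return "permerror"  # mechanism not supported by this toy evaluator
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and the record had no "all" term


def merge_records(records, all_qualifier):
    """Combine several single-purpose records into one: keep every non-'all'
    term in order, drop duplicates, and finish with the chosen qualifier on all."""
    terms = []
    for record in records:
        for term in record.split()[1:]:
            if term.lstrip("+-~?").lower() == "all":
                continue
            if term not in terms:
                terms.append(term)
    return "v=spf1 " + " ".join(terms) + " " + all_qualifier + "all"


if __name__ == "__main__":
    print(merge_records(["v=spf1 include:hotmail.com ~all",
                         "v=spf1 include:servers.mcsv.net ?all"], "?"))
    for ip in ("192.0.2.10", "198.51.100.7", "203.0.113.5"):
        print(ip, "example.com ->", check_host(ip, "example.com"),
              "| example.net ->", check_host(ip, "example.net"))
```

The third address in the usage loop is the interesting one: it is authorised by neither included record, so the only difference between the two merged records is the qualifier on all, and the evaluator returns neutral for the ?all record and softfail for the ~all record. Note also that hotmail.com's -all does not make the outer result fail: a non-pass from an include is just "not-match", and evaluation moves on to the next term, exactly as step 5 of the quoted RFC text says.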

Explaining SPF records

I have made a site (https://www.checkspf.net/), which allows you to see an SPF record explained, with each individual part of the record explained. It is a work in progress site though, so there may be some issues, I am open to Pull Requests with fixes or issue reports.



Author: NvD

Updated on September 18, 2022

Comments

  • NvD
    NvD almost 2 years

    I am looking to set up a TXT SPF record that has 2 included domains. Individually:

    v=spf1 include:hotmail.com ~all
    

    and

    v=spf1 include:servers.mcsv.net ?all
    

    What is the proper way of combining them into a single item?

    • jrtapsell
      jrtapsell about 6 years
      How do you want unhandled email to be treated?
  • GrafOrlov
    GrafOrlov almost 5 years
    Great answer, helps a lot not only to include two domains, but understand how it works.