SPF glossary

What does redirect= do in an SPF record?

Samuel Chenard

By Samuel Chenard · CEO & Co-Founder, Palisade · Reviewed July 15, 2026

redirect= is an SPF modifier that replaces your entire evaluation with another domain's record — v=spf1 redirect=_spf.example.com means that record's result, including its -all, becomes *your* result. Unlike include:, nothing of your own record remains in play. It's how one central SPF policy serves many domains.

redirect= at a glance
Tagredirect (modifier)
Valid valuesredirect=<domain> — note the equals sign, not a colon
DefaultIgnored if the record also contains an all mechanism; permerror if the target has no SPF record.
Where it goesConventionally the last term, in place of all, e.g. v=spf1 redirect=_spf.example.com

How redirect= works

redirect= hands the whole evaluation to another domain: the receiver fetches the target's SPF record and evaluates the sender against it as if it were yours. Whatever that record returns — pass, fail from its -all, anything — becomes your domain's result. That's the key contrast with include:, which only ever *matches on pass* and leaves your own record in charge of everything else.

Two rules to know: if your record also contains an all mechanism, the redirect is ignoredall matches everything first, so the redirect never runs. And if the target domain publishes no SPF record, the result is a permerror. Like include, a redirect costs one of the 10 DNS lookups.

Its natural use is centralization: publish one policy at _spf.example.com, and give every other domain a one-line record that redirects to it. Change the central record once and it applies everywhere — exactly the multi-domain, multi-tenant pattern an MSP managing dozens of client domains needs.

Correct record vs common mistake

Correct

v=spf1 redirect=_spf.example.com

The whole policy is delegated — no all needed; the target record's -all applies as this domain's result.

Common mistake

v=spf1 redirect=_spf.example.com -all

With an all mechanism present, the redirect is ignored entirely. The -all takes over and the redirect never runs — probably not what was intended.

Generate your SPF record

Build a correct SPF record for your domain — add your senders, copy the TXT record. Free, no signup.

Who sends email for this domain?

Each service adds its documented include mechanism.

From your provider's docs, e.g. spf.example-esp.com — commas or spaces between multiple. Some services (Klaviyo, HubSpot, Mailchimp Transactional) authenticate through their own CNAME records instead of a shared include — check their DNS settings page.

How should receivers treat everyone else?

Your SPF record

0/10 DNS lookups

Publish as a TXT record at the domain root. One SPF record per domain — if one exists, merge into it instead of adding another.

Host / Name

yourdomain.com (or @)

Value (TXT)

v=spf1 ~all

Record type: TXT · ip4/ip6 mechanisms don't count against the 10-lookup limit.

Nothing is authorized yet — this record would tell receivers that no server may send for your domain. Select your email providers above (or tick the parked-domain option if that's intended).

After you publish

  1. Add the TXT record at your DNS host.
  2. Verify it with the free SPF checker.
  3. SPF alone doesn't stop spoofing — pair it with DKIM and a DMARC policy. Generate one with the DMARC record generator.

Troubleshooting redirect=

IssueLikely causeFix
SPF broke on many domains at onceAll of them redirect to one central record, and that record has an errorFix the central target — and treat it as shared production: test changes before publishing
redirect appears to do nothingThe record also contains an all mechanism, which makes receivers ignore the redirectRemove the all (the target's all applies) — or remove the redirect if all was the intent
permerror on a redirect-based recordThe target domain publishes no SPF record, or the name is misspelledConfirm the target resolves to a valid v=spf1 TXT record before pointing domains at it

See this on your own domain

Enter your domain — the check runs instantly on the next page. Free, no signup.

Why it matters for MSPs

Redirect is the multi-tenant pattern done right — one central record, every managed domain pointing at it — but it concentrates risk the same way it concentrates control: an error in the central record breaks SPF for every domain redirecting to it, simultaneously. Across 200 tenants that's one DNS edit away from a fleet-wide incident, so the central record deserves change control.

Trusted by MSPs

We increased our meetings booked by 21% and slept better at night knowing our emails are now secured
Marc-André CampagnaMarc-André Campagna CEO, gaiia (YC 2021)Read the case study →
Partner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner Logo

Enforce it — don't just monitor it

Centralizing policy across many domains is the same instinct Palisade productizes: every client domain managed from one place, with DMARC report evidence per tenant and PSA integrations for the workflow — and each domain advanced safely to `p=reject` instead of just sharing a TXT string.

Free 15-day trial · No credit card · Your own domain free forever (NFR)

Frequently asked questions

include is a conditional match inside your record — it only matches if the other record passes, and your own record still decides the rest. redirect replaces your record entirely: the target's result, including its fail, becomes yours.

No — and you must not add it. The target record's all applies as your result, and an all in your own record causes the redirect to be ignored altogether.

Yes — the redirect itself costs one lookup, plus whatever the target record's own mechanisms cost.

Yes — that's its main modern use. Each domain publishes v=spf1 redirect=<central domain>, and you maintain the sender list in exactly one place.

Related terms

What is SPF? Sender Policy Framework explained