SPF record, can additional lookups send email on my behalf

Question

Looking at the hypothetical scenario with 4 domains and their following SPF records:

Domain: example.com SPF record: v=spf1 include:otherdomain.com ~all

Domain: otherdomain.com SPF record: v=spf1 a include:thirddomain.com ~all

Domain: thirddomain.com SPF record: v=spf1 ip4:1.2.3.4 include:unsecuredomain.com ~all

Domain: unsecuredomain.com SPF record: v=spf1 +all

• example.com uses otherdomain.com to send emails on its behalf and "soft fail" any other domains.
• otherdomain.com uses their own IPs to send emails and also allows thirddomain.com to send emails on its behalf and "soft fail" other domains.
• thirddomain.com uses the IP 1.2.3.4 to send emails and allows unsecuredomain.com to send emails on its behalf and "soft fail" other domains
• unsecuredomain.com allows anyone to send emails on its behalf.

Questions: Can anyone, unsecuredomain.com, or thirddomain.com send email on behalf of example.com? Can anyone send emails on behalf of thirddomain.com?

Thank you all

Answer 1

I know what you're worrying about, but it's OK: included domains' all policies do not create a back-door into your own SPF policy.

• otherdomain.com can send for example.com from wherever its A records point, and also from thirddomain.com's literal IP.
• thirddomain.com can send for example.com from its literal IP only.
• unsecuredomain.com can't send for example.com at all.
• Any other source will get a softfail from example.com's ~all default mechanism.

It's clarified in RFC7208 section 5.2:

For example, evaluating a "-all" directive in the referenced record does not terminate the overall processing and does not necessarily result in an overall "fail".

and

With the "include" mechanism, an administratively external set of hosts can be authorized, but determination of sender policy is still a function of the original domain's SPF record (as determined by the "all" mechanism in that record).

In short, only the all mechanism for your own record is used.