Can I Have Multiple SPF Records on My Domain

Is it okay to have multiple SPF records on your domain? The answer is no. Having multiple SPF records is one of the most common SPF errors that domain owners come across: it can completely invalidate your SPF and lead to an SPF PermError. To understand why this happens, we need to know how SPF functions and why having more than one SPF record causes authentication to fail. Conduct your SPF record check today to find errors in your SPF record configuration.

How Does SPF Work?

Sender Policy Framework (SPF) is a popular email authentication protocol that works by listing all of the sending sources that are authorized to send email on behalf of your domain. SPF relies on DNS queries, or DNS lookups: the receiving MTA looks up the SPF record in the DNS of your email’s Return-path domain and checks whether the sending server’s IP address matches the authorized sources listed in that record.

If there is a match found, the email passes SPF, else it fails SPF.

Hence, configuring SPF is simply a matter of publishing a DNS TXT record that starts with the “v=spf1” tag.

What is SPF PermError?

When a receiving MTA begins SPF authentication for an email, it fetches all the DNS TXT records of the sending domain that begin with “v=spf1”. If SPF is not configured for the sending domain and no SPF record is found in the DNS, a None result is returned. If, on the other hand, multiple TXT records beginning with “v=spf1” exist for the same domain, a PermError result is returned.

The wrong way: 

Record Type | Domain Name       | Record Value                        | TTL
TXT         | exampledomain.com | v=spf1 include:_spf.zoho.com -all   | default
TXT         | exampledomain.com | v=spf1 include:_spf.google.com -all | default

In this example, two separate SPF TXT records have been published in the DNS of the domain exampledomain.com. SPF authentication therefore fails with an SPF PermError.


The right way: 

Record Type | Domain Name       | Record Value                                                | TTL
TXT         | exampledomain.com | v=spf1 include:_spf.zoho.com include:_spf.google.com -all   | default

In this example, the domain exampledomain.com has only a single SPF TXT record published in the DNS, created by combining all the include mechanisms into one record. The record is valid, and SPF would not return a PermError result in this case. Learn how to optimize your SPF record the correct way to avoid SPF record errors in the future.

Other Factors Affecting SPF: Types of SPF Errors

As discussed above, having more than one SPF record is a common SPF error that can render your SPF record invalid and fail SPF authentication. So the answer to “Can I have multiple SPF records on my domain?” is plain and simple: no, you cannot. Even after ensuring that you have only one SPF record published in your DNS, other factors can still cause SPF errors.

  • Exceeding the SPF limit of 10 DNS lookups also returns an SPF PermError and breaks SPF.
  • Manually flattening your SPF record to pull in all the IP addresses behind your include mechanisms can lead to a lengthy record that exceeds the 255-character limit of a single TXT string.
  • Your email service providers, such as Zoho, Gmail, or Outlook, can change or add to their IP addresses, which invalidates a flattened SPF record.
  • Your SPF record might contain syntax errors.
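The following is an added example, not code from the original article or from PowerDMARC: it applies the receiver's record-selection rule from the PermError section to a constructed set of TXT records, merges the two "wrong way" records into the single "right way" record, and counts the top-level DNS-lookup mechanisms that the 10-lookup limit applies to. The TXT record values, including the non-SPF verification string, are constructed for the example.

```python
import re

# Terms whose evaluation triggers a DNS lookup and therefore counts toward the
# 10-lookup limit (RFC 7208, section 4.6.4); ip4/ip6/all do not.
LOOKUP_MECHANISMS = ("include", "a", "mx", "ptr", "exists", "redirect")


def is_spf_record(txt):
    """RFC 7208 version check: exactly 'v=spf1' followed by a space or end of string."""
    lowered = txt.lower()
    return lowered == "v=spf1" or lowered.startswith("v=spf1 ")


def select_spf_record(txt_records):
    """Mirror the receiver's first step: ('none', None) with no record,
    ('permerror', None) with more than one, ('ok', record) with exactly one."""
    spf = [r for r in txt_records if is_spf_record(r)]
    if not spf:
        return "none", None
    if len(spf) > 1:
        return "permerror", None
    return "ok", spf[0]


def count_dns_lookups(record):
    """Count the top-level terms of one record that require a DNS lookup."""
    count = 0
    for term in record.split()[1:]:
        term = term.lstrip("+-~?")                     # drop the qualifier
        name = re.split(r"[:/=]", term, maxsplit=1)[0]  # mechanism/modifier name
        if name.lower() in LOOKUP_MECHANISMS:
            count += 1
    return count


def merge_spf_records(records, final="-all"):
    """Combine several v=spf1 records into one: keep each non-'all' term once,
    in order of first appearance, and end with a single 'all' term."""
    terms = []
    for rec in records:
        for term in rec.split()[1:]:
            if term.lstrip("+-~?").lower() == "all":
                continue
            if term not in terms:
                terms.append(term)
    return " ".join(["v=spf1", *terms, final])


# Constructed sample: the article's "wrong way", plus an unrelated TXT record
# that a receiver must ignore because it does not start with v=spf1.
WRONG_WAY = [
    "v=spf1 include:_spf.zoho.com -all",
    "v=spf1 include:_spf.google.com -all",
    "site-verification=constructed-sample-token",
]
```

Running `select_spf_record(WRONG_WAY)` yields `permerror`, while `merge_spf_records(WRONG_WAY[:2])` produces the single record from the "right way" table, which then evaluates to `ok` with two DNS lookups.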

In order to avoid the above-mentioned errors, use PowerSPF to automatically flatten your SPF record and stay under the 10 DNS lookup limit.

You can generate your error-free SPF record using our free SPF record generator. Sign up today for DMARC Analyzer to configure SPF correctly for your domain and avoid all SPF errors.