Can I Have Multiple SPF Records on My Domain

Is it okay to have multiple SPF records on your domain? The answer is no. Having multiple SPF records is one of the most common SPF errors domain owners run into, and it completely invalidates your SPF and produces an SPF PermError. To understand why, we need to look at how SPF works and why more than one SPF record breaks authentication. Run a check of your domain records today to find errors in your SPF record configuration.

How Does SPF Work?

Sender Policy Framework (SPF) is a widely used email authentication protocol in which the domain owner publishes a list of all the sending sources that are authorized to send email on behalf of the domain. SPF works through DNS queries, or DNS lookups: the receiving MTA takes the domain from your email’s Return-Path address, fetches the SPF record that resides in that domain’s DNS, and validates the sender by matching its IP address against the list of IP addresses in that record.

If a match is found, the email passes SPF; otherwise it fails SPF.

Hence, configuring SPF is simply a matter of publishing a DNS TXT record that starts with the “v=spf1” tag.
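To make the matching step concrete, here is a small SPF evaluator written for this article (it is an added example, not code from the original page or from any SPF library). It replaces the receiving MTA’s DNS lookups with an in-memory table of constructed, hypothetical TXT records, reads the “v=spf1” record for the Return-Path domain, and walks its mechanisms in order until one matches the sender’s IP address. Only the ip4, ip6, include and all mechanisms are handled; the domain names and addresses are placeholders.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups (hypothetical zone data, not real
# records). A receiving MTA would query DNS for these instead.
FAKE_DNS_TXT = {
    "exampledomain.com": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
}

# Qualifier prefix -> SPF result when the mechanism it precedes matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(ip, domain, dns=FAKE_DNS_TXT, depth=0):
    """Return the SPF result ("pass", "fail", "softfail", "neutral", "none",
    "permerror") for a sender at `ip` using `domain` as the Return-Path domain."""
    if depth > 10:
        return "permerror"          # runaway include chain
    record = dns.get(domain)
    if record is None:
        return "none"               # no SPF record published for this domain
    terms = record.split()
    if terms[0].lower() != "v=spf1":
        return "none"
    addr = ipaddress.ip_address(ip)

    for term in terms[1:]:
        qualifier = "+"             # a mechanism with no prefix means "pass"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()

        if name == "all":
            return QUALIFIERS[qualifier]    # catch-all: applies to every sender
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)   # bare IP -> /32 or /128
            except ValueError:
                return "permerror"          # malformed address is a syntax error
            if addr.version == net.version and addr in net:
                return QUALIFIERS[qualifier]
        elif name == "include":
            sub = check_host(ip, arg, dns, depth + 1)
            if sub == "pass":
                return QUALIFIERS[qualifier]
            if sub in ("none", "permerror"):
                return "permerror"          # included domain must have a valid record
            # fail / softfail / neutral from the include: no match, keep going
        else:
            raise NotImplementedError(f"mechanism {name!r} is not handled in this example")

    return "neutral"    # nothing matched and no "all" mechanism present
```

Evaluation stops at the first matching mechanism, which is why the position of “-all” matters: anything listed after it is never reached.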

What is SPF PermError?

When a receiving MTA begins SPF authentication of an email, it fetches all the DNS TXT records of the sending domain that begin with “v=spf1”. If SPF is not configured for the sending domain and no SPF record is found in the DNS, a None result is returned. If, on the other hand, multiple records beginning with “v=spf1” exist for the same domain, an SPF PermError result is returned.

SPF record with multiple includes: which is the right way to publish the record?

The wrong way:

Record Type   Domain Name         Record Value                          TTL
TXT           exampledomain.com   v=spf1 include:_spf.zoho.com -all     default
TXT           exampledomain.com   v=spf1 include:_spf.google.com -all   default

In this example, two separate DNS TXT records have been published for the domain exampledomain.com, one for each include. In this case SPF authentication fails and a permanent error result is returned for your domain: each include has been published as its own record, so the domain ends up with multiple SPF records.


The right way:

Record Type   Domain Name         Record Value                                                  TTL
TXT           exampledomain.com   v=spf1 include:_spf.zoho.com include:_spf.google.com -all     default

In this example, the domain exampledomain.com has a single SPF DNS TXT record instead of several. This is achieved by placing both include mechanisms in the same record. The record is valid and SPF does not return a PermError in this case. Learn how to optimize your SPF record correctly to avoid SPF record errors in the future.

Other Factors Affecting SPF: Types of SPF Errors

As discussed above, having multiple SPF records is a common SPF error that renders your SPF record invalid and fails SPF authentication. So the answer to “Can I have multiple SPF records on my domain?” is plain and simple: no, you cannot. Even after ensuring that you have only one SPF record published in your DNS, other factors can still cause SPF errors.

  • Exceeding the SPF limit of 10 DNS lookups also returns an SPF PermError and breaks SPF.
  • Manually flattening your SPF record to pull in all the IP addresses behind your include mechanisms can produce a lengthy record that exceeds the 255-character limit of a single TXT string.
  • Your email service providers, such as Zoho, Gmail or Outlook, can change or add to their IP addresses, which invalidates your SPF record.
  • Your SPF record might contain syntax errors.
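The checks from this list and from the “wrong way” / “right way” tables above can be automated before a record is published. The script below is an added example written for this article (not code from the page, PowerSPF or any SPF library): it mimics the receiver’s first step of selecting the one “v=spf1” record (None vs. PermError), merges several records into the single record that should be published, and lints a record for the 10-lookup limit, the 255-character string limit, a misplaced “all” and unknown terms. The TXT values are the article’s own examples plus constructed placeholders; the lookup count covers only the terms written in the record itself, not the lookups hidden behind each include.

```python
import re

# Constructed example zone: the article's "wrong way", two TXT records
# that both begin with v=spf1.
TXT_RECORDS_WRONG = [
    "v=spf1 include:_spf.zoho.com -all",
    "v=spf1 include:_spf.google.com -all",
]

# Mechanisms and the modifier that each cost one of the 10 permitted DNS lookups.
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")
NON_LOOKUP_TERMS = ("ip4", "ip6", "all", "exp")
MAX_LOOKUPS = 10
MAX_STRING_LEN = 255        # a single TXT character-string holds at most 255 bytes


def is_spf(record):
    """True when the record starts with the v=spf1 version tag."""
    return record.split(" ", 1)[0].lower() == "v=spf1"


def select_spf_record(txt_records):
    """Mimic the receiver: return ("none", None), ("permerror", None) or ("ok", record)."""
    spf = [r for r in txt_records if is_spf(r)]
    if not spf:
        return "none", None
    if len(spf) > 1:
        return "permerror", None        # multiple v=spf1 records invalidate SPF entirely
    return "ok", spf[0]


def split_terms(record):
    """Return the mechanisms/modifiers after the version tag."""
    return record.split()[1:]


def term_name(term):
    """Strip the qualifier and return the lowercase mechanism or modifier name."""
    term = term.lstrip("+-~?")
    return re.split(r"[:/=]", term, 1)[0].lower()


def count_lookups(record):
    """Count lookup-incurring terms written directly in the record."""
    return sum(1 for t in split_terms(record) if term_name(t) in LOOKUP_TERMS)


def lint_record(record):
    """Return a list of problems a domain owner should fix before publishing."""
    problems = []
    terms = split_terms(record)
    lookups = count_lookups(record)
    if lookups > MAX_LOOKUPS:
        problems.append(f"{lookups} DNS lookups exceed the limit of {MAX_LOOKUPS}")
    if len(record) > MAX_STRING_LEN:
        problems.append(f"record is {len(record)} chars; a single TXT string holds {MAX_STRING_LEN}")
    all_positions = [i for i, t in enumerate(terms) if term_name(t) == "all"]
    if not all_positions:
        problems.append("no 'all' mechanism: unmatched senders get a neutral result")
    elif all_positions[0] != len(terms) - 1:
        problems.append("terms after 'all' are never evaluated")
    for t in terms:
        if term_name(t) not in LOOKUP_TERMS + NON_LOOKUP_TERMS:
            problems.append(f"unknown term {t!r} (syntax error, evaluates to permerror)")
    return problems


def merge_spf_records(txt_records, default_all="-all"):
    """Combine several v=spf1 records into the one record that should be published.

    Mechanisms keep their original order, exact duplicates are dropped, the
    trailing 'all' of each source record is removed and one 'all' is appended."""
    merged = []
    for r in txt_records:
        if not is_spf(r):
            continue                    # e.g. a v=DMARC1 TXT record in the same zone
        for t in split_terms(r):
            if term_name(t) == "all":
                continue
            if t not in merged:
                merged.append(t)
    return "v=spf1 " + " ".join(merged + [default_all])


if __name__ == "__main__":
    print(select_spf_record(TXT_RECORDS_WRONG))      # ('permerror', None)
    fixed = merge_spf_records(TXT_RECORDS_WRONG)
    print(fixed)                                      # the article's "right way" record
    print(select_spf_record([fixed]), lint_record(fixed))
```

Merging is only the first step: the lint count does not follow includes, so a record with two includes that each expand to five more lookups still breaks the limit at the receiver, which is why flattening tools resolve the whole tree before deciding.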

In order to avoid multiple SPF records and other common errors, use PowerSPF to automatically flatten your SPF record and stay under the 10 DNS lookup limit. Want to know if you’re abiding by all the SPF rules? Check your SPF record using our SPF record checker for free.

You can generate your error-free SPF record using our free SPF record generator. Sign up today for DMARC Analyzer to configure SPF correctly for your domain and avoid all SPF errors.