Is it okay to have multiple SPF records on your domain? The answer might surprise you! SPF records are crucial for email authentication, but having more than one can actually hurt your deliverability.
Having multiple SPF records is one of the most common SPF errors domain owners come across. It invalidates your SPF entirely, because receivers return an SPF PermError instead of evaluating any of the records. To understand why, we need to know how SPF functions and why more than one SPF record breaks the authentication.
*Pro Tip: Conduct your domain record check today to find errors in your SPF record configuration.
How SPF Records Function
Sender Policy Framework, or SPF, is a widely used email authentication protocol in which a domain owner publishes, in DNS, the list of sending sources that are authorized to send email on behalf of the domain.
During an SPF check, the receiving MTA takes the domain of the envelope sender (the MAIL FROM address, which shows up as Return-Path in the delivered message; the HELO/EHLO hostname can be checked the same way), performs DNS query requests, or DNS lookups, for that domain's SPF record, and evaluates the record's mechanisms left to right against the IP address that connected to it. The first mechanism that matches decides the result: pass when the connecting IP matches an authorized source, otherwise fail, softfail or neutral depending on the qualifier on the record's final "all" term. Mechanisms such as include, a and mx are resolved with further DNS lookups; ip4 and ip6 list addresses directly.
Hence, configuring SPF is simply publishing a DNS TXT record whose content starts with the "v=spf1" version tag.
The Myth of Multiple SPF Records
While some services might suggest adding a separate SPF record for each of them, the truth is a domain can only have one SPF record. The SPF standard (RFC 7208, which replaced RFC 4408) is explicit: a domain must not publish more than one record beginning with "v=spf1".
During an SPF check, encountering multiple records leads to a "PermError": the receiving server does not pick one of them, it aborts the SPF evaluation for that domain.
When a receiving MTA begins SPF authentication on an email, it queries the TXT records of the sending domain and keeps only those whose content starts with "v=spf1" followed by a space or by the end of the string, so unrelated TXT records (site-verification strings, for example) are ignored. If no record survives that filter, SPF is not configured for the domain and a None result is returned. If more than one record survives, an SPF PermError result is returned and none of the records is evaluated.
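The selection step described above, written out as an added example (this is not code from the article or from PowerDMARC). The TXT record sets are constructed, in-memory stand-ins for DNS answers and the zone names are hypothetical; the function applies the RFC 7208 section 4.5 rule of keeping records that start with "v=spf1" and returning None, the record, or PermError.

```python
"""How a receiving MTA selects the SPF record (RFC 7208, section 4.5).

Added example, not code from the original article or from PowerDMARC.
The TXT record sets below are constructed in-memory stand-ins for DNS
answers; the zone names are hypothetical.
"""

SPF_VERSION = "v=spf1"


def select_spf_record(txt_records):
    """Classify a domain's TXT records the way an SPF verifier does.

    Returns one of:
      ("none", None)          no record starts with the SPF version tag
      ("record", text)        exactly one SPF record, ready to evaluate
      ("permerror", reason)   more than one SPF record (RFC 7208 4.5)

    The version tag must be followed by a space or by the end of the
    string, so "v=spf10 ..." is not an SPF record. The tag is an ABNF
    literal and therefore matched case-insensitively.
    """
    candidates = [
        txt for txt in txt_records
        if txt.lower() == SPF_VERSION or txt.lower().startswith(SPF_VERSION + " ")
    ]
    if not candidates:
        return ("none", None)
    if len(candidates) > 1:
        return ("permerror",
                "%d SPF records published, exactly one is allowed" % len(candidates))
    return ("record", candidates[0])


# Constructed sample data (hypothetical names, not real DNS answers).
SAMPLE_TXT = {
    # The "wrong way": two SPF records on the same name.
    "two-records.example": [
        "v=spf1 include:_spf.zoho.com -all",
        "v=spf1 include:_spf.google.com -all",
        "google-site-verification=abc123",   # unrelated TXT, ignored
    ],
    # The "right way": one record carrying both includes.
    "one-record.example": [
        "v=spf1 include:_spf.zoho.com include:_spf.google.com -all",
    ],
    # No SPF published at all; look-alike strings do not count.
    "no-spf.example": [
        "v=spf10 this-is-not-spf",
        "some-other-verification=xyz",
    ],
}


def check_domain(domain, txt_by_name=SAMPLE_TXT):
    """Look the domain up in the constructed data and classify its SPF."""
    return select_spf_record(txt_by_name.get(domain, []))


if __name__ == "__main__":
    for name in SAMPLE_TXT:
        print("%-20s -> %s" % (name, check_domain(name)))
```

Against a live domain, `dig +short TXT yourdomain.com` returns the TXT set to feed into select_spf_record (strip the quotes dig prints around each string); two answers beginning with v=spf1 is exactly the error this article describes.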
The Trouble with Multiple SPF Records
Publishing more than one SPF record for a domain (as opposed to one record with several include mechanisms, which is valid) can have serious consequences such as:
- Emails landing in spam folders
- Emails being rejected entirely, particularly if you also publish a DMARC policy of p=reject: with SPF in PermError, DMARC can only pass on an aligned DKIM signature
This is a very common issue. Several domain analysis reports by PowerDMARC revealed that one of the most common mistakes domain owners make is having more than one SPF record per domain, and it is one of the primary causes of broken SPF configurations.
Multiple SPF Records Example
Given below is an example of multiple separate SPF records published for the same domain.
The wrong way:
RECORD TYPE | DOMAIN NAME | RECORD VALUE | TTL |
---|---|---|---|
TXT | exampledomain.com | v=spf1 include:_spf.zoho.com -all | default |
TXT | exampledomain.com | v=spf1 include:_spf.google.com -all | default |
In this example, two separate TXT records, each starting with "v=spf1", have been published for exampledomain.com, so the domain has two SPF records. A receiver returns a permanent error (PermError) for the domain and evaluates neither record: mail sent through Zoho and mail sent through Google both fail to pass SPF, even though each include on its own would have been valid.
The right way:
RECORD TYPE | DOMAIN NAME | RECORD VALUE | TTL |
---|---|---|---|
TXT | exampledomain.com | v=spf1 include:_spf.zoho.com include:_spf.google.com -all | default |
In this example, the domain exampledomain.com has only a single SPF DNS TXT record instead of multiple SPF records. This is achieved by placing both include mechanisms in the same record, followed by a single "all" term. The record is valid and SPF would not return a PermError result in this case.
*Pro Tip: Learn how to optimize SPF records in the correct way to avoid SPF record errors in the future.
How to Fix the Multiple SPF Records Problem?
Fixing the multiple SPF records error is easy with PowerDMARC! Follow the steps given below to correctly configure SPF multiple includes for your domain:
Step 1: Confirm SPF Multiple Records Error
The first step is to check for SPF multiple records. Sign up on PowerDMARC for free and use our SPF record generator tool to confirm the presence of this error.
Alternatively, you can manually look up your record in your DNS. If you are using a DNS hosting provider like Cloudflare, CloudDNS, DNS Made Easy, Namecheap, or others the process won’t be the same for each provider. However, the usual general steps are to enter your DNS management console, access your DNS zone editor, and click on Manage Domains. You will be able to find your DNS records for SPF in the DNS zone of your domain.
Step 2: Delete the Multiple SPF records for a Single Domain
If your domain contains multiple records for SPF, it's time to edit the DNS records and delete all records except one. Before deleting anything, copy the mechanisms (include, ip4, a, mx and so on) from every record: any sender whose include you remove fails SPF until it is added back in the next step, so have the merged value ready. Make sure you are left with a single SPF record per domain.
Step 3: Combine SPF Records
Finally, edit the remaining single SPF record to combine the mechanisms from all the old records. This fixes the error while still authorizing every sender in one record.
- Enter your DNS Management Console
- Click to Edit your SPF record
- In the syntax, use the SPF "include" mechanism once per service you wish to authorize, all within the same record, as in the single-record example shown under "The right way" above.
You can keep adding more “includes” to the same SPF record to authorize all your third-party services. Once done make sure you save your record in the DNS.
Note: Instead of the hard-fail qualifier (-all) you can use softfail (~all), which asks receivers to accept but mark mail that does not match the record. Pick one qualifier for the merged record rather than carrying over a mix from the old records; only the last "all" term is meaningful.
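Steps 2 and 3 carried out mechanically, as an added example that is not code from the article or from PowerDMARC: merge_spf_records is a hypothetical helper that takes the separate records, keeps each mechanism once, drops the per-record "all" terms and appends a single chosen qualifier. The input records are constructed, modelled on the two-record example earlier in the article plus a third overlapping one.

```python
"""Merge several SPF records for one domain into the single record DNS allows.

Added example, not code from the original article or from PowerDMARC.
merge_spf_records is a hypothetical helper; the input records are
constructed, modelled on the two-record example in the article.
"""

ALL_TERMS = ("all", "+all", "-all", "~all", "?all")


def merge_spf_records(records, final_all="-all"):
    """Return (merged_record, warnings) for a list of "v=spf1 ..." strings.

    Rules applied:
      * each input must start with v=spf1, otherwise ValueError
      * per-record "all" terms are dropped and one final_all is appended,
        with a warning when a record used a different qualifier (e.g. ~all)
      * duplicate terms are kept once, in first-seen order
      * a redirect= modifier replaces the rest of a record's policy, so it
        cannot be merged mechanically and is reported for manual review
    The result may still exceed the 10 DNS-lookup limit; check that separately.
    """
    warnings = []
    merged_terms = []
    seen = set()
    for rec in records:
        tokens = rec.split()
        if not tokens or tokens[0].lower() != "v=spf1":
            raise ValueError("not an SPF record: %r" % rec)
        for term in tokens[1:]:
            key = term.lower()
            if key in ALL_TERMS:
                if key != final_all.lower():
                    warnings.append("dropped %s from %r; using %s" % (term, rec, final_all))
                continue
            if key.startswith("redirect="):
                warnings.append("%s in %r needs manual merging" % (term, rec))
                continue
            if key in seen:
                continue
            seen.add(key)
            merged_terms.append(term)
    merged = " ".join(["v=spf1"] + merged_terms + [final_all])
    return merged, warnings


# Constructed input: the article's two records plus a hypothetical third
# record that overlaps with them and uses a softfail qualifier.
SEPARATE_RECORDS = [
    "v=spf1 include:_spf.zoho.com -all",
    "v=spf1 include:_spf.google.com -all",
    "v=spf1 ip4:192.0.2.10 include:_spf.google.com ~all",
]

if __name__ == "__main__":
    record, notes = merge_spf_records(SEPARATE_RECORDS)
    print(record)          # the one TXT record to publish
    for note in notes:
        print("warning:", note)
```

Publish the returned record as the domain's only "v=spf1" TXT record; review every warning before saving, since a dropped ~all or an unmerged redirect changes what the old records meant.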
Steps to Add Multiple SPF Records
If you use multiple email vendors for a single domain, configuring a separate SPF record for each of them is the wrong way to set up SPF. Instead, here's what you need to do:
1. PowerDMARC can help you authorize all of your vendors in one SPF record. Use our SPF record generator tool to create a free record.
2. In the field labeled "Authorize domains or 3rd party services that send emails on behalf of this domain." enter all third-party vendors you wish to authorize. This is the step that merges what would otherwise be separate SPF records.
3. Copy and paste the single generated SPF record, which covers all of your authorized senders, into your DNS. Save the record.
The Problem with an SPF Record with Multiple Includes
Having many include mechanisms in one record is not always the right approach either. While combining SPF records this way gets rid of the multiple-records error, it can introduce a different one. Every include mechanism costs the receiver a DNS lookup, and so do the a, mx, ptr and exists mechanisms and the redirect modifier; includes nested inside a third party's own record count against your domain as well. RFC 7208 limits the number of such lookups during one SPF evaluation to 10 (ip4, ip6 and all do not count).
Exceeding the SPF 10-lookup limit also returns an SPF PermError and breaks SPF, even though every individual include is valid.
To stay under the 10 DNS lookup limit for SPF:
- You can manually flatten your SPF record, replacing include mechanisms with the ip4/ip6 addresses behind them. However, this tends to produce a lengthy record (each TXT string is limited to 255 characters, and RFC 7208 recommends keeping the whole record under 512 bytes so it fits in a single UDP DNS response), and the record goes stale whenever a provider changes its addresses.
- Or, you can use SPF macros. A single mechanism such as exists:%{i}._spf.yourdomain.com costs one lookup no matter how many sender addresses the zone behind it answers for, which keeps you within both the lookup and the length limits.
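The lookup accounting described above, as an added example that is not code from the article or from PowerDMARC. ZONE is a constructed, in-memory stand-in for DNS with hypothetical names (each mapped to its single SPF record), and count_lookups and check_lookup_limit are hypothetical helper names. It follows includes and redirects so that a third party's nested includes are charged to the sending domain, and it contrasts a flattened record and a macro-based record with the combined record.

```python
"""Count the DNS-querying SPF terms a receiver would evaluate (RFC 7208 4.6.4).

Added example, not code from the original article or from PowerDMARC.
ZONE is a constructed, in-memory stand-in for DNS (hypothetical names,
each mapped to its single SPF record); count_lookups and
check_lookup_limit are hypothetical helper names.
"""

MAX_DNS_LOOKUPS = 10
# Mechanisms and the one modifier that each cost a DNS query; ip4, ip6,
# all and exp are free.
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")


def term_name(term):
    """'-include:x.example' -> 'include', 'a/24' -> 'a', 'redirect=y' -> 'redirect'."""
    name = term.lstrip("+-~?").lower()
    for sep in (":", "=", "/"):
        name = name.split(sep, 1)[0]
    return name


def count_lookups(domain, zone, depth=0):
    """Total DNS-querying terms reached from `domain`, following include and redirect.

    Nested includes count against the sending domain's budget, which is
    why a handful of third-party includes can exhaust it.
    """
    if depth > 20:
        raise RecursionError("include/redirect loop reached via %s" % domain)
    record = zone.get(domain)
    if record is None:
        return 0   # unpublished target: the query itself was already counted
    total = 0
    for term in record.split()[1:]:
        name = term_name(term)
        if name not in LOOKUP_TERMS:
            continue
        total += 1
        if name == "include":
            total += count_lookups(term.split(":", 1)[1], zone, depth + 1)
        elif name == "redirect":
            total += count_lookups(term.split("=", 1)[1], zone, depth + 1)
    return total


def check_lookup_limit(domain, zone):
    """Return (lookups, verdict) where verdict is 'ok' or 'permerror'."""
    n = count_lookups(domain, zone)
    return n, ("ok" if n <= MAX_DNS_LOOKUPS else "permerror")


# Constructed zone modelled on the article's example: one combined record
# with several third-party includes whose own records nest further includes.
ZONE = {
    "exampledomain.com": "v=spf1 mx include:_spf.mailer-a.example "
                         "include:_spf.mailer-b.example include:spf.crm.example ~all",
    "_spf.mailer-a.example": "v=spf1 include:a1.mailer-a.example include:a2.mailer-a.example -all",
    "a1.mailer-a.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "a2.mailer-a.example": "v=spf1 ip4:198.51.100.0/24 -all",
    "_spf.mailer-b.example": "v=spf1 include:b1.mailer-b.example include:b2.mailer-b.example "
                             "include:b3.mailer-b.example ~all",
    "b1.mailer-b.example": "v=spf1 ip4:203.0.113.0/25 ~all",
    "b2.mailer-b.example": "v=spf1 ip6:2001:db8::/32 ~all",
    "b3.mailer-b.example": "v=spf1 ip4:203.0.113.128/25 ~all",
    "spf.crm.example": "v=spf1 a mx ptr redirect=spf2.crm.example",
    "spf2.crm.example": "v=spf1 ip4:192.0.2.200 -all",
    # The address ranges above flattened into literals: zero lookups, but
    # stale the moment any provider changes an address.
    "flattened.example": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.0/24 ip4:203.0.113.0/24 "
                         "ip6:2001:db8::/32 ip4:192.0.2.200 -all",
    # Macro form: one exists lookup whose hostname carries the sender IP,
    # answered per IP by a dedicated zone instead of by a growing list.
    "macro.example": "v=spf1 exists:%{i}._spf.macro.example -all",
}

if __name__ == "__main__":
    for name in ("exampledomain.com", "flattened.example", "macro.example"):
        print("%-20s %2d lookups -> %s" % ((name,) + check_lookup_limit(name, ZONE)))
```

The combined record reaches 13 lookups, three over the limit, even though it has only three includes of its own; the flattened record costs none, and the macro record costs exactly one regardless of how many addresses the _spf zone behind it answers for.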
In order to avoid multiple SPF records and other common errors, use PowerDMARC’s hosted SPF solution. We integrate macros in your SPF record to ensure you enjoy error-free SPF that is optimized and updated.
Additionally, you can use our DMARC Analyzer to set up DMARC for your domains. DMARC builds on SPF and DKIM to help you protect against phishing attacks, spoofing and domain abuse.
Final Words
Having a single, well-configured SPF record is essential for optimal email deliverability. In this blog we explained how you can combine SPF records into one for an error-free SPF setup. While SPF is a great first step, consider exploring other email authentication methods like DKIM and DMARC for even better protection.
To explore more such domain security solutions to simplify security for your emails – contact us today!