Key Takeaways
- Having multiple SPF records can lead to email deliverability issues and result in SPF PermError.
- A domain should only have one SPF record to avoid confusion during SPF authentication.
- Combining multiple SPF includes into a single record is essential for proper SPF configuration.
- SPF records must be regularly checked and optimized to maintain effective email authentication.
- Consider implementing additional email authentication methods, such as DKIM and DMARC, for better security.
Quick Answer: No, you cannot have multiple SPF records on one domain. Having more than one SPF record will cause SPF PermError and break email authentication, leading to delivery failures.
Is it okay to have multiple SPF records on your domain? Here’s what you need to know to keep your email deliverability on track. SPF records are crucial for email authentication, but having more than one can actually hurt your deliverability.
Having multiple SPF records is one of the most common SPF errors that domain owners come across. It can completely invalidate your SPF and lead to SPF PermError. To understand why this happens, we need to know how SPF functions and why having more than one SPF record causes issues during authentication.
*Pro Tip: Conduct your domain record check today to find errors in your SPF record configuration.
How SPF Records Function
Sender Policy Framework, or SPF, is a popular email authentication protocol that works by listing all of the authorized sending sources that are allowed to send emails on behalf of your domain.
During an SPF check, receiving MTAs perform DNS queries (DNS lookups) on the domain in your email’s Return-Path address and match the sending server’s IP address against the list of IP addresses mentioned in your SPF record. If a match is found, the email passes SPF; otherwise it fails SPF.
Hence, configuring SPF is simply a matter of publishing a DNS TXT record that starts with “v=spf1”.
The Myth of Multiple SPF Records
While some services might suggest adding separate SPF records, the truth is that a domain can only have one SPF record. This is because the SPF standard (RFC 4408) strictly prohibits publishing more than one.
During an SPF check, encountering multiple records leads to a “PermError”, because the receiving server cannot tell which record is the intended one.
When a receiving MTA begins to perform SPF authentication on an email, it fetches the domain’s DNS TXT records and selects those that begin with “v=spf1”. If SPF is not configured for the sending domain and no SPF record is found in the DNS, a None result is returned. Conversely, if multiple SPF records beginning with “v=spf1” are found for the same domain, an SPF PermError result is returned.
The Trouble with Multiple SPF Records
Splitting your includes across separate SPF records, or otherwise having multiple SPF records for one domain, can have serious consequences such as:
- Emails landing in spam folders
- Emails being rejected entirely
This is a very common issue. Several domain analysis reports by PowerDMARC revealed that one of the most common mistakes domain owners make is having more than 1 SPF record per domain. This mistake is one of the primary causes of erroneous SPF configurations.
Multiple SPF Records Example
Given below is an example of multiple separate SPF records published for the same domain.
Common SPF Record Mistakes to Avoid:
| RECORD TYPE | DOMAIN NAME | RECORD VALUE | TTL |
|---|---|---|---|
| TXT | exampledomain.com | v=spf1 include:_spf.zoho.com -all | default |
| TXT | exampledomain.com | v=spf1 include:_spf.google.com -all | default |
In this example, 2 separate SPF DNS TXT records have been published in the DNS of the domain exampledomain.com. In this case, SPF authentication fails with a permanent error result returned for your domain. Because each include sits in its own TXT record, each is treated as a separate SPF record, resulting in multiple SPF records on the same domain.
How to Combine SPF Records Correctly:
| RECORD TYPE | DOMAIN NAME | RECORD VALUE | TTL |
|---|---|---|---|
| TXT | exampledomain.com | v=spf1 include:_spf.zoho.com include:_spf.google.com -all | default |
In this example, the domain exampledomain.com has only a single SPF DNS TXT record instead of multiple SPF records. This is achieved by placing multiple include mechanisms in a single record. The record is valid and SPF would not return a PermError result in this case.
| Scenario | DNS Record | Expected Outcome |
|---|---|---|
| Incorrect: Multiple SPF Records | Two separate TXT records with v=spf1 | SPF PermError - Authentication fails |
| Correct: Single SPF Record | One TXT record with multiple includes | SPF Pass - Authentication succeeds |
*Pro Tip: Learn SPF record optimization best practices to avoid SPF record errors in the future.
How to Identify Multiple SPF Records in DNS
Before fixing multiple SPF records, you need to identify if your domain has this issue. Here are several methods to check for multiple SPF records:
Using Online SPF Checkers
The easiest way is to use PowerDMARC’s free SPF checker tool. Simply enter your domain name and it will instantly identify if you have multiple SPF records.
Command-Line DNS Queries
Technical users can use command-line tools:
- Windows: nslookup -type=TXT yourdomain.com
- Linux/Mac: dig TXT yourdomain.com
DNS Management Console
Log into your DNS provider (Cloudflare, GoDaddy, Namecheap, etc.) and check the TXT records section. Look for multiple entries starting with “v=spf1”.
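The check described above can be scripted. This is an added example, not code from PowerDMARC: it parses the output of `dig +short TXT yourdomain.com` (the `+short` flag and the sample output are assumptions made here) and reports whether a receiver would find no SPF record, a single one, or several (PermError).

```python
import shlex

def parse_dig_short(output):
    """Turn `dig +short TXT <domain>` output into one string per TXT record."""
    records = []
    for line in output.splitlines():
        if line.strip():
            # A long record is printed as several quoted strings; SPF
            # evaluation joins them with no separator added.
            records.append("".join(shlex.split(line)))
    return records

def spf_records(txt_values):
    """Keep only values whose version section is exactly v=spf1."""
    found = []
    for value in txt_values:
        lowered = value.lower()
        # The version must end at a space or at the end of the record,
        # so "v=spf10 ..." is not an SPF record.
        if lowered == "v=spf1" or lowered.startswith("v=spf1 "):
            found.append(value)
    return found

def classify(txt_values):
    """Return (state, records): 'none', 'single' or 'permerror'."""
    found = spf_records(txt_values)
    if not found:
        return "none", found
    if len(found) > 1:
        return "permerror", found
    return "single", found

# Constructed sample output for the article's exampledomain.com (not real DNS data).
SAMPLE_TWO = '''"v=spf1 include:_spf.zoho.com -all"
"site-verification=CONSTRUCTED-TOKEN"
"v=spf1 include:_spf.google.com -all"
'''
SAMPLE_ONE = '''"v=spf1 include:_spf.zoho.com include:_spf.google.com -all"
"v=spf10 looks-similar-but-is-not-spf"
'''

if __name__ == "__main__":
    for label, sample in (("two records", SAMPLE_TWO), ("one record", SAMPLE_ONE)):
        state, found = classify(parse_dig_short(sample))
        print(f"{label}: {state} ({len(found)} SPF record(s))")
```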
How to Fix the Multiple SPF Records Problem?
Fixing the multiple SPF records error is easy with PowerDMARC! Follow the steps given below to correctly configure SPF multiple includes for your domain:
Troubleshooting Checklist:
- Verify DNS propagation (can take 24-48 hours)
- Test changes with multiple DNS checkers
- Monitor email delivery for 48 hours after changes
- Document all changes for future reference
Step 1: Confirm SPF Multiple Records Error
The first step is to check for SPF multiple records. Sign up on PowerDMARC for free and use our SPF record generator tool to confirm the presence of this error.
Alternatively, you can manually look up your record in your DNS. If you are using a DNS hosting provider like Cloudflare, CloudDNS, DNS Made Easy, Namecheap, or others, the process won’t be the same for each provider. However, the usual steps are to enter your DNS management console, access your DNS zone editor, and click on Manage Domains. You will be able to find your DNS records for SPF in the DNS zone of your domain.
Step 2: Delete the Multiple SPF records for a Single Domain
If your domain contains multiple records for SPF, it’s time to edit the DNS records and delete all records except one. Make sure you are left with a single SPF record per domain.
Step 3: Combine SPF Records
Finally, edit the remaining single SPF record to combine multiple includes. This is an easy way to fix the error while also allowing you to include multiple SPF records in a single record.
- Enter your DNS Management Console
- Click to Edit your SPF record
- In the syntax, use the SPF “include” mechanism to include multiple domains you wish to authorize. Given below is an example of combining SPF records into 1:
You can keep adding more “includes” to the same SPF record to authorize all your third-party services. Once done, make sure you save your record in the DNS.
Note: Instead of the enforcement policy (-all) you can configure (~all) for a more lenient and flexible approach during SPF failure.
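Steps 2 and 3 as an added example (not PowerDMARC's tooling): a small function that merges several published SPF records into the single record to keep, dropping duplicate terms and ending with one `all` mechanism. The function names and the duplicated third input record are constructed for illustration.

```python
def merge_spf(records, final="-all"):
    """Combine several v=spf1 records into one, keeping each term once."""
    terms, seen = [], set()
    for record in records:
        parts = record.split()
        if not parts or parts[0].lower() != "v=spf1":
            raise ValueError(f"not an SPF record: {record!r}")
        for term in parts[1:]:
            bare = term.lstrip("+-~?").lower()
            if bare == "all":
                continue  # dropped here; exactly one is appended at the end
            if bare.startswith("redirect="):
                # redirect= is ignored once an "all" mechanism is present,
                # so merging it would silently drop that policy.
                raise ValueError(f"cannot merge redirect modifier: {term}")
            if term.lower() not in seen:
                seen.add(term.lower())
                terms.append(term)
    return " ".join(["v=spf1", *terms, final])

def fits_one_string(record):
    """True if the record fits a single 255-character TXT string."""
    return len(record) <= 255

# The two records from the article's example, plus a constructed duplicate.
PUBLISHED = [
    "v=spf1 include:_spf.zoho.com -all",
    "v=spf1 include:_spf.google.com -all",
    "v=spf1 include:_spf.google.com ~all",
]

if __name__ == "__main__":
    merged = merge_spf(PUBLISHED)
    print(merged, "| fits one string:", fits_one_string(merged))
    print(merge_spf(PUBLISHED, final="~all"))  # the more lenient policy
```

Publish the merged value as the only `v=spf1` TXT record and delete the others.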
How to Properly Authorize Multiple Email Senders in One SPF Record
If you use multiple email vendors for a single domain, configuring multiple separate SPF records is the wrong way to set up SPF for them. Instead, here’s what you need to do:
1. PowerDMARC can help you easily authorize multiple senders in a single SPF record for your domain. Use our SPF record generator tool to create a free record.
2. In the field labeled “Authorize domains or 3rd party services that send emails on behalf of this domain.” enter all third party vendors you wish to authorize. This is an important step to merge SPF records.
3. Copy the single generated SPF record, which contains the includes for all your authorized senders, and paste it into your DNS. Save the record.
Limitations and Risks of Multiple SPF Includes
Adding more and more includes to your SPF record is not always the right approach. While combining SPF records in this way helps you get rid of the SPF multiple records error, it may lead to other errors. Every email service provider you include adds a DNS lookup during SPF authentication, so multiple includes in your SPF record mean at least as many lookups. However, the RFC specifies the maximum lookup limit for SPF to be 10.
Exceeding the SPF 10 lookup limit can also return SPF PermError and break SPF.
To stay under the 10 DNS lookup limit for SPF:
- You can manually flatten your SPF record. However, manual flattening to pull through all the IP addresses behind your include mechanism can lead to a lengthy record that may exceed the character string limit for SPF.
- Or, you can choose SPF Macros. Macros help you stay within the lookup and character length limits.
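To see how nested includes consume the limit, here is an added example (not PowerDMARC's code) that counts the worst-case number of lookup-consuming terms reachable from a record. It goes beyond includes to the other terms that also trigger DNS queries (`a`, `mx`, `ptr`, `exists`, `redirect`); the zone data and all vendor names are constructed placeholders.

```python
import re

LIMIT = 10  # lookup limit stated in the article

# Constructed zone data: domain -> SPF record. All names are placeholders.
ZONE = {
    "exampledomain.com": "v=spf1 a mx include:_spf.vendor-a.example include:_spf.vendor-b.example -all",
    "_spf.vendor-a.example": "v=spf1 include:_n1.vendor-a.example include:_n2.vendor-a.example include:_n3.vendor-a.example ~all",
    "_n1.vendor-a.example": "v=spf1 ip4:192.0.2.0/25 ~all",
    "_n2.vendor-a.example": "v=spf1 ip4:192.0.2.128/25 ~all",
    "_n3.vendor-a.example": "v=spf1 ip6:2001:db8::/32 ~all",
    "_spf.vendor-b.example": "v=spf1 a:mail.vendor-b.example mx exists:%{i}.bl.vendor-b.example include:_n1.vendor-b.example include:_n2.vendor-b.example ~all",
    "_n1.vendor-b.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    "_n2.vendor-b.example": "v=spf1 ip4:203.0.113.0/24 ~all",
    # A flattened equivalent: only IP ranges, so no further lookups.
    "flat.exampledomain.com": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.0/24 ip4:203.0.113.0/24 -all",
}

def count_lookups(domain, zone, path=()):
    """Worst-case count of DNS-querying terms, following nested includes."""
    if domain in path:
        raise ValueError(f"include loop through {domain}")
    total = 0
    for term in zone[domain].split()[1:]:
        bare = term.lstrip("+-~?").lower()
        nested = re.match(r"(?:include:|redirect=)(.+)", bare)
        if nested:
            # One lookup for the include itself, plus whatever it pulls in.
            total += 1 + count_lookups(nested.group(1), zone, path + (domain,))
        elif re.match(r"(?:a|mx|ptr)(?:[:/]|$)", bare) or bare.startswith("exists:"):
            total += 1
        # ip4, ip6 and all need no DNS query and are not counted.
    return total

def exceeds_limit(domain, zone):
    """True if evaluating the record could pass the 10-lookup limit."""
    return count_lookups(domain, zone) > LIMIT

if __name__ == "__main__":
    for name in ("exampledomain.com", "flat.exampledomain.com"):
        print(name, count_lookups(name, ZONE), "over limit:", exceeds_limit(name, ZONE))
```

The top-level record shows only four lookup terms, yet the nested records bring the total to 12.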
In order to avoid multiple SPF records and other common errors, use PowerDMARC’s hosted SPF solution. We integrate macros in your SPF record to ensure you enjoy error-free SPF that is optimized and updated.
Additionally, you can use our DMARC Analyzer to configure DMARC for your domains. DMARC helps you protect against phishing attacks, spoofing and domain abuse.
Best Practices for Managing SPF Records
Follow these actionable best practices to maintain effective SPF record management:
- Regular Audits: Review your SPF records quarterly to ensure they’re up-to-date
- Monitor DNS Lookups: Keep track of your DNS lookup count to stay under the 10-lookup limit
- Document Changes: Maintain a log of all SPF record modifications with dates and reasons
- Test Before Implementation: Always validate SPF records using online checkers before going live
- Avoid Nested Includes: Minimize complex include chains that can exceed lookup limits
- Use Automation: Consider automated SPF management tools for complex environments
Common Pitfalls and How to Avoid Them
Avoid these frequent SPF mistakes that can break email authentication:
Common SPF Errors and Solutions
- Exceeding 10 DNS Lookups: Use SPF flattening or macros to reduce lookup count
- Using Multiple TXT Records: Consolidate all SPF includes into a single record
- Improper Syntax: Always start with “v=spf1” and end with an “all” mechanism
- Character Limit Exceeded: Keep SPF records under 255 characters per string
- Forgetting Email Vendors: Include all legitimate email sending services
- Using Deprecated Record Types: Always use TXT records, not SPF record type
Summary & Next Steps
Having a single, well-configured SPF record is essential for optimal email deliverability. In this guide we explained how you can combine SPF records into one for an error-free SPF setup. While SPF is a great first step, consider exploring other email authentication methods like DKIM and DMARC for even better protection.
Ready to secure your email infrastructure? Here’s what to do next:
- Test your current SPF record with our free SPF checker
- Generate an optimized SPF record using our SPF record generator
- Implement comprehensive email security with DMARC protection
Frequently Asked Questions
Can I have multiple SPF records on one domain?
No, you cannot have multiple SPF records on one domain. Having more than one SPF record will cause SPF PermError and break email authentication. Instead, combine all authorized senders into a single SPF record using multiple include mechanisms.
How many SPF records can be placed in the DNS of a domain?
Only one SPF record should be placed in the DNS of a domain. The SPF standard (RFC 4408) explicitly prohibits multiple SPF records. If multiple records are found, receiving servers will return a PermError and reject the email.
What happens if you have multiple SPF records?
If you have multiple SPF records, receiving email servers will encounter a PermError during SPF validation. This causes emails to fail authentication, potentially leading to emails being marked as spam or rejected entirely by receiving servers.
How do I combine multiple email services in one SPF record?
Use the “include:” mechanism to combine multiple email services in one SPF record. For example: “v=spf1 include:_spf.google.com include:mailgun.org include:_spf.salesforce.com ~all”. This authorizes all three services in a single record.
What is the maximum number of DNS lookups allowed in SPF?
The maximum number of DNS lookups allowed in SPF is 10. Each “include:” mechanism counts as one lookup. Exceeding this limit will result in SPF PermError. Use SPF flattening or macros to stay within this limit.
