How To Safely Manage Multiple SPF Records To Avoid Authentication Issues

The Sender Policy Framework (SPF) plays an essential role in email authentication, serving as a defense against email spoofing and phishing attempts. A frequent error committed by domain administrators is the establishment of multiple SPF records for the same domain, which can result in problems with email deliverability and failures in authentication.

This guide will provide you with instructions on how to effectively manage SPF records, prevent the occurrence of “multiple SPF record” errors, and adopt best practices to guarantee that your emails successfully meet authentication standards.


Understanding SPF and Its Role in Email Authentication


SPF, or Sender Policy Framework, is a TXT record in the Domain Name System (DNS) that designates authorized mail servers for a domain. Upon receiving an email, the recipient's mail server consults the sender's SPF record to confirm the legitimacy of the sending server.

A well-configured SPF record enhances email deliverability and mitigates risks of spoofing and phishing. Conversely, issues like having multiple SPF records can lead to authentication errors.






Why Having Multiple SPF Records is a Problem

A domain must contain a single SPF record. The presence of multiple SPF records can cause mail servers to struggle with email authentication, resulting in:

  • SPF PermError (Permanent Error): A receiving server that finds more than one SPF record for a domain must return PermError (RFC 7208), and most mail servers then reject the message.

  • Deliverability Issues: Emails may end up in spam folders or get rejected.

  • DMARC Failures: If SPF fails, your DMARC policy might also fail, reducing email security.

Example of Incorrect SPF Configuration

A common mistake is adding multiple SPF records like this:

v=spf1 include:_spf.google.com -all

v=spf1 include:_spf.mailchimp.com -all

The problem? A domain can only have one SPF record.


How to Fix Multiple SPF Records


To address this issue, consolidate all approved sending sources into one SPF record, ensuring compliance with the 10 DNS lookup limit of SPF.

  • Combine SPF Records into One: Instead of having separate SPF records, combine them into one, like this:

v=spf1 include:_spf.google.com include:_spf.mailchimp.com -all

This ensures all authorized email senders are covered under one SPF record.

  • Remove Redundant SPF Entries: Review your domain's DNS records for duplicate or conflicting SPF entries. Retain only one valid SPF TXT record by eliminating any extras.

  • Use "include" Correctly: When integrating third-party email services such as Google Workspace, Mailchimp, or Microsoft 365, it is advisable to utilize their suggested "include" methods rather than specifying individual IP addresses.

Example:

v=spf1 include:_spf.google.com include:spf.protection.outlook.com -all

This allows the SPF record to dynamically update when the provider changes their authorized IPs.

  • Stay Within the SPF Lookup Limit: The SPF protocol imposes a restriction of 10 DNS lookups. Should your SPF record surpass this threshold, it could lead to an SPF PermError. To reduce lookups:

    • Remove unnecessary "include" statements

    • Use IP ranges instead of include if possible

    • Utilize SPF flattening tools (like dmarcian or SPF-Record Flattening services)

Example of an optimized SPF record:

v=spf1 ip4:192.168.1.1/24 include:_spf.google.com include:_spf.sendgrid.net -all
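The following script is an added example, not part of this guide or of any of the tools it names. It shows, over a constructed in-memory zone (the `ZONE` dictionary stands in for DNS TXT answers; `example.com` and the `fixed.example.com` name are hypothetical), the three checks discussed above: detecting the "multiple SPF records" PermError that a receiver raises, counting the DNS-lookup mechanisms against the 10-lookup limit, and merging several records into the single combined record the fix section recommends. It also includes a minimal evaluator for `ip4`/`ip6`/`include`/`all` so the effect of the merge on a sending IP can be seen.

```python
"""Toy SPF checker: multiple-record detection, lookup counting, merging,
and a minimal ip4/ip6/include/all evaluator. Added example; the zone
below is constructed and stands in for real DNS TXT lookups."""
import ipaddress

# Constructed stand-in for DNS TXT answers (hypothetical zone, not real data).
ZONE = {
    "example.com": [                     # the broken "two records" case
        "v=spf1 include:_spf.google.com -all",
        "v=spf1 include:_spf.mailchimp.com -all",
    ],
    "fixed.example.com": ["v=spf1 ip4:203.0.113.0/24 include:_spf.google.com -all"],
    "_spf.google.com": ["v=spf1 include:_netblocks.google.com -all"],
    "_netblocks.google.com": ["v=spf1 ip4:198.51.100.0/24 -all"],
    "_spf.mailchimp.com": ["v=spf1 ip4:192.0.2.0/24 -all"],
}

# Mechanisms and the modifier that each cost one DNS lookup (RFC 7208 4.6.4).
LOOKUP_MECHS = ("include", "a", "mx", "ptr", "exists", "redirect")
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


class PermError(Exception):
    """Conditions RFC 7208 treats as permanent errors."""


def get_spf(zone, domain):
    """Return the one SPF record for a domain, None if absent, or raise
    PermError when more than one v=spf1 record exists (RFC 7208 4.5)."""
    records = [t for t in zone.get(domain, [])
               if t.lower() == "v=spf1" or t.lower().startswith("v=spf1 ")]
    if len(records) > 1:
        raise PermError(f"{domain}: {len(records)} SPF records found, exactly one allowed")
    return records[0] if records else None


def terms(record):
    """Split a record into its terms, dropping the v=spf1 version tag."""
    return record.split()[1:]


def mech_name(term):
    """'-include:x' -> 'include', 'a/24' -> 'a', 'redirect=x' -> 'redirect'."""
    stripped = term.lstrip("+-~?")
    return stripped.split(":", 1)[0].split("=", 1)[0].split("/", 1)[0]


def count_lookups(zone, domain, depth=0):
    """Count lookup-causing terms reachable from a record, following
    include: and redirect= targets; a realistic checker compares this to 10."""
    if depth > 10:
        raise PermError("include/redirect nesting too deep")
    record = get_spf(zone, domain)
    if record is None:
        return 0
    total = 0
    for term in terms(record):
        name = mech_name(term)
        if name not in LOOKUP_MECHS:
            continue
        total += 1
        if name in ("include", "redirect"):
            target = term.lstrip("+-~?")[len(name) + 1:]
            total += count_lookups(zone, target, depth + 1)
    return total


def merge_records(records):
    """Combine several records into one: keep term order, drop duplicates,
    and end with a single 'all' term using the strictest qualifier seen."""
    merged, alls = [], []
    for rec in records:
        for term in terms(rec):
            if mech_name(term) == "all":
                alls.append(term)
            elif term not in merged:
                merged.append(term)
    strictness = {"-": 0, "~": 1, "?": 2, "+": 3}   # -all wins over ~all etc.
    final_all = min(alls, key=lambda t: strictness.get(t[0], 3)) if alls else "-all"
    return "v=spf1 " + " ".join(merged + [final_all])


def check_ip(zone, domain, ip, depth=0):
    """Evaluate ip4/ip6/include/all for a sending IP; returns the SPF
    result string and raises PermError as a real receiver would."""
    if depth > 10:
        raise PermError("include nesting too deep")
    record = get_spf(zone, domain)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in terms(record):
        qual = term[0] if term[0] in QUALIFIERS else "+"
        mech = term.lstrip("+-~?")
        matched = False
        if mech.startswith(("ip4:", "ip6:")):
            # strict=False tolerates host bits set in the prefix, as SPF does
            matched = addr in ipaddress.ip_network(mech[4:], strict=False)
        elif mech.startswith("include:"):
            matched = check_ip(zone, mech[8:], ip, depth + 1) == "pass"
        elif mech == "all":
            matched = True
        if matched:
            return QUALIFIERS[qual]
    return "neutral"   # no mechanism matched and no 'all' term present
```

Against the constructed zone, `get_spf` raises PermError for `example.com` (two records), `merge_records` turns those two records into the single record shown above, and `count_lookups` reports 2 for `fixed.example.com` (its own `include` plus the nested one). For a real domain the same functions can be fed the strings returned by a TXT query for that name.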






Testing and Validating Your SPF Record


After updating your SPF record, use these tools to check for errors:

  • Google Admin Toolbox SPF Check → https://toolbox.googleapps.com/apps/checkmx/

  • MXToolbox SPF Lookup → https://mxtoolbox.com/SPFRecord.aspx

  • Kitterman SPF Test → https://www.kitterman.com/spf/validate.html

These tools will help you confirm that your SPF record is correctly formatted and does not exceed lookup limits.


Best Practices for SPF Management


  • Keep SPF records concise: Avoid unnecessary includes and use IP ranges when possible.

  • Regularly review your SPF record: Remove obsolete or inactive email providers.

  • Monitor SPF authentication results: Use DMARC reports to analyze email authentication failures.

  • Combine all authorized senders into a single SPF record: Prevent multiple SPF records from causing issues.

  • Ensure compatibility with DKIM and DMARC: SPF alone is not enough; use DKIM and DMARC for full email authentication.