The Sender Policy Framework (SPF) is an essential method for authenticating email, designed to stop spammers and phishers from impersonating your domain. However, a frequent and significant error made by many domain administrators is publishing multiple SPF records. While this may appear harmless, such a misconfiguration completely breaks SPF validation, resulting in email deliverability problems and DMARC failures.
This guide outlines the problems associated with having multiple SPF records, provides guidance on how to determine if your domain is impacted, and offers recommendations for establishing a valid and optimized SPF configuration.
An SPF record is a specific category of DNS TXT record that informs receiving mail servers about the IP addresses or services permitted to send emails on behalf of your domain.
Here’s what a typical SPF record looks like:
```dns
v=spf1 include:_spf.google.com ip4:192.168.0.1 ~all
```
This tells mail servers that any host authorized by Google's SPF record (include:_spf.google.com) and the address 192.168.0.1 may send mail for the domain, and that mail from any other source should be treated as a soft fail (~all).
The SPF specification (RFC 7208) allows a domain only one SPF TXT record. If more than one SPF record is published for a domain, validation returns a permanent error (PermError) for every message, even if each individual record is correct on its own.
Example of a Broken SPF Setup:
```dns
TXT "v=spf1 include:_spf.google.com ~all"
TXT "v=spf1 include:mailgun.org ~all"
```
Each record is valid by itself, but because both are present the receiver cannot pick one and evaluation fails, so neither is honored.
Correct Way to Combine:
```dns
TXT "v=spf1 include:_spf.google.com include:mailgun.org ~all"
```
Combining the includes helps maintain SPF functionality, thereby safeguarding the integrity of your domain’s authentication.
Use Online SPF Check Tools:
These tools will identify the presence of "Multiple SPF records found" as a significant issue and will present the conflicting records for review.
When utilizing several email service providers (such as Google Workspace, SendGrid, or Mailgun) to send emails from your domain, it is advisable to consolidate their configurations by employing include: tags within a single TXT record.
Example:
```dns
v=spf1 include:_spf.google.com include:sendgrid.net include:mailgun.org ~all
```
The appropriate include: value will be specified in the documentation provided by each provider.
Sometimes, old SPF records linger in DNS. Clean up your records:
The SPF protocol imposes a strict maximum of 10 DNS lookups per evaluation. The include:, a, mx, ptr, and exists mechanisms and the redirect= modifier each count as one lookup (and lookups inside an included record count too), while ip4:, ip6:, and all do not. Exceeding this limit results in a permanent error (PermError), which in turn breaks DMARC compliance because SPF can no longer pass.
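To tie the two failure modes above together (more than one SPF record, and more than 10 lookups), here is an added Python audit script, not part of the original article, that classifies a domain's TXT record set the way a receiver would, merges duplicate records into one, and counts the top-level lookup terms. The TXT strings in SAMPLE_TXT are constructed from the article's broken example; the function names are my own.

```python
import re

# Terms that each cost one DNS query under RFC 7208 section 4.6.4; ip4, ip6 and all are free.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
TERM_NAME = re.compile(r"^[+\-~?]?([a-z0-9]+)")   # optional qualifier, then the term name

def spf_records(txt_records):
    """Keep only the TXT strings that carry the SPF version tag (case-insensitive)."""
    return [r for r in txt_records if re.match(r"^v=spf1(\s|$)", r, re.IGNORECASE)]

def terms(record):
    """Split an SPF record into its terms, dropping the leading v=spf1."""
    return record.split()[1:]

def term_name(term):
    m = TERM_NAME.match(term.lower())
    return m.group(1) if m else ""

def count_lookups(record):
    """Count lookup-incurring terms at the top level only (nested includes add more)."""
    return sum(1 for t in terms(record) if term_name(t) in LOOKUP_TERMS)

def merge_spf(records):
    """Combine several SPF records into one: union of mechanisms, in order, one final 'all'."""
    mechanisms, all_term = [], None
    for rec in records:
        for term in terms(rec):
            name = term_name(term)
            if name == "redirect":
                raise ValueError("redirect= cannot be merged mechanically; review by hand: " + term)
            if name == "all":
                all_term = all_term or term        # keep the first record's all qualifier
            elif term not in mechanisms:
                mechanisms.append(term)
    return " ".join(["v=spf1"] + mechanisms + [all_term or "~all"])

def audit_spf(txt_records):
    """Classify a domain's TXT record set as a receiver would: none, permerror, or ok."""
    recs = spf_records(txt_records)
    if not recs:
        return {"status": "none", "records": 0, "lookups": 0}
    if len(recs) > 1:   # RFC 7208 section 4.5: more than one SPF record is a permerror
        return {"status": "permerror", "records": len(recs), "lookups": 0}
    n = count_lookups(recs[0])
    return {"status": "ok" if n <= 10 else "permerror", "records": 1, "lookups": n}

# Constructed sample: the article's broken two-record setup plus an unrelated TXT string.
SAMPLE_TXT = [
    "google-site-verification=abc123",
    "v=spf1 include:_spf.google.com ~all",
    "v=spf1 include:mailgun.org ~all",
]
```

Running audit_spf on SAMPLE_TXT reports permerror with 2 records; feeding merge_spf's output back in reports ok with 2 lookups. A real audit would also recurse into each include: target, which this top-level count deliberately does not do.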
To Avoid It:
When setting up SPF records for subdomains and aiming to utilize the SPF configuration from your main domain, consider employing the redirect= mechanism instead.
Example:
```dns
v=spf1 redirect=example.com
```
This keeps SPF consistent across multiple zones. Keep in mind that the redirect= itself counts as one of the 10 lookups, as do any lookups in the target domain's record.
Once you publish the corrected SPF record:
Send a test message to a mailbox you control and look for spf=pass in its Authentication-Results header.
Having multiple SPF records can significantly undermine your email deliverability and authentication efforts. Rather than creating individual SPF entries for each service provider, it is advisable to consolidate them into a singular, well-structured SPF record. Pay attention to the use of includes, monitor your lookup limits diligently, and conduct regular audits of your DNS settings.
By steering clear of this frequent error, you can prevent your emails from being filtered as spam, uphold compliance with DMARC standards, and reinforce your brand's credibility. For more details, visit the Autospf website.