Managing Email Deliverability Across Multiple ESPs

Using multiple email service providers? Learn how to manage SPF records, avoid authentication conflicts, and maintain deliverability when sending from multiple platforms.

Email Authentication

Most organizations use multiple services that send email — a marketing platform, a CRM, a support tool, a transactional email service. Each one needs to be properly authorized in your DNS records. The most common mistake: creating separate SPF records for each service instead of merging them into one.

The Multiple SPF Records Problem

Your domain can only have one SPF TXT record. If you add a second one (which is easy to do accidentally), the result is unpredictable — some receiving servers pick one record, some pick the other, and some return a permanent error.

Wrong Way

yourdomain.com TXT "v=spf1 include:_spf.google.com ~all"
yourdomain.com TXT "v=spf1 include:sendgrid.net ~all"

Two separate SPF records — this breaks authentication.

Right Way

yourdomain.com TXT "v=spf1 include:_spf.google.com include:sendgrid.net ~all"

One SPF record with all services included.

Check your domain — our checker flags multiple SPF records.

Managing Authentication for Multiple Services

SPF: One Record, All Services

Every service that sends email from your domain needs its include in your single SPF record:

v=spf1 include:_spf.google.com include:sendgrid.net include:spf.hubspot.com include:mail.zendesk.com ~all

Watch the 10-lookup limit — each include uses at least one lookup, and nested includes add more. If you're approaching the limit, consider using subdomains to split services.

DKIM: Separate Keys Per Service

Unlike SPF, DKIM allows multiple keys. Each service uses a different selector:

ServiceDKIM Selector Example
Google Workspacegoogle._domainkey.yourdomain.com
SendGrids1._domainkey.yourdomain.com
HubSpoths1._domainkey.yourdomain.com

Each selector points to a different DKIM key. There's no limit on the number of DKIM records — each service manages its own independently.

DMARC: One Policy for All

Your single DMARC record applies to all email from your domain regardless of which service sent it. Ensure alignment works for every service:

  • At least one of SPF or DKIM must align for each service
  • DKIM alignment is generally more reliable (especially for services that use their own envelope sender)

Check all your services at once

Run a free deliverability check on your domain. Verify that SPF, DKIM, and DMARC cover all your sending services.

Common Multi-ESP Scenarios

Marketing + Transactional

The most common setup: one platform for marketing email, another for transactional.

PlatformUse CaseAuthentication
MailchimpMarketing campaignsinclude:servers.mcsv.net + DKIM CNAME
PostmarkTransactional emailinclude:spf.mtasv.net + DKIM

Both need to be in your single SPF record. Both need separate DKIM records.

Business Email + Marketing + Support

A common three-service setup:

v=spf1 include:_spf.google.com include:servers.mcsv.net include:mail.zendesk.com ~all

Three includes plus their nested lookups can consume 8–10 of your 10 lookups. Monitor your lookup count carefully.

Adding a New Service

When someone on your team starts using a new tool that sends email:

1

Check the service's documentation

Find the SPF include value and DKIM setup instructions.

2

Add the SPF include

Update your existing SPF record — don't create a new one.

3

Set up DKIM

Add the service's DKIM records to your DNS.

4

Verify authentication

Send a test email through the new service and check headers for SPF, DKIM, and DMARC pass results.

5

Check lookup count

Verify your SPF record is still under 10 lookups after adding the new include.

Preventing Service Sprawl

Maintain an Email Sender Inventory

Keep a document listing every service that sends email from your domain:

ServicePurposeSPF IncludeOwner
Google WorkspaceBusiness emailinclude:_spf.google.comIT
MailchimpMarketinginclude:servers.mcsv.netMarketing
ZendeskSupportinclude:mail.zendesk.comSupport

Review this quarterly. Remove services that are no longer in use.

DMARC Reports Reveal Unknown Senders

DMARC aggregate reports show every IP that sends email as your domain. If you see unknown sources, someone may have added a new service without updating DNS. Review reports monthly to catch unauthorized senders.

Establish a Process

Create a simple process: "Before any team uses a new tool that sends email from our domain, notify IT to update DNS records." This prevents authentication gaps and keeps your SPF record accurate.