SPF Multiple Records: Why You Can Only Have One and How to Fix It
Learn why having multiple SPF records breaks email authentication, how to detect this common mistake, and how to merge multiple SPF records into one.
One of the most common SPF mistakes is publishing multiple SPF records for the same domain. According to the SPF specification, a domain must have exactly one SPF record—having two or more causes authentication to fail.
The Problem: Multiple SPF Records
When a domain has multiple SPF TXT records, receiving servers don't know which one to use. The SPF specification (RFC 7208) states that multiple records result in a "permerror" (permanent error), which typically causes SPF to fail.
Having multiple SPF records doesn't mean receivers pick one—it means SPF fails completely for your domain.
How This Happens
Multiple SPF records usually occur when:
1. Adding Services Without Merging
You have:
v=spf1 include:_spf.google.com ~all
Then you add an email marketing platform and create:
v=spf1 include:sendgrid.net ~all
Now you have two SPF records, and receivers return a permerror instead of evaluating either one.
2. Different Team Members Making Changes
IT sets up one record, marketing adds another, and neither realizes the conflict.
3. Following Multiple Setup Guides
Service A says "add this SPF record" and Service B says "add this SPF record"—both meant to be merged into your existing record.
4. Migration Not Cleaned Up
After switching email providers, the old record remains alongside the new one.
How to Detect Multiple SPF Records
Using DNS Lookup Tools
Query your domain's TXT records:
# Using dig
dig +short TXT example.com | grep spf
# Using nslookup
nslookup -type=TXT example.com
If you see multiple lines starting with v=spf1, you have a problem.
What Multiple Records Look Like
Bad (two SPF records):
example.com. 300 IN TXT "v=spf1 include:_spf.google.com ~all"
example.com. 300 IN TXT "v=spf1 include:sendgrid.net ~all"
Good (one SPF record with both):
example.com. 300 IN TXT "v=spf1 include:_spf.google.com include:sendgrid.net ~all"
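The check a receiver performs can be reproduced offline. This added example (not from the original page) parses `dig +short TXT` output, joins multi-string TXT records, and reports a permerror when more than one SPF record is present; the sample outputs and function names are constructed for illustration.

```python
import re
import shlex

# A TXT record is an SPF record only if it starts with the version tag "v=spf1"
# followed by a space or the end of the record, so "v=spf10 ..." is not one.
SPF_VERSION = re.compile(r"^v=spf1( |$)", re.IGNORECASE)

# Constructed `dig +short TXT` output: the page's broken case plus an unrelated TXT.
BROKEN = (
    '"v=spf1 include:_spf.google.com ~all"\n'
    '"v=spf1 include:sendgrid.net ~all"\n'
    '"google-site-verification=constructed-token"\n'
)
# Constructed output: one SPF record split into two strings, plus a look-alike.
SPLIT = (
    '"v=spf1 include:_spf.google.com include:sendgrid.net " '
    '"include:servers.mcsv.net include:amazonses.com ~all"\n'
    '"v=spf10 constructed-look-alike"\n'
)


def join_txt_strings(dig_line):
    """Join the quoted strings of one TXT record with no separator, as receivers do."""
    return "".join(shlex.split(dig_line))


def find_spf_records(dig_output):
    """Return every SPF record in `dig +short TXT` output, one per TXT record."""
    lines = [line for line in dig_output.splitlines() if line.strip()]
    return [r for r in map(join_txt_strings, lines) if SPF_VERSION.match(r)]


def spf_selection(dig_output):
    """Return ("none", None), ("ok", record) or ("permerror", records)."""
    found = find_spf_records(dig_output)
    if not found:
        return ("none", None)
    if len(found) > 1:
        return ("permerror", found)
    return ("ok", found[0])


if __name__ == "__main__":
    for sample in (BROKEN, SPLIT):
        print(spf_selection(sample))
```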
How to Merge SPF Records
1. Identify all existing SPF records. List every SPF TXT record currently published for your domain.
2. Extract all mechanisms. Pull out all the include, ip4, ip6, a, and mx mechanisms from each record.
3. Combine into one record. Create a single record containing all necessary mechanisms.
4. Choose the most restrictive qualifier. Use -all (hardfail) or ~all (softfail) at the end, only once.
5. Delete old records and publish new one. Remove all old SPF records and publish only the merged one.
Merging Example
Before (broken):
v=spf1 include:_spf.google.com ~all
v=spf1 include:sendgrid.net ~all
v=spf1 ip4:192.0.2.1 ~all
After (correct):
v=spf1 include:_spf.google.com include:sendgrid.net ip4:192.0.2.1 ~all
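The merge steps above can be scripted. This added example (not from the original page) combines several records into one, drops exact duplicate terms, and keeps a single `all` with the strictest qualifier found; `merge_spf` and the strictness table are illustrative names, and the `redirect=` guard goes beyond what the page covers.

```python
# Strictness of the qualifier on "all", weakest to strictest.
STRICTNESS = {"+": 0, "?": 1, "~": 2, "-": 3}

# The three records from the "Before (broken)" example above.
BEFORE = [
    "v=spf1 include:_spf.google.com ~all",
    "v=spf1 include:sendgrid.net ~all",
    "v=spf1 ip4:192.0.2.1 ~all",
]


def merge_spf(records):
    """Merge SPF records into one: terms in first-seen order, a single final 'all'."""
    terms, all_qualifier = [], None
    for record in records:
        version, *rest = record.split()
        if version.lower() != "v=spf1":
            raise ValueError(f"not an SPF record: {record!r}")
        for term in rest:
            bare = term.lstrip("+-~?").lower()
            if bare == "all":
                # A bare "all" means "+all"; keep the strictest qualifier seen.
                qualifier = term[0] if term[0] in STRICTNESS else "+"
                if STRICTNESS[qualifier] > STRICTNESS.get(all_qualifier, -1):
                    all_qualifier = qualifier
            elif bare.startswith("redirect="):
                # Not covered by the page: redirect= is ignored once "all" is present,
                # so a record that relies on it has to be merged by hand.
                raise ValueError(f"cannot merge automatically: {term}")
            elif term not in terms:
                terms.append(term)  # drop exact duplicates across records
    tail = [f"{all_qualifier}all"] if all_qualifier else []
    return " ".join(["v=spf1", *terms, *tail])


if __name__ == "__main__":
    print(merge_spf(BEFORE))
```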
Watch the Lookup Limit
When merging, remember SPF has a 10 DNS lookup limit. Each include, a, mx, ptr, and exists mechanism counts as a lookup.
| Mechanism | Lookup Count |
|---|---|
| include: | 1 + lookups in included record |
| a | 1 |
| mx | 1 |
| ip4: | 0 (no lookup needed) |
| ip6: | 0 (no lookup needed) |
If your merged record exceeds 10 lookups, you need to:
- Use IP addresses instead of includes where possible
- Consider SPF flattening services
- Evaluate if all mechanisms are necessary
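The "1 + lookups in included record" rule from the table compounds quickly with nested includes. This added example (not from the original page) counts the worst-case lookups for a merged record by recursing through a constructed set of records held in a dictionary instead of live DNS; all domains and records in `ZONE` are made up.

```python
LIMIT = 10
LOOKUP_MECHANISMS = ("a", "mx", "ptr", "exists")  # one DNS query each

# Constructed SPF records standing in for DNS; none of these are real providers.
ZONE = {
    "example.com": "v=spf1 include:_spf.mail.example include:_spf.bulk.example a mx ip4:192.0.2.1 ~all",
    "_spf.mail.example": "v=spf1 include:_a.mail.example include:_b.mail.example include:_c.mail.example ~all",
    "_a.mail.example": "v=spf1 ip4:198.51.100.0/26 ~all",
    "_b.mail.example": "v=spf1 ip4:198.51.100.64/26 ~all",
    "_c.mail.example": "v=spf1 ip6:2001:db8::/32 ~all",
    "_spf.bulk.example": "v=spf1 include:_u.bulk.example a:out.bulk.example mx exists:%{i}.bl.bulk.example ~all",
    "_u.bulk.example": "v=spf1 ip4:203.0.113.0/24 ~all",
}


def count_lookups(domain, zone, stack=()):
    """Worst-case number of DNS-querying terms reachable from domain's SPF record."""
    if domain in stack:
        raise ValueError(f"include loop through {domain}")
    total = 0
    for term in zone[domain].split()[1:]:
        bare = term.lstrip("+-~?").lower()
        name = bare.split(":", 1)[0].split("/", 1)[0]
        if name == "include":
            # 1 for the include itself, plus everything inside the included record.
            target = bare.split(":", 1)[1]
            total += 1 + count_lookups(target, zone, stack + (domain,))
        elif bare.startswith("redirect="):
            # Not in the page's table: the redirect= modifier counts the same way.
            target = bare.split("=", 1)[1]
            total += 1 + count_lookups(target, zone, stack + (domain,))
        elif name in LOOKUP_MECHANISMS:
            total += 1
    return total


def exceeds_limit(domain, zone):
    """True when the worst-case count is over the 10-lookup limit."""
    return count_lookups(domain, zone) > LIMIT


if __name__ == "__main__":
    print(count_lookups("example.com", ZONE), exceeds_limit("example.com", ZONE))
```

The top-level record shows only four lookup terms, but the nested includes bring the total to 11; replacing the first include with its IP ranges brings it back under the limit.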
Common Services to Merge
Here are SPF includes for popular services:
| Service | SPF Include |
|---|---|
| Google Workspace | `include:_spf.google.com` |
| Microsoft 365 | `include:spf.protection.outlook.com` |
| SendGrid | `include:sendgrid.net` |
| Mailchimp | `include:servers.mcsv.net` |
| Amazon SES | `include:amazonses.com` |
| Mailgun | `include:mailgun.org` |
| Postmark | `include:spf.mtasv.net` |
| HubSpot | `include:_spf.hubspot.com` |
| Salesforce | `include:_spf.salesforce.com` |
| Zendesk | `include:mail.zendesk.com` |
Example combined record:
v=spf1 include:_spf.google.com include:sendgrid.net include:servers.mcsv.net ~all
Updating DNS
In Common DNS Providers
Cloudflare:
- Go to DNS settings
- Find existing TXT records with SPF
- Delete all but one
- Edit the remaining record with merged content
GoDaddy:
- Go to DNS Management
- Find TXT records
- Delete duplicates
- Update the single remaining SPF record
Route 53:
- Go to Hosted Zones
- Find your domain
- Edit/delete TXT records
- Ensure only one SPF record exists
DNS changes can take up to 48 hours to propagate globally, though most complete within a few hours.
Verifying the Fix
After merging:
- Wait for propagation — Give DNS time to update
- Check the record — Verify only one SPF record exists
- Test SPF — Use an SPF checker to validate syntax
- Send test emails — Verify SPF passes in email headers
Preventing Future Issues
Document Your SPF Record
Keep a record of:
- What services are included
- Why each mechanism exists
- Who is responsible for changes
Process for Adding Services
When adding a new email service:
- Get their SPF requirements
- Add to your existing record (don't create new)
- Test before going live
- Document the change
Regular Audits
Quarterly, check that:
- Only one SPF record exists
- All mechanisms are still needed
- Total lookups remain under 10
- Record syntax is valid
What About SPF for Subdomains?
Each subdomain can have its own SPF record. Having SPF records at both example.com and mail.example.com is fine—they're different domains.
example.com TXT "v=spf1 include:_spf.google.com ~all"
mail.example.com TXT "v=spf1 include:sendgrid.net ~all"
This is valid because they're separate domains.
Related SPF Problems
SPF Record Not Found
If you have no SPF record, create one. Don't create multiple.
SPF Record Too Long
A single TXT string is limited to 255 characters, but one record can hold several strings, which receivers concatenate without adding spaces:
"v=spf1 include:_spf.google.com include:sendgrid.net " "include:servers.mcsv.net include:amazonses.com ~all"
Most DNS providers handle this automatically.
Too Many DNS Lookups
If merging pushes you over 10 lookups:
- Replace includes with IP ranges where possible
- Use SPF flattening
- Evaluate if you need all services
Check Your SPF Configuration
Verify you have exactly one SPF record and that it's configured correctly.
Publishing multiple SPF records is a common and easily fixable mistake. Merge your records into one, verify the fix, and implement processes to prevent it from happening again.