Are your emails constantly landing in spam folders or being rejected? Your domain’s multiple SPF records might be the cause of the issue. Unfortunately, despite being a common issue, SPF configuration mistakes aren’t easy to spot unless you know where to look and when to do it.

So, what exactly is an SPF record? A Sender Policy Framework (SPF) record is a TXT record in your Domain Name System (DNS) that lists all the authorized servers allowed to send emails on your domain’s behalf. But while SPF is designed to protect your domain from being used in spoofing and phishing attacks, having more than one SPF record will negatively impact your email deliverability.

In this article, we’ll discuss why multiple SPF records are problematic, how to check for multiple SPF records, and how to resolve them to ensure your emails reach intended inboxes.

Is it Okay to Have Multiple SPF Records?

It’s not okay to have multiple SPF records. The RFC 7208 SPF standard guidelines clearly state that there should only be a single record per domain.


When a receiving mail server checks your domain’s DNS and finds multiple TXT records that begin with “v=spf1” (the SPF record identifier), it won’t know which one to trust. As a result, all emails sent from or on behalf of your domain will fail SPF authentication with a permanent error (PermError). This validation failure will cause your emails to bounce or be flagged as spam, even when they are legitimate.

Fortunately, you can merge the different records into one comprehensive record that includes all authorized senders. But before we discuss how to fix your multiple SPF records configurations, let’s cover how to check for multiple SPF records.

How to Check for Multiple SPF Records?

To avoid the email deliverability issues that come with misconfigured SPF records, it is important to confirm whether your domain has multiple SPF records.  Here are three reliable methods you can use to check for multiple SPF records.

Use online SPF record checkers

Using SPF validation tools is one of the quickest and easiest ways to check for multiple SPF records. Some of the trusted SPF record checkers include:

  • MXToolbox SPF Check
  • EasyDMARC SPF Checker
  • DMARC Analyzer SPF Record Check
  • DMARCLY SPF Record Checker
  • Kitterman’s SPF Record Testing Tool

For most of these online tools, you just need to enter a single domain name into the designated field on the tool’s website and click the action button to initiate the SPF record check.


The tool will perform a DNS lookup for your domain’s TXT records. It will then analyze these records to see if any start with the SPF record identifier, v=spf1.  Most checker tools will explicitly state if they have found more than one SPF record for your domain. For example, a tool might display a message like “multiple SPF records found” or list each SPF record it has detected separately.

Check DNS records manually

If you have access to your DNS settings through your domain registrar or hosting provider’s DNS management platform, you can identify TXT records associated with your domain. Look for records that begin with v=spf1. If you see more than one v=spf1 record, then it means your domain has duplicates.  You can also confirm if multiple records exist due to different active email service providers or outdated configurations. Doing this will help you determine what records need to be removed and which ones need to be merged into a single valid SPF record.

Use command-line tools

If you are tech-savvy, you can run a simple DNS query from a terminal or command prompt. Use dig (on Linux and macOS) or nslookup (on Windows):

  • For dig: dig TXT yourdomain.com
  • For nslookup: nslookup -type=TXT yourdomain.com

Once you run the command, you will get a list of your domain’s TXT records, including any SPF records (the ones that begin with v=spf1). If you see more than one SPF record, then it means you have duplicates that either need to be merged or removed to ensure SPF standards compliance and email delivery.

Run occasional SPF checks to keep your SPF record RFC 7208 compliant. Also, always check your domain’s DNS TXT records before adding a new SPF entry, align all teams or email administrators managing your DNS to avoid duplicate entries, and maintain a clear record of authorized senders.

You can use an AI platform like Writer to generate clear and RFC 7208-compliant internal guides about SPF record configuration or troubleshooting in minutes. Such resources will go a long way in ensuring everyone with access to your DNS settings is on the same page.
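The check above can be automated. The following is an added example, not part of the original article: it takes TXT answers in the form `dig +short TXT yourdomain.com` prints them and reports whether the domain has zero, one, or several SPF records. The sample answers and the function names are constructed for illustration.

```python
import shlex

# Constructed sample: TXT answers as `dig +short TXT yourdomain.com` prints them.
SAMPLE_TXT = [
    '"google-site-verification=constructed-token"',
    '"v=spf1 include:_spf.google.com ~all"',
    '"v=spf1 include:_spf.getresponse.com" " ~all"',  # one record, two strings
    '"v=spf10 not-an-spf-record"',                    # wrong version tag
]

def txt_value(rdata):
    """Join the quoted strings of one TXT record with no separator."""
    return "".join(shlex.split(rdata))

def spf_records(txt_answers):
    """Return TXT values that are SPF records.

    A record counts only if it is exactly 'v=spf1' or starts with 'v=spf1 '
    (case-insensitive), so 'v=spf10 ...' is not mistaken for SPF.
    """
    found = []
    for rdata in txt_answers:
        value = txt_value(rdata)
        if value[:6].lower() == "v=spf1" and (len(value) == 6 or value[6] == " "):
            found.append(value)
    return found

def spf_status(txt_answers):
    """'none' for no SPF record, 'ok' for exactly one, 'permerror' for more."""
    count = len(spf_records(txt_answers))
    return "none" if count == 0 else "ok" if count == 1 else "permerror"

if __name__ == "__main__":
    for record in spf_records(SAMPLE_TXT):
        print(record)
    print(spf_status(SAMPLE_TXT))
```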

How to Merge Multiple SPF Records?

So, you’ve confirmed you have multiple SPF records. How do you go about merging them into a single record?  Let’s break down how to merge key mechanisms of your SPF entries into one functional and compliant record.

“include” mechanisms

The “include” mechanism allows your SPF record to authorize third-party services like email marketing platforms to send emails on your domain’s behalf. For instance, if you use Google Workspace to send business emails and GetResponse to run email newsletter campaigns, you might initially have two separate SPF records like:

v=spf1 include:_spf.google.com ~all

v=spf1 include:_spf.getresponse.com ~all

But, since you can’t have multiple SPF records or simply copy and paste one TXT record into another, you will need to merge all of them into a single record, as shown below.

v=spf1 include:_spf.google.com include:_spf.getresponse.com ~all

Remember, each “include” directive counts toward the 10 DNS lookup limit. Therefore, add only the “include” mechanisms you actually need.

“ip4” and “ip6” mechanisms

The “ip4” and “ip6” mechanisms in SPF records allow you to authorize specific IP addresses or ranges that can send emails on behalf of your domain. When your domain has multiple SPF records, each one might specify a different IP address or addresses using “ip4” or “ip6”.

v=spf1 ip4:203.0.113.5 ~all

v=spf1 ip4:198.51.100.8 ip6:2001:db8::2 ~all

When you merge them correctly, the record should look as shown below.

v=spf1 ip4:203.0.113.5 ip4:198.51.100.8 ip6:2001:db8::2 ~all

This SPF record tells mail servers that emails from 203.0.113.5 and 198.51.100.8 (both IPv4), and 2001:db8::2 (IPv6) are legitimate.

“a” and “mx” mechanisms

The “a” and “mx” mechanisms in SPF records allow email servers to authenticate senders based on domain-related configurations.

  • The “a” mechanism tells mail servers to trust the IP addresses associated with the domain’s A (IPv4) record.
  • The “mx” mechanism authorizes email servers specified in the domain’s MX records to send emails on your behalf.

Here’s an example of a merged “a” and “mx” record:

v=spf1 a mx ip4:192.168.1.1 include:_spf.example.com -all

The two mechanisms each appear only once, at the beginning of the record.

Ensure the “a” mechanism aligns with your current domain’s IP. Also, if your domain’s MX records only handle inbound mail services (receiving emails but not sending them), then you don’t have to include “mx”. You can just stick to “include” directives that list the authorized sender domains.
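The merge steps for “include”, “ip4”/“ip6”, and “a”/“mx” can be expressed as one routine. This is an added example, not part of the original article; `merge_spf` and its `all_term` parameter are hypothetical names. It assumes that when the input records end in different “all” qualifiers, a person must choose the final policy rather than the script guessing.

```python
def merge_spf(records, all_term=None):
    """Merge several SPF records into a single 'v=spf1 ... all' record.

    Mechanisms keep first-seen order and exact duplicates are dropped.
    If the inputs disagree on the 'all' qualifier (or have none), the
    caller must pass all_term explicitly, e.g. all_term='-all'.
    """
    merged, seen, all_terms = [], set(), set()
    for record in records:
        terms = record.split()
        if not terms or terms[0].lower() != "v=spf1":
            raise ValueError(f"not an SPF record: {record!r}")
        for term in terms[1:]:
            key = term.lower()
            if key.lstrip("+-~?") == "all":
                # A bare 'all' means '+all'; normalise before comparing.
                all_terms.add(key if key[0] in "+-~?" else "+all")
            elif key.startswith("redirect="):
                # redirect= is ignored once 'all' is present, so merging it
                # would silently change the policy.
                raise ValueError("redirect= cannot be merged automatically")
            elif key not in seen:
                seen.add(key)
                merged.append(term)
    if all_term is None:
        if len(all_terms) != 1:
            raise ValueError(
                f"pass all_term explicitly; inputs use {sorted(all_terms)}")
        all_term = all_terms.pop()
    return " ".join(["v=spf1", *merged, all_term])

if __name__ == "__main__":
    # The two pairs of records used as examples in this article.
    print(merge_spf(["v=spf1 include:_spf.google.com ~all",
                     "v=spf1 include:_spf.getresponse.com ~all"]))
    print(merge_spf(["v=spf1 ip4:203.0.113.5 ~all",
                     "v=spf1 ip4:198.51.100.8 ip6:2001:db8::2 ~all"]))
```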

New SPF record implementation

Once you’ve successfully merged multiple SPF records into one valid record, the next step is to implement it properly in your domain’s DNS settings.  Start by logging into your DNS hosting provider (GoDaddy, Cloudflare, DreamHost, Namecheap, etc.). From the dashboard, navigate to the DNS management section where you can view or edit DNS records. If there are multiple v=spf1 entries, replace them with the new merged version, double-check the structure, and save the changes. If there is no SPF record, go ahead and create a new TXT record. After saving your new SPF record, you’ll need to wait for DNS propagation, which can take up to 48 hours depending on your provider. The actual process of updating your DNS records may also vary based on the DNS hosting provider.

Best Practices For Merging Multiple SPF Records

Here are two of the best practices to follow when combining SPF records:

Maintaining DNS lookup limits

SPF records have a limit of 10 DNS lookups. The limit counts the number of times the receiving mail server queries DNS while evaluating your record to verify authorized email senders. Every “include”, “a”, “mx”, or other mechanism that triggers a DNS query counts toward this limit. If the SPF configuration exceeds 10 lookups, the email fails SPF authentication with a PermError. To keep your combined record within the DNS lookup limit:

  • Limit the number of “include” mechanisms.
  • Remove unused or outdated services.
  • Use tools like MXToolbox or Kitterman SPF validator to test your lookup counts.

You can also choose to flatten your SPF record by directly listing all the IP addresses included in the third-party services’ active records instead of using the “include” mechanism. However, this is only a good idea if you create a great system for monitoring and keeping the IP address list up-to-date in your SPF record.
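To see how nested “include” records add up against the limit, the following added example (not part of the original article) counts lookups recursively. It runs against a constructed set of records held in a dictionary instead of live DNS; all domain names and the function names are made up for illustration.

```python
# Constructed records standing in for live DNS; every domain name is made up.
ZONE = {
    "example.test": "v=spf1 a mx include:_spf.mail.test "
                    "include:_spf.news.test ip4:203.0.113.5 -all",
    "_spf.mail.test": "v=spf1 include:_netblocks.mail.test "
                      "include:_netblocks2.mail.test ~all",
    "_netblocks.mail.test": "v=spf1 ip4:198.51.100.0/24 ~all",
    "_netblocks2.mail.test": "v=spf1 ip6:2001:db8::/32 ~all",
    "_spf.news.test": "v=spf1 exists:%{i}.allow.news.test mx:news.test ~all",
}

# Terms that make the receiver query DNS; 'ip4', 'ip6', 'all', 'exp=' do not.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}
LIMIT = 10

def count_lookups(domain, zone, path=()):
    """Count DNS-querying terms for `domain`, following include/redirect.

    `path` holds the chain of domains being evaluated so that a record
    including itself (directly or indirectly) is reported, not looped on.
    """
    if domain in path:
        raise ValueError(f"SPF loop through {domain}")
    total = 0
    for term in zone[domain].split()[1:]:
        body = term.lstrip("+-~?").lower()
        if body.startswith("redirect="):
            target = body[len("redirect="):]
            total += 1 + count_lookups(target, zone, path + (domain,))
            continue
        name, _, target = body.partition(":")
        name = name.split("/")[0]  # 'a/24' or 'mx/24' carries a CIDR suffix
        if name in LOOKUP_MECHANISMS:
            total += 1
        if name == "include":
            total += count_lookups(target, zone, path + (domain,))
    return total

def within_limit(domain, zone):
    """True if evaluating the domain's SPF record needs at most 10 lookups."""
    return count_lookups(domain, zone) <= LIMIT

if __name__ == "__main__":
    print(count_lookups("example.test", ZONE), within_limit("example.test", ZONE))
```

The top-level record here has only four lookup-triggering terms, but the nested records bring the total to eight, which is why counting the visible “include” entries alone is not enough.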

Following character limits in SPF records

SPF records have a 255-character limit per string. This means that each part of an SPF record cannot exceed 255 characters. If your SPF record is longer than 255 characters, you can split it into multiple strings, as shown below.

"v=spf1 ip4:203.0.113.5 include:_spf.service1.com" " include:_spf.service2.com -all"

DNS servers will automatically combine these separate strings into a single string when processing them. However, some email servers may misinterpret split records, which is why it’s recommended to keep SPF records as short as possible by avoiding redundant entries and mechanisms.
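The strings are joined with nothing added between them, so the space that separates two mechanisms has to sit inside one of the strings. The following added example (not part of the original article; the function names are hypothetical) splits a record only at spaces and keeps each space at the start of the following string, as in the split record shown above.

```python
def split_txt(record, limit=255):
    """Split an SPF record into strings of at most `limit` characters.

    Breaks fall only between terms. The separating space opens the next
    string, so joining the strings with no separator restores the record.
    """
    chunks, current = [], ""
    for index, term in enumerate(record.split(" ")):
        piece = term if index == 0 else " " + term
        if len(piece) > limit:
            raise ValueError(f"single term longer than {limit}: {term!r}")
        if len(current) + len(piece) > limit:
            chunks.append(current)
            current = piece
        else:
            current += piece
    chunks.append(current)
    return chunks

def to_rdata(chunks):
    """Render the strings the way they are entered in a zone file."""
    return " ".join(f'"{chunk}"' for chunk in chunks)

def reassemble(chunks):
    """What the receiving side evaluates: the strings joined with no separator."""
    return "".join(chunks)

if __name__ == "__main__":
    # Constructed long record: 30 documentation-range addresses.
    long_record = ("v=spf1 "
                   + " ".join(f"ip4:198.51.100.{n}" for n in range(1, 31))
                   + " -all")
    parts = split_txt(long_record)
    print(len(long_record), [len(part) for part in parts])
    print(to_rdata(parts))
    print(reassemble(parts) == long_record)
```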

Conclusion

Having multiple SPF records will hurt your email deliverability and sender reputation. But while some entries can be removed, if they’re unnecessary, redundant, or outdated, some are crucial, and the best course of action is to merge them into a single entry. To keep your merged SPF record RFC 7208 compliant, ensure it stays within the DNS record lookup and character string limits. Also, run occasional SPF checks and align all teams managing your DNS settings to avoid duplicate entries.