Multiple SPF records? Don’t do it!
This comprehensive guide explores the perils of duplicate SPF entries and how to fix them for email security and deliverability. Discover why multiple records break authentication, how to merge sources, SPF syntax and limits, tools to detect issues, and more best practices for proper SPF configuration.
What are SPF Records and How Do They Work?
Definition and Purpose of SPF Records
SPF records are a key component of any email security strategy. SPF stands for Sender Policy Framework, and it’s a method for authenticating the sender of an email by verifying the source IP address against authorized servers listed in DNS.
The purpose of SPF is to prevent email spoofing, forgery, and impersonation. It gives recipient servers a way to validate the origin of a message by checking that the sending server is authorized to send emails from that domain.
SPF works by publishing a DNS TXT record that lists the permitted sending IPs and hosts for a domain. For example, an SPF record for company.com might look like:
v=spf1 ip4:192.0.2.10 ip4:198.51.100.56 include:_spf.google.com -all
This authorizes 192.0.2.10, 198.51.100.56, and anything allowed by Google to send as company.com.
When an email arrives claiming to be from company.com, the receiving mail server retrieves the SPF record and checks that the source IP matches. If it’s not in the list, the mail server will reject the message as fraudulent.
That’s the basics of how SPF verification works to stop spoofing and ensure delivery of legitimate mail. Next let’s look at the syntax format.
SPF Record Format and Syntax
SPF records have a defined syntax and format that receiving servers rely on to interpret them correctly:
- The record is a TXT type in DNS
- Must start with “v=spf1”
- Followed by mechanisms and modifiers:
  - “include” to reference other domains’ records
  - “ip4” and “ip6” to list allowed IP addresses
  - “a” and “mx” to check domain A and MX records
  - “~all”, “-all”, “?all” to specify how unknown IPs are handled
- Limited to a maximum of 10 DNS lookups
- Keep under 255 characters per string
Some examples:
v=spf1 ip4:192.0.2.10 include:otherdomain.com -all
v=spf1 ip4:198.51.100.0/24 mx:mailserver.company.com ~all
Following this defined structure allows receiving mail servers to reliably fetch and parse SPF records during the authentication process. Deviating from the format will cause issues.
Now let’s examine how servers perform SPF checks using these records.
How SPF Authentication Works
When an email is received, the mail server initiates an SPF check to verify the sender:
- Extract the domain from the “MAIL FROM” address in the envelope sender. For example, company.com.
- Look up the SPF record for this domain in DNS.
- Parse mechanisms like “ip4” and “include” to build a list of authorized servers.
- Check if the source IP of the email matches the IPs in the SPF record.
- If there is a match, the check passes and the message is authenticated.
- If no match, the check fails and the mail server applies the record’s fail policy, either rejecting the message or marking it suspicious.
- If “include” statements are present, repeat the process on those domains to recursively build the list of allowed IPs.
- Limit DNS queries to 10 including lookups from includes. More than 10 is a permanent error.
Once the process completes, the receiving mail server will allow or reject delivery accordingly.
Some key points:
- SPF checks verify the “MAIL FROM” envelope address, not the visible From: address.
- Only authorized servers will pass SPF and be allowed to deliver mail for a domain.
- Invalid senders spoofing a domain will fail and be blocked or filtered by SPF.
- SPF prevents spoofed mail while allowing legitimate mail from approved sources.
With a valid SPF record, senders can ensure their outbound mail passes authentication and reaches the recipient inbox. That covers the key aspects of how SPF records work to protect domains from spoofing and impersonation.
Why You Should Not Have Multiple SPF Records
Multiple Records Cause Authentication Failure
The most important reason not to have multiple SPF records is that it will cause authentication failures.
The SPF specification explicitly prohibits multiple records, stating that:
A domain name must not have multiple records that would cause an authorization check to select more than one record.
This means if a domain has two or more TXT records starting with “v=spf1”, they will interfere with each other during SPF checks.
When a receiving server looks up the SPF record, it will see two or more results and be unable to determine which one to use. As a result, the SPF check will permanently fail and return “PermError”.
For example, if a domain had:
v=spf1 include:server1.com
v=spf1 include:server2.com
The SPF check would always fail with PermError, blocking all legitimate mail from being delivered.
So having multiple SPF records breaks the authentication process and prevents any email from passing checks. This will severely damage email deliverability.
Difficulty Detecting the Issue
Another problem with multiple SPF records is that the issue can be difficult to detect.
When there are two or more records, each one will appear valid when inspected individually. For example:
v=spf1 include:server1.com -all
This seems like a proper SPF record. But together with a second record, it would cause PermError.
Since the DNS system itself allows creating multiple TXT records, there’s nothing to prevent someone from adding a new record without realizing one exists.
Unless you run a specific SPF record check, it’s easy to overlook multiple entries causing authentication failures. The only symptom might be emails getting blocked or marked as spam.
Actively monitoring for multiple records is important to avoid unpredictable deliverability issues.
Workarounds Exist Within a Single Record
Finally, the other key reason not to use multiple SPF records is that workarounds exist within a single record.
If you need to authorize multiple servers or include other domains, this can be achieved using “ip4”, “include” and other mechanisms within one SPF record.
For example:
v=spf1 ip4:192.0.2.10 ip4:198.51.100.56 include:otherdomain.com -all
This covers two IPs and a reference to another domain in one valid record. No need for multiples.
So in summary:
- Multiple SPF records are prohibited and break authentication.
- The issue can be hard to detect unless explicitly checked.
- Alternatives exist to include multiple servers within one record.
For reliable deliverability, domains should maintain a single consolidated SPF record referencing all required sending sources.
When Would You Need Multiple SPF Sources?
While multiple SPF records themselves are prohibited, there are valid reasons you may need to reference multiple sending sources within a single SPF record. Common scenarios include:
Using Multiple Email Service Providers
Many businesses rely on external email service providers to handle subsets of their email. For example:
- Using Gmail or Office 365 for internal communication
- Leveraging SendGrid for marketing campaigns
- Sending transactional email through Mailgun or Amazon SES
Each of these services will have their own dedicated IPs for sending your mail. To ensure deliverability, their servers need to be authorized in your SPF record.
For example, you may have:
- G Suite SPF record: include:_spf.google.com
- SendGrid SPF record: include:sendgrid.net
- Mailgun SPF record: include:mailgun.org
Rather than creating multiple SPF records for each provider, you can consolidate them into one record using “include” statements:
v=spf1 include:_spf.google.com include:sendgrid.net include:mailgun.org -all
Now mail from all three services will be authorized, without needing multiple records.
Having Multiple Mail Servers
Similarly, larger companies often operate their own on-premise mail servers in addition to cloud email services.
For example, you may host mail for:
- HR department on Exchange servers
- Sales on Postfix/Sendmail Linux servers
- Support on a legacy AIX mail system
All these internal servers will have distinct IP ranges in your infrastructure. But they can be merged into a single SPF record:
v=spf1 ip4:192.168.1.0/24 ip4:192.168.2.0/24 ip4:198.51.100.0/28 -all
Rather than an SPF record for each location, consolidate everything into one list of subnet ranges.
Merging Domains and Infrastructure
Finally, you may need to authorize multiple SPF sources when merging corporate domains and IT infrastructure.
For example, Acme Co acquires Widget Corp and hosts mail for widgetcorp.com on Acme’s servers. The consolidated SPF record would include:
- Acme’s IPs and domains
- Any of Widget Corp’s previously authorized servers
- References to domains owned by both companies
This allows a smooth email transition during mergers and acquisitions as the SPF policies are unified.
The key in all these scenarios is to remember that while multiple SPF sources are needed, they must be consolidated into a single DNS record. The sources themselves can be referenced with “include”, IP lists, and other mechanisms.
With proper planning, complex infrastructure can be streamlined into a valid policy that authorizes all required sending servers.
How to Validly Include Multiple SPF Sources
While multiple SPF records are prohibited, there are valid ways to reference multiple sending sources within a single record.
Using the Include Mechanism
The “include” mechanism allows importing other domains’ SPF records:
include:<domain>
For example, to utilize G Suite’s SPF record:
include:_spf.google.com
When a receiving server sees this, it will recursively resolve _spf.google.com to fetch its SPF record, parse it, and add those IPs to the allowed senders list.
The major benefit of include is that it automatically inherits any changes or additions to the other domain’s policy. You don’t need to manually update your SPF if Google authorizes new servers.
However, there is a limit of 10 total DNS lookups per SPF check, including lookups from includes. So you need to budget for includes accordingly.
For example, a record combining nested includes with an explicit IP, with the direct lookup cost of each term noted:
v=spf1
include:secondarydomain.com # 1 lookup, plus any includes inside secondarydomain.com’s own record
include:thirdleveldomain.com # 1 lookup, plus any includes inside thirdleveldomain.com’s own record
ip4:192.0.2.10 # 0 lookups
-all
So use includes strategically to reference other SPF records without exceeding the lookup limit.
Listing Multiple IP Addresses
For specifying individual IPs, you can include multiple entries in the “ip4” and “ip6” lists:
ip4:192.0.2.10 ip4:198.51.100.50 ip4:203.0.113.75
This explicitly permits those 3 IPv4 addresses to send mail as your domain.
For IPv6:
ip6:2001:db8::1 ip6:2001:db8::2
You can also specify CIDR ranges to authorize subnets:
ip4:192.0.2.0/24 ip4:198.51.100.0/28
And combine individual IPs and ranges as needed within the limits of the record syntax.
No DNS lookups are triggered by IP lists, so you can add these liberally without impacting your total lookup budget.
Adding Multiple Domains
To authorize other domains, use the “a” and “mx” mechanisms:
a:server1.example.com mx:mail.example.net
This allows the IPs specified by the A record of server1.example.com and the MX record of mail.example.net to send mail.
Again, each domain reference counts as a DNS lookup. But for a limited number of entries, “a” and “mx” provide an alternative to listing IPs manually.
In summary, “include”, IP lists, and domain references provide flexible options to consolidate multiple senders into a valid SPF record. Get creative within the syntax rules to authorize your email infrastructure.
SPF Record Limits and Considerations
When consolidating multiple sources into an SPF record, be aware of key limits and syntax requirements.
10 DNS Lookup Limit for SPF Checks
The SPF specification enforces a maximum of 10 DNS lookups during a single SPF check, including the initial lookup of your domain’s published record.
Lookups triggered by:
- The “include” mechanism
- “a” and “mx” domain checks
- Any nested “include” statements in referenced SPF records
All count against the limit. If a check exceeds 10 lookups, it terminates with a permanent error.
For example, this would exceed the limit:
v=spf1
include:secondarydomain.com # Lookup 1, plus every include nested in that record
include:thirdleveldomain.com # Lookup 2, plus every include nested in that record
include:fourthdomain.com # Lookup 3, plus every include nested in that record
ip4:192.0.2.10 # No lookup
-all
The 3 includes cost 3 lookups directly; if each referenced record carries a few includes of its own, the total quickly passes 10 and hits the cap.
To avoid this, reduce nested lookups and consolidate sources. For example:
v=spf1
include:secondarydomain.com # Lookup 1, plus any nested in that record
ip4:192.0.2.10 # No lookup
ip4:198.51.100.8 # No lookup
-all
Now within the 10 limit despite multiple sources.
If your SPF record unavoidably exceeds 10 lookups due to complexity, consider using SPF flattening tools to reduce nested includes.
Watching Out For Nested Includes
One cause of exceeding the lookup limit is nested includes several layers deep. For example:
Your SPF:
include:secondary.com
secondary.com SPF:
include:thirdlevel.com
thirdlevel.com SPF:
include:fourthlevel.com
Each include triggers another lookup. So even if your SPF only has 1-2 includes, you could be unintentionally adding 4+ lookups when nested records are processed.
Carefully evaluate any SPF records you include to understand the full lookup chain. Favor includes to domains with simpler SPF policies to minimize lookups.
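The authentication walk-through above, the PermError on multiple records, and the 10-lookup limit with nested includes can all be exercised in one place. The following is an added example, not code from the original article: it evaluates SPF against a constructed in-memory DNS table, and every domain name and address in it is made up.

```python
"""Minimal SPF evaluator over a constructed, in-memory DNS table (added example,
not code from the article). It selects the v=spf1 TXT record, returns PermError
when more than one exists, walks the mechanisms left to right, and charges one DNS
lookup for every include, a and mx, returning PermError past the 10-lookup limit."""
import ipaddress

MAX_LOOKUPS = 10
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed DNS data (documentation addresses, made-up names):
# domain -> {"TXT": [...], "A": [...], "MX": [...]}
DNS = {
    "company.com": {"TXT": ["v=spf1 ip4:192.0.2.10 mx include:_spf.provider.example -all"],
                    "MX": ["mail.company.com"]},
    "mail.company.com": {"A": ["203.0.113.25"]},
    "_spf.provider.example": {"TXT": ["v=spf1 ip4:198.51.100.0/24 ~all"]},
    "duplicate.example": {"TXT": ["v=spf1 include:server1.example -all",    # two records:
                                  "v=spf1 include:server2.example -all"]},  # the PermError case
}
# A chain of nested includes deep0 -> deep1 -> ... -> deep12: more than 10 lookups.
for i in range(12):
    DNS[f"deep{i}.example"] = {"TXT": [f"v=spf1 include:deep{i + 1}.example -all"]}


def spf_records(domain):
    """TXT strings on the name that are SPF records (the version tag is case-insensitive)."""
    return [t for t in DNS.get(domain, {}).get("TXT", [])
            if t.lower() == "v=spf1" or t.lower().startswith("v=spf1 ")]


def check_spf(domain, ip, state=None):
    """Evaluate SPF for (domain, ip). Returns (result, dns_lookups_used)."""
    state = state if state is not None else {"lookups": 0}   # counter shared with includes
    records = spf_records(domain)
    if not records:
        return "none", state["lookups"]
    if len(records) > 1:          # RFC 7208 3.2: more than one record is a PermError
        return "permerror", state["lookups"]
    addr = ipaddress.ip_address(ip)
    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in RESULT:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return RESULT[qualifier], state["lookups"]
        if name in ("ip4", "ip6"):           # address lists cost no DNS lookups
            net = ipaddress.ip_network(arg, strict=False)
            matched = addr.version == net.version and addr in net
        elif name in ("include", "a", "mx"):
            state["lookups"] += 1            # each of these is one DNS lookup
            if state["lookups"] > MAX_LOOKUPS:
                return "permerror", state["lookups"]
            target = arg or domain
            if name == "include":
                sub, _ = check_spf(target, ip, state)   # recursion shares the counter
                if sub in ("permerror", "none"):
                    return "permerror", state["lookups"]
                matched = sub == "pass"
            else:                            # a: the name's A records; mx: its MX hosts' A records
                hosts = [target] if name == "a" else DNS.get(target, {}).get("MX", [])
                matched = any(ip in DNS.get(h, {}).get("A", []) for h in hosts)
        else:
            return "permerror", state["lookups"]   # unknown mechanism
        if matched:
            return RESULT[qualifier], state["lookups"]
    return "neutral", state["lookups"]              # nothing matched and no "all" term


if __name__ == "__main__":
    for dom, ip in [("company.com", "192.0.2.10"), ("duplicate.example", "192.0.2.10")]:
        print(dom, ip, "->", check_spf(dom, ip))
```

The second value returned is the number of lookups spent, which makes the cost of a nested include chain visible alongside the pass/fail result.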
Following Proper Syntax
Finally, be vigilant about following proper SPF record syntax and structure. Key requirements:
- Start with “v=spf1”
- Limit text strings to 255 characters
- Don’t exceed 10 lookups
- End with “-all”, “~all” or a similar “all” mechanism
- Use valid mechanisms only: include, a, mx, ptr, ip4, ip6
Tools like SPF record validators will check syntax and prevent formatting issues from breaking your record.
With attention to these limits and best practices, complex infrastructure can be streamlined into a consolidated and compliant SPF record.
Checking for Multiple SPF Records
To avoid SPF authentication issues, you should periodically check your domains for multiple SPF records. Here are some methods:
Using Online SPF Checking Tools
The easiest way to validate your SPF configuration is using online checking tools:
- DMARCLY SPF Checker – Checks syntax, identifies multiple records
- MXToolbox SPF Lookup – Comprehensive SPF analysis and record validation
- Agari SPF Record Check – Checks SPF syntax and lookups
These tools query your domain’s DNS for SPF records, parse and evaluate them, and return a report with any errors found.
For multiple SPF records, the tools will clearly warn that they’ve detected more than one “v=spf1” entry under your domain. Some provide specific guidance on merging records.
Online checkers offer a quick and reliable way to audit your SPF configuration. Running checks regularly prevents accidental SPF misconfigurations from going unnoticed.
Manual Checking with Dig and Nslookup
You can also manually examine your domain’s SPF records using DNS lookup tools like dig and nslookup.
With dig, query for the TXT records and inspect the entries:
$ dig txt example.com
;; ANSWER SECTION:
example.com. 3600 IN TXT "v=spf1 -all"
example.com. 3600 IN TXT "v=spf1 include:otherdomain.com -all"
Any additional TXT records starting with v=spf1 indicate duplicate SPF records.
Similarly, nslookup -type=txt will list all TXT records and their values:
$ nslookup -type=txt example.com
Non-authoritative answer:
example.com text = "v=spf1 -all"
example.com text = "v=spf1 include:otherdomain.com -all"
Checking manually gives you visibility into the raw SPF records without relying on a third-party tool.
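To automate the manual check above, this added example (not the article’s code) parses dig output in both the full and the +short form, joins the quoted strings of each TXT record, and counts the v=spf1 entries; the dig output embedded in it is constructed.

```python
"""Parse the output of `dig txt <domain>` (full or +short form) and flag domains
that publish more than one SPF record. Added example, not the article's code.
Each TXT record's quoted strings are concatenated, since a record longer than
255 characters is published and printed as several adjacent strings."""
import re
import sys

ANSWER_LINE = re.compile(r'^\S+\s+\d+\s+IN\s+TXT\s+(.*)$')      # name TTL IN TXT "..."
QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')                      # one quoted string, \" allowed

# Constructed dig output: two SPF records (the second split into two strings)
# plus an unrelated TXT record that must not be counted.
SAMPLE_DIG_OUTPUT = """\
; <<>> DiG 9.18.0 <<>> txt example.com
;; ANSWER SECTION:
example.com.            3600    IN      TXT     "v=spf1 -all"
example.com.            3600    IN      TXT     "v=spf1 include:otherdomain.com " "-all"
example.com.            3600    IN      TXT     "site-verification=constructed-token"
"""


def txt_records(dig_output):
    """Return every TXT value in the output, quoted strings joined into one value."""
    values = []
    for line in dig_output.splitlines():
        if line.startswith('"'):                 # dig +short prints only the strings
            rdata = line
        else:
            match = ANSWER_LINE.match(line)
            if not match:
                continue                         # comments, blank lines, other sections
            rdata = match.group(1)
        strings = QUOTED.findall(rdata)
        values.append("".join(s.replace('\\"', '"') for s in strings))
    return values


def spf_records(dig_output):
    """Only the TXT values that are SPF records: 'v=spf1' alone or followed by a space."""
    return [v for v in txt_records(dig_output)
            if v.lower() == "v=spf1" or v.lower().startswith("v=spf1 ")]


def audit(dig_output):
    """'ok' for exactly one SPF record, 'missing' for none, 'duplicate' for several."""
    count = len(spf_records(dig_output))
    return "ok" if count == 1 else ("missing" if count == 0 else "duplicate")


if __name__ == "__main__":
    # Pipe real output in (`dig txt example.com | python3 spf_audit.py`) or run on the sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DIG_OUTPUT
    for rec in spf_records(data):
        print(rec)
    print("result:", audit(data))
```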
Monitoring and Alerts
Finally, consider setting up ongoing monitoring and alerts for your domain’s SPF records.
Services like DMARCLY provide SPF change detection and can email notifications if an issue like multiple records is found.
Enabling monitoring ensures that any DNS misconfigurations are caught early before they can disrupt email delivery and authentication.
With regular automated checks, accidental SPF record duplicates can be identified and fixed before they cause problems.
Staying on top of your SPF configuration is important – leverage online tools, manual checks, and monitoring to avoid overlooked issues.
Fixing Multiple SPF Records
If you discover multiple SPF records for your domain, here are the steps to correctly merge and consolidate them:
Merging Multiple Records into One
When duplicate SPF records are found, they must be merged into a single DNS entry.
For example, if these two records exist:
example.com IN TXT "v=spf1 -all"
example.com IN TXT "v=spf1 include:otherdomain.com -all"
Combine them into one:
example.com IN TXT "v=spf1 include:otherdomain.com -all"
Rules for merging:
- Only one v=spf1 prefix
- Nest include statements and IP mechanisms together
- Finish with only one all mechanism
- Check character limits and DNS lookup limits
You want a single SPF record with all required include statements, IP lists, and domains consolidated.
For complex merges impacting multiple domains, plan changes carefully to avoid disrupting legitimate mail flows.
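The merge rules above as a function (added example, not the article’s code). The choice of the final all qualifier is left to the caller, defaulting to -all, since the rules only require that exactly one remains; the lookup check counts direct mechanisms only, and modifiers such as redirect= are passed through unchanged.

```python
"""Merge several SPF records into one, following the rules above (added example, not
the article's code): one v=spf1 prefix, mechanisms kept in their original order and
de-duplicated, exactly one trailing "all", then a check of the lookup and
255-character budgets before the record is published."""

LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}   # each costs one DNS lookup
MAX_LOOKUPS = 10
MAX_STRING = 255       # longest single TXT string; longer values are split into several


def mechanism_name(term):
    """'include:otherdomain.com' -> 'include', '~all' -> 'all', 'a/24' -> 'a'."""
    return term.lstrip("+-~?").split(":")[0].split("/")[0].lower()


def merge_spf_records(records, all_qualifier="-"):
    """Return (merged_record, warnings). all_qualifier is '-' (fail), '~' or '?'."""
    terms, seen, warnings = [], set(), []
    for rec in records:
        parts = rec.split()
        if not parts or parts[0].lower() != "v=spf1":
            raise ValueError(f"not an SPF record: {rec!r}")
        for term in parts[1:]:
            if mechanism_name(term) == "all":
                continue                     # dropped here; one "all" is appended below
            key = term.lstrip("+-~?").lower()
            if key in seen:
                continue                     # same mechanism already present
            seen.add(key)
            terms.append(term)               # modifiers (redirect=, exp=) pass through as-is
    merged = " ".join(["v=spf1", *terms, f"{all_qualifier}all"])
    # Direct lookups only: each include also brings in its own record's lookups.
    lookups = sum(1 for t in terms if mechanism_name(t) in LOOKUP_MECHANISMS)
    if lookups > MAX_LOOKUPS:
        warnings.append(f"{lookups} lookup mechanisms exceed the limit of {MAX_LOOKUPS}")
    if len(merged) > MAX_STRING:
        warnings.append(f"{len(merged)} characters: publish as several TXT strings")
    return merged, warnings


def as_txt_strings(record, limit=MAX_STRING):
    """Split a long record into <=255-character strings as stored in one TXT record."""
    return [record[i:i + limit] for i in range(0, len(record), limit)]


if __name__ == "__main__":
    # The two records from the example above.
    merged, warnings = merge_spf_records(["v=spf1 -all", "v=spf1 include:otherdomain.com -all"])
    print(merged, warnings)
```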
Steps to Update SPF Record in DNS
To update your SPF record in DNS:
- Login to your domain registrar or DNS hosting provider.
- Navigate to DNS record management and locate TXT records.
- Delete the duplicate SPF records, leaving only the single merged record.
- Modify the merged record as needed and save the changes.
- Allow up to 24 hours for DNS propagation.
Exact steps vary between different registrars and DNS systems. Refer to your provider’s documentation for specifics.
SPF changes should propagate globally within a day or two at most.
Confirming Resolution
Once you’ve updated your SPF records, confirm that only one remains:
- Re-check using online record validation tools.
- Inspect TXT records directly with dig or nslookup.
- Check that your emails are passing SPF authentication.
Monitoring tools can also automatically alert if duplicates reappear in the future.
Consolidating your records removes the duplicates and restores proper SPF functionality. Just be vigilant in ensuring the problem is fully resolved across all DNS servers worldwide.
With a clean SPF configuration, you can rest assured knowing your domain is protected from spoofing and your emails will be delivered reliably.
Multiple SPF Records – Do’s and Don’ts
When working with SPF records, keep these best practices in mind:
DO – Consolidate Sources into One Record
The golden rule is to consolidate all your authorized sending sources into a single SPF record.
Your one TXT entry can validate multiple IPs, domains, and includes – just avoid having multiple records themselves.
Regularly audit and update your SPF record to incorporate new sources rather than creating new records.
Keep the policy in a central place you revisit whenever infrastructure changes. Don’t let duplicates crop up on different subdomains or DNS systems.
DON’T – Exceed 10 DNS Lookups
Avoid exceeding the 10 DNS lookup limit imposed by the SPF specification.
Too many includes or nested includes are a common cause. Audit your dependencies and flatten when possible.
Also watch out for typos or redundant entries that waste lookups. Every mechanism should serve a purpose.
Staying under the limit ensures your record works reliably without hitting permanent errors.
DO – Use Online Tools to Validate
Leverage SPF checking and validation tools to audit your record. For example:
$ dig txt example.com +short
"v=spf1 ip4:192.0.2.10 include:otherdomain.com -all"
This verifies only one TXT record exists.
Online checkers also parse for syntax, character length, lookup limits, and other syntax issues that could break your SPF authentication.
Periodic checks give you confidence in your SPF config and catch any issues early.
Other Tips:
- Monitor your domains for unexpected SPF record changes.
- Understand lookup limits if using multiple levels of nested includes.
- Follow a change management process when modifying SPF records.
- Use reference tags like ip4: instead of full IP addresses to allow flexibility.
- Comment complex records for future maintainers.
With care and best practices, you can avoid the pitfalls of multiple SPF records and implement a sound policy accommodating all your email sources.
Key Takeaway
Summary of Key Points
Maintaining a proper SPF record is essential to ensuring your emails are authenticated and delivered reliably.
The key points about using multiple SPF records:
- SPF records list authorized servers that can send email as your domain. They prevent spoofing.
- Multiple SPF records for the same domain break authentication and must be avoided.
- Instead, consolidate all senders into a single SPF record using “include”, IPs, and other mechanisms.
- Watch out for limits like the 10 maximum DNS lookups per SPF check when consolidating records.
- Use online tools and monitors to catch multiple records or other SPF issues proactively.
- If duplicates exist, merge them into one validated, optimized record.
- Regularly check your SPF configuration and update as email infrastructure evolves.
With attention and care, a properly configured SPF record can accommodate complex email environments without compromising deliverability.
Maintaining Valid SPF Configuration
Be vigilant about keeping your SPF record tuned over time:
- Review frequently and check after making changes.
- Monitor your DNS for unexpected modifications.
- Revalidate when adding or changing email domains, servers, and services.
- Optimize for minimum lookups and maximum relevance.
- Adjust policies and mechanisms as infrastructure evolves.
- Update references to domains if ownership changes.
- Consider automating alerts for configuration issues.
Keeping SPF records current reduces deliverability problems and protects your domain’s sending reputation.
Optimizing Email Deliverability
A valid, optimized SPF record is one component of overall email deliverability:
- Also implement DMARC and DKIM for multidimensional email security.
- Ensure your actual mail servers have strong IP reputations.
- Follow best practice guidelines for email content.
- Monitor inbox placement rates and fine-tune as needed.
- Use services to warm up new sending IPs over time.
With SPF, DMARC, DKIM, and other solutions working together, you can achieve excellent email deliverability and inbox placement while safeguarding your domain’s reputation.
Summary: Can You Have Multiple SPF Records?
- SPF records authorize servers that can send email on behalf of your domain to prevent spoofing.
- Having multiple SPF records for one domain breaks authentication and must be avoided at all costs.
- To include multiple senders, use “include”, IP lists, and other mechanisms within a single consolidated SPF record.
- Watch out for the 10 DNS lookup limit and reduce nested “include” statements.
- Use online tools to validate your SPF syntax and identify multiple records.
- If duplicate records exist, merge them into one compliant SPF policy.
- Monitor your DNS regularly for changes and make sure SPF stays up to date.
- Proper SPF configuration combined with DMARC and DKIM is key for email security and deliverability.
Frequently Asked Questions
Can I have two SPF records on my domain?
No, you can only have one SPF record per domain. Multiple records will break SPF authentication.
What should I do if I have multiple SPF records?
Consolidate all the sources from the duplicate records into a single SPF record. Delete the extra records until just one remains.
How do I include multiple authorized servers in my SPF record?
Use “include”, IP lists, and domain mechanisms within your one SPF record to add multiple authorized sources.
What is the limit on DNS lookups in an SPF record?
SPF checks are limited to 10 DNS lookups total. Exceeding this limit will cause permanent errors.
How do I avoid exceeding the 10 lookup limit?
Audit nested “include” statements and reduce them when possible. Flattening tools can help consolidate complex records.
Can SPF records be longer than 255 characters?
Yes, SPF values can span multiple 255 character strings within the DNS TXT record field.
How often should I check my SPF records?
Review your SPF record frequently, at least every few months. Also check after making infrastructure changes that impact your authorized email servers.
What’s the best way to validate my SPF record?
Use online SPF checking tools to parse your record and highlight any errors like multiple records or syntax issues.
What happens if my SPF record is invalid?
If your SPF record is improperly configured, emails from your authorized servers may fail SPF checks and be blocked or marked as spam.