Multiple SPF records for one email domain

Pros and cons of creating more than one SPF (Sender Policy Framework) record

Is it acceptable to have multiple SPF records on the same domain? This is one of the questions that comes up when setting up email authentication. What is the answer? The answer is no: SPF will fail with a PermError if a domain publishes more than one SPF record.

What is SPF?

Sender Policy Framework (SPF) is a protocol you can use to authenticate email. The framework helps shield senders and recipients from spam, spoofing, and phishing. It is published as a DNS TXT record.

A DNS TXT record holds text data published in your domain's DNS zone, and you add it through your DNS hosting provider or domain registrar.

In this article, you will discover how to prevent typical SPF problems and the do's and don'ts of multiple SPF records. You will also learn how to check which SPF record already exists for your domain.

Don't Use Multiple SPF records!

Publishing exactly one SPF record per domain has always been the first rule of SPF-based email authentication. If a domain publishes several records, the receiving server's authorization check finds more than one candidate record and cannot choose between them. To prevent the recipient server from rejecting mail for a domain name, the domain MUST NOT have multiple SPF records.

Imagine a new email service provider, such as Mailgun, asks you to set up an SPF record. You already have an active record for Gmail, but instead of extending it you create a second record. In the end, you have the following two SPF entries:

v=spf1 include:_spf.google.com ~all
v=spf1 include:mailgun.org ~all

Be aware that SPF authentication will fail for a domain with multiple SPF records. To avoid this, check whether an SPF record already exists before adding a new one.

How to Check SPF Records Existence

An SPF record checker gives a thorough analysis of the SPF record. Using a dedicated tool is the most effective way to verify the SPF record for your domain. Use MXToolBox's SPF record checker: enter your domain name or IP address and click the button. It can also check additional information, including MX records, DNS, sender reputation, and much more.

SPF Record Lookup by Easy DMARC and Look-Up SPF Records by Agari are further options. Both show whether the record is valid and report the number of DNS-querying mechanisms and the permitted IP addresses.

Checking the SPF Record Manually

Alternatively, you can check the record yourself with nslookup. On your command line, enter:

nslookup -type=txt <domain-name>

An example response from an nslookup command:

$ nslookup -type=txt mailslurp.com
Server:                192.168.1.1
Address:        192.168.1.1#53

Non-authoritative answer:
mailslurp.com        text = "v=spf1 include:_spf.google.com include:sendgrid.net include:smtp1.uservoice.com ~all"

This command should return a single SPF record, but what should you do if more than one SPF record is found for a domain?

What Should You Do If You Find Multiple SPF Records in Your Domain?

If you use Gmail or Microsoft Exchange, the duplicate SPF record problem ought to be resolved automatically. With other providers, you will probably have to handle it yourself. The best solution is to merge the two DNS TXT entries into a single record.

To achieve this, extend the newly added entry with the mechanisms from the previous entry, as follows:

v=spf1 ip6:2001:4860:4000::/37 include:_spf.google.com ~all

Note: When merging multiple SPF records, use v=spf1 only once, at the beginning, and the all mechanism only once, at the end.
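The merge described above, carried out in code. This is an added example and not MailSlurp's own code; it assumes the records are plain "v=spf1 ..." strings as returned by a TXT lookup and that every record ends with the same all term (if they disagree, the operator must decide which qualifier to keep, so the function refuses to guess).

```python
"""Merge several SPF TXT records for one domain into a single record.

Added example, not MailSlurp's code. Assumes plain "v=spf1 ..." strings
that all end with the same "all" term.
"""

def parse_spf(record: str) -> list[str]:
    """Split one SPF record into its terms; reject non-SPF records."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError(f"not an SPF record: {record!r}")
    return terms[1:]

def merge_spf(records: list[str]) -> str:
    """Combine the records: one v=spf1 prefix, exact duplicates dropped
    in first-seen order, and a single trailing all term."""
    mechanisms: list[str] = []
    all_terms: set[str] = set()
    for record in records:
        for term in parse_spf(record):
            # "all" (with any qualifier) must appear only once, at the end
            if term.lstrip("+-~?").lower() == "all":
                all_terms.add(term)
                continue
            if term not in mechanisms:          # drop exact duplicates
                mechanisms.append(term)
    if len(all_terms) != 1:
        raise ValueError(f"records disagree on the all term: {sorted(all_terms)}")
    return " ".join(["v=spf1", *mechanisms, all_terms.pop()])

# Constructed sample: the two conflicting records from the article.
EXAMPLE_RECORDS = [
    "v=spf1 include:_spf.google.com ~all",
    "v=spf1 include:mailgun.org ~all",
]

if __name__ == "__main__":
    print(merge_spf(EXAMPLE_RECORDS))
    # v=spf1 include:_spf.google.com include:mailgun.org ~all
```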

Top Best Practices for Properly Handling SPF Records

When merging, using the correct syntax for the combined SPF record is crucial, but there are other vital considerations as well.

  • A maximum of ten mechanisms and modifiers that perform DNS lookups may be used. Therefore, whenever you add a new email service provider, make sure that your final SPF record will not exceed the maximum of 10 allowed DNS queries.
  • The include, a, mx, ptr (deprecated), exists and redirect terms each cost one lookup. SPF authentication will fail if this limit is exceeded.
  • Need to list more than ten IP addresses? The limit does not apply to the all, ip4 and ip6 mechanisms, which need no DNS lookups.
  • Pay attention to nested "include" constructs: each "include" triggers a DNS query for its own SPF record, and the lookups inside that record count as well.
  • Observe the 255-character limit for a single TXT string. A single string cannot exceed 255 characters, but a TXT record may be split into several strings.
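The lookup budget and the 255-character rule from the list above, checked in code. This is an added example, not MailSlurp's code; it resolves include and redirect targets against a constructed in-memory zone (ZONE, hypothetical names) instead of live DNS, so it runs offline and shows how nested includes add up.

```python
"""Count the DNS lookups an SPF record triggers (following nested
includes) and split a long record into 255-character TXT strings.

Added example, not MailSlurp's code. ZONE is a constructed stand-in
for DNS so the walk runs offline.
"""
import re

LOOKUP_LIMIT = 10
# Terms that cost one DNS lookup each (ptr is deprecated);
# all, ip4 and ip6 are free.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

# Constructed zone: org.example pulls in a provider record that itself
# includes two relay records, as real provider SPF records often do.
ZONE = {
    "org.example": "v=spf1 ip4:192.0.2.0/24 include:_spf.mail.example mx ~all",
    "_spf.mail.example": "v=spf1 include:relay1.mail.example include:relay2.mail.example -all",
    "relay1.mail.example": "v=spf1 ip4:198.51.100.0/24 a -all",
    "relay2.mail.example": "v=spf1 ip6:2001:db8::/32 -all",
}

def count_lookups(domain: str, zone: dict[str, str] = ZONE) -> int:
    """Total DNS-querying terms reached from the domain's record,
    recursing into include:/redirect= targets the way a verifier does."""
    total = 0
    for term in zone[domain].split()[1:]:            # skip "v=spf1"
        name = re.split(r"[:=/]", term.lstrip("+-~?"), maxsplit=1)[0].lower()
        if name not in LOOKUP_TERMS:
            continue                                  # ip4/ip6/all: free
        total += 1
        if name in ("include", "redirect"):
            target = term.split(":" if name == "include" else "=", 1)[1]
            total += count_lookups(target, zone)      # nested lookups count too
    return total

def within_limit(domain: str, zone: dict[str, str] = ZONE) -> bool:
    """True when the record stays inside the 10-lookup budget."""
    return count_lookups(domain, zone) <= LOOKUP_LIMIT

def split_txt(record: str, limit: int = 255) -> list[str]:
    """Split a record longer than one TXT string into chunks of at most
    255 characters; resolvers concatenate them back into one record."""
    return [record[i:i + limit] for i in range(0, len(record), limit)]

if __name__ == "__main__":
    print("org.example lookups:", count_lookups("org.example"))  # 5
```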

Conclusion

One of the factors in reliable email delivery is a properly set up SPF record. Used carelessly, the "include" and "redirect" terms in an SPF record can easily push the number of DNS lookups past the limit of 10, and the SPF check will fail if you go over this limit.

For help with SPF records and custom email domains, create a free MailSlurp account. MailSlurp is an email API provider that can generate unlimited email addresses on demand for any custom domain. It supports all mail server DNS records such as DKIM, SPF, DMARC and more.