Sender Policy Framework (SPF) records are DNS entries that define the sources that can send emails as your domain. Setting up SPF records is essential because they prevent spammers from pretending to control your domain. Missing or incorrect entries will cause your outgoing emails to be rejected, because they'll appear to originate from an unauthorized source.
SPF is configured using a simple TXT-type DNS record that lists your authorized sending sources. When an email server receives a message with your domain in its sender address, it'll retrieve the domain's SPF record to check that the sending server is included. The message won't be delivered to the recipient's inbox if it fails SPF authentication.
A common query around SPF is whether you can add multiple records to a single domain. This requirement arises when you have several email servers that send as the domain. The short answer is that SPF only supports one DNS record per domain, but that record can identify many different authorized sources. In this article, you’ll learn how to set this up and solve the problems surrounding multiple SPF records.
Can You Have More than One SPF Record?
A domain name must not have multiple records that would cause an authorization check to select more than one record.
An SPF record is a TXT record that targets the domain or subdomain you'll send emails as. Its value must start with v=spf1; email servers match this prefix to identify the DNS entry as your SPF record.
If you have multiple TXT DNS entries that start with this prefix, email servers will immediately stop processing their SPF checks. SPF authentication will always fail, so there will be no servers authorized to send emails as your domain. Your messages will be rejected, which can be confusing to debug.
How to Add Multiple SPF Records?
Fortunately, the SPF spec does support a mechanism that creates the same effect as multiple SPF records. The single record for your domain can identify any number of authorized servers, either by IP address or domain name.
A simple SPF record consists of the v=spf1 prefix, one authorized source, and a closing all term. A record might, for example, authorize the IP address 192.168.0.1 to send as your domain; the -all at the end instructs mail servers to reject emails from sources that haven't been listed.
To authorize an additional server, simply add its entry into the list between the v=spf1 prefix and your closing -all. Now there are two servers that can send email, and messages from either one of them will be accepted.
You can also use the include statement within the list. This instructs mail servers to additionally authorize servers referenced by the SPF record of another domain. It's commonly deployed to import the SPF records of the external mail delivery services you use.
Why Not to Have Multiple SPF Records?
You shouldn't have multiple SPF records because the framework simply doesn't support them. None of the records will work, and you risk all your messages being rejected by mail servers.
Moreover, multiple SPF records are a problem that can be difficult to spot. You won't be automatically alerted to them unless you specifically run an SPF record checker tool. Email delivery will silently fail on the recipient server.
Each SPF record will appear to be valid in isolation. Inexperienced administrators might not be aware that multiple SPF records are unsupported. There's nothing within DNS to stop you from using them, as TXT entries can have arbitrary values.
How to Merge Multiple SPF Records
After discovering multiple SPF records on a domain, you must merge them all together into one record. You can do this using the DNS management controls provided by your domain registrar or hosting platform.
Consider a domain that currently has two independent SPF records. Because there are two separate records, they'll both be ignored by mail servers. To solve this problem, you should create a new record that includes all the sources from both of the originals.
Save the merged record and then delete the two individual ones. Your SPF rules are now valid. They'll take effect next time mail servers look for your SPF configuration, after the DNS change has propagated. This typically takes less than an hour, but could be up to one to two days depending on the record's TTL and the cache lifetimes used by individual mail servers.
Once you've made your change, verify it's been effective by running an SPF record checker tool against your domain. This will retrieve your SPF records, interpret them in the same way as an email server, and flag any errors.
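As an added example (not code from the original article), the following Python reads TXT values in the format that dig prints them, picks out the records that start with v=spf1, and merges them into one record as described above. The names and addresses in the sample are constructed, and keeping the strictest all qualifier found is an assumption about the intended policy.

```python
import re

# Constructed sample of dig's ANSWER SECTION for a domain with two SPF records
# (assumed names and addresses, not real DNS data). The third record is shown
# as two quoted strings, which is how dig prints a TXT value over 255 bytes.
DIG_ANSWER = """\
example.com.\t300\tIN\tTXT\t"v=spf1 ip4:192.168.0.1 -all"
example.com.\t300\tIN\tTXT\t"site-verification=abc123"
example.com.\t300\tIN\tTXT\t"v=spf1 include:spf.example.com" " ~all"
"""

def txt_values(dig_answer):
    """Extract each TXT record's value, joining split quoted strings."""
    values = []
    for line in dig_answer.splitlines():
        if "\tTXT\t" not in line and " TXT " not in line:
            continue
        parts = re.findall(r'"((?:[^"\\]|\\.)*)"', line)
        if parts:
            values.append("".join(parts))
    return values

def spf_records(values):
    """Keep only the values a mail server would treat as SPF records."""
    return [v for v in values if v.lower().split(" ")[0] == "v=spf1"]

QUALIFIER_RANK = {"-": 3, "~": 2, "?": 1, "+": 0}

def merge_spf(records):
    """Merge several SPF records into one: terms keep their order, duplicates are
    dropped, and the strictest 'all' qualifier seen goes last (an assumption)."""
    terms, seen, all_qualifier = [], set(), None
    for record in records:
        for term in record.split()[1:]:  # skip the v=spf1 version tag
            qualifier = term[0] if term[0] in QUALIFIER_RANK else "+"
            if term.lstrip("+-~?").lower() == "all":
                if all_qualifier is None or QUALIFIER_RANK[qualifier] > QUALIFIER_RANK[all_qualifier]:
                    all_qualifier = qualifier
            elif term not in seen:
                seen.add(term)
                terms.append(term)
    tail = [f"{all_qualifier}all"] if all_qualifier else []  # no 'all' means neutral
    return " ".join(["v=spf1", *terms, *tail])

if __name__ == "__main__":
    found = spf_records(txt_values(DIG_ANSWER))
    print(f"{len(found)} SPF record(s) found")
    if len(found) > 1:
        print("merged:", merge_spf(found))
```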
SPF with Multiple Includes - What You Need to Know
SPF records can use the include statement to authorize IP addresses that are defined by another domain's SPF record, as shown in the previous example.
There's an important rule to remember when using include: the total number of DNS lookups made during the entire SPF check cannot be more than ten, excluding the initial request made for your domain's SPF record.
Nested SPF Records
The ten DNS lookups rule applies equally to nested SPF records. A nesting layer occurs whenever you include a server that uses its own include statements within its DNS record.
The spf.example.com domain's SPF record could, for example, contain an include statement of its own. Now, when an SPF check is performed for your domain, the mail server has to process two separate include statements: the one referencing spf.example.com (written into your SPF record) and the one nested inside spf.example.com's own record.
Both of these DNS lookups count against the query's tally. You must be mindful of this when you start using a new email service. If it has a long SPF chain, it could push your record over the permitted ten lookups.
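An added example, not from the original article, that walks include and redirect chains over a constructed in-memory zone and tallies lookups the way a mail server does. It goes slightly beyond the text by also counting the a, mx, ptr and exists mechanisms and the redirect modifier, which cost a lookup each under the same ten-lookup limit, and by failing a domain that carries more than one SPF record; all domain names and addresses are assumed.

```python
MAX_LOOKUPS = 10
# Terms that cost a DNS lookup during evaluation; ip4, ip6 and all are free.
COUNTED = {"include", "a", "mx", "ptr", "exists", "redirect"}

# Constructed in-memory zone data (assumed names and addresses, not real records).
FAKE_DNS = {
    "example.com": ["v=spf1 mx include:spf.example.com include:_spf.mailer.example -all"],
    "spf.example.com": ["v=spf1 ip4:203.0.113.0/24 include:_spf.relay.example ~all"],
    "_spf.relay.example": ["v=spf1 ip4:198.51.100.0/24 a:mail.relay.example -all"],
    "_spf.mailer.example": ["v=spf1 ip6:2001:db8::/32 -all"],
    # Four includes of a chain that costs 3 lookups each: 12 in total.
    "heavy.example": ["v=spf1 " + "include:spf.example.com " * 4 + "-all"],
    # Two SPF records on one name: evaluation must fail with permerror.
    "broken.example": ["v=spf1 ip4:192.0.2.1 -all", "v=spf1 mx -all"],
}

def spf_record(domain, dns):
    """Return the single SPF record for `domain`, or raise as a mail server would."""
    records = [v for v in dns.get(domain, []) if v.lower().startswith("v=spf1")]
    if len(records) != 1:
        raise ValueError(f"{domain}: {len(records)} SPF records found (permerror)")
    return records[0]

def count_lookups(domain, dns, total=0, path=()):
    """Count the DNS lookups an SPF check of `domain` performs, following
    include: and redirect= chains, and raise once the limit is exceeded."""
    if domain in path:
        raise ValueError(f"include loop via {domain}")
    for term in spf_record(domain, dns).split()[1:]:  # skip v=spf1
        name, _, target = term.lstrip("+-~?").partition(":")
        name = name.split("/", 1)[0]  # drop a dual-cidr suffix such as mx/24
        if "=" in name:  # modifier syntax, e.g. redirect=other.example
            name, _, target = name.partition("=")
        if name.lower() not in COUNTED:
            continue
        total += 1
        if total > MAX_LOOKUPS:
            raise ValueError(f"more than {MAX_LOOKUPS} DNS lookups (permerror)")
        if name.lower() in ("include", "redirect"):
            total = count_lookups(target, dns, total, path + (domain,))
    return total

if __name__ == "__main__":
    for name in ("example.com", "heavy.example", "broken.example"):
        try:
            print(f"{name}: {count_lookups(name, FAKE_DNS)} lookups")
        except ValueError as err:
            print(f"{name}: {err}")
```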
Multiple Domains in SPF Records
You can add one or more domains to an SPF record using the a and mx mechanisms, which authorize the addresses that the named domain's DNS records resolve to. A record that uses both permits two different IP addresses to send as your domain:
- The IP address defined by the DNS A record for the named domain.
- The IP address defined by the DNS MX record for the named domain.
Multiple IP Addresses In SPF Records
Similarly, you can specify multiple IP addresses in an SPF record by repeating the ip4 (IPv4) or ip6 (IPv6) tag for each one.
Both forms also support IP address ranges expressed with a netmask.
How to Check For Multiple SPF Records
There are two main ways to check whether you have multiple SPF records:
1. Use an Online Tool
Online SPF record checkers will scan your domain's DNS entries for you. They'll report any errors such as multiple SPF records and provide guidance on how to resolve them.
2. Inspect Your Domain's Records Using dig
You can run the dig command in your terminal (on Mac or Linux) to retrieve the TXT records for your domain.
Look under the ANSWER SECTION of the command's output. It'll list all the TXT records set for your domain. The value of each record is shown within quotations at the end of its line. You have multiple SPF records if there's more than one value that starts with v=spf1.
Multiple SPF Records Have Been Found for My Domain - What Should I Do?
Don't panic! Multiple SPF records are a problem, but it's easy to fix the situation:
- Log in to your domain registrar or hosting platform, where you set your domain's DNS entries.
- Head to the DNS management page for your domain. It'll usually be labeled as "DNS Records," "DNS Entries," or a similar term.
- Navigate to the TXT-type DNS records for your domain.
- Follow the guidance above to merge your multiple SPF records into a single one.
Multiple SPF Records - Do's and Don'ts
Need a handy cheat sheet for multiple SPF records? Here's one ready for you.
Do:
- Merge multiple SPF records into a single record with multiple entries.
- Add as many entries as you need to your single record, including include statements.
- Check that your SPF records are valid using an online tool that parses them by following the same rules as mail servers.
Don't:
- Set up more than one independent SPF record for your domain; it will invalidate them all.
- Use include statements that will result in more than ten DNS lookups during a single SPF check.
- Keep redundant IPs, domains, or include statements in your SPF record, as you could be unintentionally authorizing servers to send email from your domain.
SPF records are one of the three main components of modern email security. They allow mail servers to validate whether incoming messages are trustworthy based on the identity of the sending server. Servers that aren't included in your SPF record are prevented from sending emails that have your domain as their “from” address.
While you can only have one SPF record for your domain, that record can identify multiple authorized servers within its include statements. If you encounter problems with your SPF configuration, check whether you're using more than one record. Until you merge them together, none of the rules will apply.
For help with debugging your SPF rules, try Courier's SPF Record Checker tool. It'll reveal whether your domain's DNS records are correctly configured for successful SPF. Courier is a complete platform for your product communications and in-app messaging, with support for email, in-app chat, SMS, push notifications, and more. You can stop manually configuring your domains for email security and get back to building your application. Sign up today to get started with Courier, or request a demo to learn more.
Author: James Walker