Platform
Docs
Solutions
ContactLog In

Multiple SPF Records - Everything You Need to Know

Sender Policy Framework (SPF) records are DNS entries that define the sources that can send emails as your domain. Setting up SPF records is essential because they prevent spammers from pretending to control your domain. Missing or incorrect entries will cause your outgoing emails to be rejected, because they'll appear to originate from an unauthorized source.

SPF is configured using simple TXT-type DNS records that list your authorized domains. When an email server receives a message with your domain in the "from" line, it'll retrieve the domain's SPF record to check that the sending server is included. The message won’t be delivered to the recipient’s inbox if it fails SPF authentication.

A common query around SPF is whether you can add multiple records to a single domain. This requirement arises when you have several email servers that send as the domain. The short answer is that SPF only supports one DNS record per domain, but that record can identify many different authorized sources. In this article, you’ll learn how to set this up and solve the problems surrounding multiple SPF records.

Can You Have More than One SPF Record?

No. The SPF specification is defined by RFC 7208, which explicitly forbids the setting of multiple SPF DNS records for a single domain:

A domain name must not have multiple records that would cause an authorization check to select more than one record.

An SPF record is a TXT record that targets the domain or subdomain you'll send emails as. Its value must start with v=spf1; email servers match this prefix to identify the DNS entry as your SPF record.

If you have multiple TXT DNS entries that start with this prefix, email servers will immediately stop processing their SPF checks. SPF authentication will always fail, so there will be no servers authorized to send emails as your domain. Your messages will be rejected, which can be confusing to debug.

How to Add Multiple SPF Records?

Fortunately, the SPF spec does support a mechanism that creates the same effect as multiple SPF records. The single record for your domain can identify any number of authorized servers, either by IP address or domain name.

A simple SPF record looks similar to the following:

1 TXT v=spf1 ip4=192.168.0.1 -all

This authorizes the IP address 192.168.0.1 to send as your domain. The -all at the end instructs mail servers to reject emails from sources that haven't been listed.

To authorize an additional server, simply add its entry into the list between the v=spf1 prefix and your closing all exclude:

1 TXT v=spf1 ip4=192.168.0.1 ip4=192.168.0.2 -all

Now there are two servers that can send email. Messages from either one of them will be accepted.

You can also use the include statement within the list. This instructs mail servers to additionally authorize servers referenced by the SPF record of another domain. It's commonly deployed to import the SPF records of the external mail delivery services you use.

1 TXT v=spf1 ip4=192.168.0.1 ip4=192.168.0.2 include:spf.example.com -all

Now the IP addresses 192.168.0.1, 192.168.0.2, and any others defined by the SPF record for spf.example.com can all send emails from your domain.

Why Not to Have Multiple SPF Records?

You shouldn't have multiple SPF records because the framework simply doesn't support them. None of the records will work, and you risk all your messages being rejected by mail servers.

Moreover, multiple SPF records are a problem that can be difficult to spot. You won't be automatically alerted to them unless you specifically run an SPF record checker tool. Email delivery will silently fail on the recipient server.

Each SPF record will appear to be valid in isolation. Inexperienced administrators might not be aware that multiple SPF records are unsupported. There's nothing within DNS to stop you from using them, as TXT entries can have arbitrary values.

How to Merge Multiple SPF Records

After discovering multiple SPF records on a domain, you must merge them all together into one record. You can do this using the DNS management controls provided by your domain registrar or hosting platform.

Consider a domain that currently has two independent records:

1 2 TXT v=spf1 ip4:192.168.0.1 -all TXT v=spf1 include:spf.example.com -all

Because there are two separate records, they'll both be ignored by mail servers. To solve this problem, you should create a new record that includes all the sources from both of the originals:

1 TXT v=spf1 ip4:192.168.0.1 include:spf.example.com -all

Save the merged record and then delete the two individual ones. Your SPF rules are now valid. They'll take effect next time mail servers look for your SPF configuration, after the DNS change has propagated. This typically takes less than an hour, but could be up to one to two days depending on the record's TTL and the cache lifetimes used by individual mail servers.

Once you've made your change, verify it's been effective by running an SPF record checker tool against your domain. This will retrieve your SPF records, interpret them in the same way as an email server, and flag any errors.

SPF with Multiple Includes - What You Need to Know

SPF records can use the include statement to authorize IP addresses that are defined by another domain's SPF record. This was shown in the previous example:

1 TXT v=spf1 ip4:192.168.0.1 include:spf.example.com -all

There's an important rule to remember when using include: the total number of DNS lookups made during the entire SPF check cannot be more than ten, excluding the initial request made for your domain's SPF record.

The example record is acceptable because only one include statement is used. If you tried to write eleven different include statements, your SPF record would be invalid.

Nested SPF Records

The ten DNS lookups rule applies equally to nested SPF records. A nesting layer occurs whenever you include a server that uses its own include statements within its DNS record.

The spf.example.com domain's SPF record could look like the following for example:

1 TXT v=spf1 ip4:123.456.789.123 include:email.example.com -all

Now, when an SPF check is performed for your domain, the mail server has to process two separate include statements:

  1. spf.example.com (written into your SPF record)
  2. email.example.com (included by spf.example.com)

Both of these DNS lookups count against the query's tally. You must be mindful of this when you start using a new email service. If it has a long SPF chain, it could push your record over the permitted ten lookups.

Multiple Domains in SPF Records

You can add one or more domains to an SPF record using a and mx references:

1 TXT v=spf1 a:example.com mx:mail.example.com -all

The example above permits two different IP addresses to send as your domain:

  • The IP address defined by the DNS A-record for the example.com domain.
  • The IP address defined by the DNS MX-record for mail.example.com.

Multiple IP Addresses In SPF Records

Similarly, you can specify multiple IP addresses in an SPF record by repeating the ip4 (IPv4) or ip6 (IPv6) tag for each one:

1 TXT v=spf1 ip4:192.168.0.1 ip6:2001:1:2:3:4:5:6:7 -all

Both forms also support IP address ranges expressed with a netmask:

1 TXT v=spf1 ip4:192.0.2.0/24 -all

How to Check For Multiple SPF Records

There are two main ways to check whether you have multiple SPF records:

1. Use an Online Tool

Online SPF record checkers will scan your domain's DNS entries for you. They'll report any errors such as multiple SPF records and provide guidance on how to resolve them.

2. Inspect your domain's records using dig

You can run the dig command in your terminal (on Mac or Linux) to retrieve the TXT records for your domain:

1 2 3 4 5 6 $ dig TXT example.com ... ;; ANSWER SECTION: example.com. 3600 IN TXT "v=spf1 ip4:192.168.0.1 -all" example.com. 3600 IN TXT "v=spf1 include:spf.example.com -all" ...

Look under the ANSWER SECTION of the command's output. It’ll list all the TXT records set for your domain. The value of each record is shown within quotations at the end of its line. You have multiple SPF records if there's more than one value that starts with v=spf1.

Multiple SPF Records Have Been Found for My Domain - What Should I Do?

Don't panic! Multiple SPF records are a problem, but it's easy to fix the situation:

  1. Log in to your domain registrar or hosting platform, where you set your domain's DNS entries.
  2. Head to the DNS management page for your domain. It'll usually be labeled as "DNS Records," "DNS Entries," or a similar term.
  3. Navigate to the TXT-type DNS records for your domain.
  4. Follow the guidance above to merge your multiple SPF records into a single one.

After you've merged your records, the change will automatically be respected by mail servers.

Multiple SPF Records - Do's and Don'ts

Need a handy cheat sheet for multiple SPF records? Here's one ready for you.

Do

  • Merge multiple SPF records into a single record with multiple entries.
  • Add as many entries as you need to your single record, including ip4, ip6, a, mx, and include statements.
  • Check that your SPF records are valid using an online tool that parses them by following the same rules as mail servers.

Don't

  • Set up more than one independent SPF record for your domain — it will invalidate them all.
  • Use include statements that will result in more than ten DNS lookups during a single SPF check.
  • Keep redundant IPs, domains, or include statements in your SPF record, as you could be unintentionally authorizing servers to send email from your domain.

Conclusion

SPF records are one of the three main components of modern email security. They allow mail servers to validate whether incoming messages are trustworthy based on the identity of the sending server. Servers that aren't included in your SPF record are prevented from sending emails that have your domain as their “from” address.

While you can only have one SPF record for your domain, that record can identify multiple authorized servers within its include statements. If you encounter problems with your SPF configuration, check whether you're using more than one record. Until you merge them together, none of the rules will apply.

For help with debugging your SPF rules, try Courier's SPF Record Checker tool. It'll reveal whether your domain's DNS records are correctly configured for successful SPF. Courier is a complete platform for your product communications and in-app messaging, with support for email, in-app chat, SMS, push notifications, and more. You can stop manually configuring your domains for email security and get back to building your application. Sign up today to get started with Courier, or request a demo to learn more.

Author: James Walker

View More Guides

Build your first notification in minutes

Send up to 10,000 notifications every month, for free.

Get started for free

Email & push notification

Build your first notification in minutes

Send up to 10,000 notifications every month, for free.

Get started for free

Email & push notification

Platform

Users

Content

Channels

Sending

Workflows

Preferences

Inbox

Workspaces

Observability

API Status

Changelog

© 2024 Courier. All rights reserved.