Can a domain name have multiple SPF records? (with how to merge them guide)
Sometimes, you may have an additional email provider that is different from your primary domain name registrar that you want to send your custom domain emails from.
An example of this would be when you want to create a custom email address from your domain using Zoho.
In that case, you would have an SPF record provided by Zoho service in addition to the SPF record you have from the provider you registered your domain name from.
The SPF record is an essential DNS record that you must have to ensure email deliverability for the emails that are sent through your custom domain email.
Now you may be wondering whether you can add these different SPF records as multiple SPF DNS records.
Well,
A domain name cannot have multiple SPF records in its DNS record configuration.
According to the RFC guidelines, a domain name can only have a single SPF record to adhere to the SPF specification standard, avoid any potential compatibility issues with SPF-checking systems, and ensure reliable email authentication and deliverability.
Therefore, you cannot be able to more than one TXT DNS record type in your domain name DNS configuration holding unique SPF record values.
However, that does not mean that you cannot configure your SPF record to be used to verify both your domain name registrar email server and the Zoho mail server.
You can actually!
The solution to verifying multiple email servers to deliver your emails from is to merge your SPF records into one single SPF record that you can add to your domain DNS records list.
This is done using the include mechanism.
The include mechanism allows us to refer to other domain’s SPF record allowing its authorized servers to send email on behalf of your domain name.
So, for our case, we will use the include mechanisms to allow emails to be sent from Zoho servers and your domain registrar servers.
Here’s the example configuration that will we dwell into it later:
v=spf1 include:hostingprovider.com include:zoho.com -all
We are going to look at SPF record mechanisms later in this section.
First, we will look at what an SPF DNS record is, the elements included in a single SPF record, and how to merge multiple SPF records into one DNS record.
Finally, we will look at how to add your newly created SPF DNS record as a TXT DNS record type on Cloudflare.
Let’s dive right in!
What is an SPF DNS record?
An SPF (Sender Policy Framework) record is a DNS record, usually TXT DNS record type, that is used to specify the mail servers allowed to send any emails on behalf of a domain name.
So, if you have a domain name with a particular domain registrar that offers mail serving allowing you to create your own custom domain email such as [email protected], you will need to have an SPF record for emails to be sent from that server.
Here’s how it works:
You purchase a domain name and web hosting from a provider like Namecheap.
You can get yourself affordable domain name + hosting bundle at discounted prices using this link.
You create a custom domain email such as [email protected].
You log in to your custom domain email, usually using your cPanel dashboard.
You compose a new message to send to your friend who uses a @gmail.com email.
When you hit send, the mail server of your hosting provider, which in this case is Namecheap.com, will send the email to the recipient.
The receiving mail server, gmail.com, will check if the SPF record exists or is valid.
If the receiving mail server finds the SPF record, it uses it to verify that the email is coming from the authorized mail server.
If the sending mail server, from namecheap.com matches one of the authorized mail servers for your domain name, it accepts the message.
Your friend is able to receive your message.
However, if the mail server the email is coming from does not match the SPF record or does not exist in the SPF record, then the email will be rejected.
That’s basically how SPF records work.
Now, let’s look at the syntax of an SPF record while explaining the different components that you will need to merge the multiple SPF records that you have.
What is the syntax of an SPF record?
The syntax of a valid SPF record consists of various components that include the mechanism, qualifier, and modifier, which dictate the email authentication policy for a particular domain name.
In general, the syntax of an SPF record looks like this:
v=spf1 mechanism qualifier modifier all
SPF DNS records have the following elements in their syntax:
- SPF mechanisms
- SPF qualifiers
- SPF modifiers
So a typical valid SPF record should look like this:
v=spf1 a mx ip4:192.0.2.1 include:_spf.example.com -all
Here’s the breakdown of the syntax:
- “v=spf1”: This is the required version identifier, indicating the SPF version in use. For SPF version 1, it should always be set to “v=spf1.”
- Mechanisms: Mechanisms specify which mail servers or IP addresses are authorized to send email for the domain. Common mechanisms include “a” (A record), “mx” (MX record), “include” (include SPF record), “ip4” (IPv4 address), “ip6” (IPv6 address), “ptr” (reverse DNS), and more.
- Qualifiers: Qualifiers define the result of an SPF check for a specific mechanism. They appear immediately after the mechanism and indicate how the receiving mail server should interpret the SPF result. Common qualifiers include “+” (Pass), “-” (Fail), “~” (SoftFail), and “?” (Neutral).
- Modifiers: Modifiers are optional components in an SPF record that can adjust the default behavior or control how the SPF check should be processed. Examples of modifiers include “redirect” (redirect SPF processing) and “exp” (provide an explanation for SPF failures).
- “-all” (or other actions): The “-all” mechanism is called the “all” mechanism and represents the default action if none of the previous mechanisms match. It specifies what to do if no authorized servers are found. Common actions are “-all” (Hard Fail, reject the email) and “~all” (Soft Fail, accept but mark as failed).
Let’s look at each component while building a valid SPF record.
So we start with the version identifier.
Open your favorite text editor or MS Word, create a new .txt file, and add the following version identifier line.
v=spf1
Next, we declare the mechanism for our SPF record.
What is a mechanism in the SPF DNS record?
Mechanisms are the main component of an SPF record defining the mail servers or IP addresses that will handle sending of emails for a particular domain.
Examples of mechanisms used in SPF records
Examples of mechanisms used in an SPF record are:
- “a” (A record): Allows the domain’s A record (IPv4 address) to send an email. Example:
v=spf1 a -all
- “mx” (MX record): Allows the domain’s MX record (mail exchanger) to send an email. Example:
v=spf1 mx -all
- “include” (Include SPF record): Refers to another domain’s SPF record, allowing its authorized servers to send email on behalf of this domain. Example:
v=spf1 include:spf.example.com -all
- “ip4” (IPv4 address): Specifies an IPv4 address or a range of addresses authorized to send email. Example:
v=spf1 ip4:192.0.2.1/24 -all
- “ip6” (IPv6 address): Specifies an IPv6 address or a range of addresses authorized to send email. Example:
v=spf1 ip6:2001:db8::/32 -all
In this case, let’s use the a and mx mechanisms to be used when sending an email for our SPF record example.
So, add this to your SPF record file:
v=spf1 a mx
Because we define the “a” and “mx” mechanisms here, we do not need to reenter the IP address for our mail server here.
The A and MX DNS record types that are defined for your domain will be used here.
However, you can also add another specific A record that can be in the format of an IPV4 or IPV6 address.
So, for an IPV4 address, you will have to use the ip4 mechanism:
v=spf1 a mx ip4:192.4.2.1
For an IPV6 address, you will need the ip6 mechanism. You add it like this:
v=spf1 a mx ip4:192.4.2.1 ip6:2001:0db8:85a3:0000:0000:8a2e:0370:7334
Next, we need a qualifier.
What are SPF qualifiers?
Qualifiers in a domain SPF record dictate what happens after the SPF check is completed for a given mechanism.
Qualifiers dictate how the receiving mail server should treat the email from the result of the SPF check.
Example qualifiers used in SPF records
- “+” Pass: The mechanism’s result is a “pass,” meaning the server is authorized to send email. Example:
+
- “-” Fail: The mechanism’s result is a “fail,” meaning the server is not authorized to send email. Example:
-
- “~” SoftFail: The mechanism’s result is a “soft fail,” meaning the server is not authorized, but the email should be accepted but marked as potentially suspicious. Example:
~
- “?” Neutral: The mechanism’s result is “neutral,” meaning no explicit authorization or rejection. Example:
?
Continuing our SPF record example, let’s add a pass action to allow the email server from our hosting provider to be authorized to send emails.
So,
v=spf1 a mx +
In the SPF record above, we have authorized the mail server that has the same IPV4 address as that of the domain’s A DNS record type to send emails.
If you have a shared hosting account, you should use a soft fail due to the shared hosting environment.
v=spf1 a mx ~
Now, that we have the main domain name provider’s mail server, namecheap.com, configured to send emails.
How about if we want to use another mail service such as Zoho to send emails on behalf of our domain name?
Zoho service will also provide its own SPF record for its mail servers to be authorized to send emails on behalf of our domain name.
In that case, we cannot create two SPF records.
The solution?
Merge our existing SPF record to have the ‘include’ component that allows an SPF check for the Zoho mail servers.
In short, we use an additional include
mechanism.
The include mechanism is used for referring another domain’s SPF record as part of the current SPF record. Thus, it allows effective authorization of more than two mail servers to send an email on behalf of the current domain name.
So, your domain name provider’s mail servers and that of Zoho can send emails on behalf of your domain name.
For our SPF record example, we add the following to include Zoho mail servers as one of the authorized servers for our domain:
v=spf1 a mx include:zoho.com ~
By using the “include” mechanism, you can easily combine the email authorization rules from multiple domains and allow them to send emails for your domain without creating separate SPF records.
Finally, for our SPF record, we can include an optional component called the modifier.
What are SPF Modifiers?
SPF modifiers in an SPF record are used to define the default behavior of how an SPF check should be performed.
Modifiers used in SPF records are
- “all” Mechanism: The “all” mechanism represents the default action if none of the previous mechanisms match. It specifies what to do if no authorized servers are found. Example:
v=spf1 a mx -all
will result in a hard fail if the SPF check fails. - “redirect” (Redirect SPF processing): Redirects SPF processing to another domain’s SPF record. Example:
v=spf1 redirect=spf.example.com
- “exp” (Explanation): Provides a human-readable explanation of why the SPF check failed in the “Received-SPF” header of the email. Example:
v=spf1 a mx -exp=example.com
Let me explain a lit bit further with ther “all” mechanism example.
Let’s say the SPF check fails in this scenario.
- SPF Check Fails: When an email is received by the destination mail server, it checks the SPF record of the sending domain (e.g., “YourDomain.com” with the SPF record
v=spf1 a mx -all
).- SPF Mechanisms Evaluated: The mail server evaluates each SPF mechanism from left to right. It checks if the IP address of the sending mail server matches any of the mechanisms.
- No Match Found: In the given example (
v=spf1 a mx -all
), if none of the sending mail servers’ IP addresses match the “a” (A record) or “mx” (MX record) mechanisms, it means no authorized mail servers were found.- “-all” Policy: Since no authorized mail servers were found, and the SPF record ends with the “-all” mechanism, the receiving mail server enforces a strict policy. The “-all” mechanism means “fail” or “hard fail,” indicating that the email should be rejected.
- Email Rejection: As a result, the email fails SPF authentication, and the receiving mail server will likely reject the email. The email may be marked as “Failed SPF” or maybe put into the recipient’s spam folder, depending on the mail server’s configuration.
So, it’s essential to carefully configure your SPF record to include all the authorized mail servers or IP addresses that are allowed to send email for your domain.
If you omit any legitimate sources from the SPF record, it may lead to SPF failures, resulting in email delivery issues.
And that’s how SPF records basically work.
To recap
Can you have two SPF records on the same domain?
You cannot have two SPF records on the same domain name DNS configuration.
What happens if I have too many SPF records?
If you have too many SPF records for a single domain name, you will experience email deliverability issues where none of your emails from your custom domain emails are delivered to the recipient.
Here’s what happens when you have more than one SPF record for one domain name:
- SPF checks will usually lead to SPF PermError or “SPF permanent Error” errors. These errors result from the receiving mail server’s attempts to perform SPF authentication but encountering conflicting or overlapping SPF records.
- Consistent SPF authentication errors will usually impact your email delivery. Emails may be rejected, marked as spam, or discarded by the receiving mail server.
To avoid these issues and guarantee high email deliverability:
- Use a single SPF record for each domain name. You should not have multiple TXT DNS record types holding different SPF record values.
- Merge multiple SPF records when you have SPF records from more than one mail server by using the “include” mechanism.
Here’s how you merge two SPF records into one single SPF DNS record.
How to merge two or more SPF records into one SPF DNS record
You use the ‘include’ mechanism to create a single SPF record that authorizes multiple mail servers to send emails for a particular domain name.
To merge two or more SPF records into a single SPF record, follow these steps:
Step 1: Identify the existing SPF records from your mail-serving hosts
As an example, let’s use Namecheap as the main hosting provider that lets us create unique mail addresses using the cPanel dashboard.
But also, we want to use the Zoho mail service.
So, now we have the SPF record that Namecheap wants us to use:
v=spf1 a mx ~all
And we have the SPF record that Zoho mail service provides:
v=spf1 include:zoho.com -all
The task is to merge these records into one.
Step 2: Identify the SPF mechanisms used for each SPF record
Check the mechanisms that each SPF record is using and extract them into a new file or line. SPF mechanisms come right after the SPF version declaration, v=spf1 as we saw earlier.
So, extract any of the a
(A record), mx
(MX record), include
(include SPF record from another domain), ip4
(IPV4 address), and ip6
(IPV6 address) mechanisms used in each of your SPF records.
So for our Namecheap and Zoho SPF examples, we extract a and mx mechanisms from the Namecheap SPF record and include mechanisms from Zoho.
So we have:
a mx include:zoho.com
Step 3: Determine your SPF policy or use the one provided by your hosting provider by default
Decide on the SPF policy you want to enforce for your domain. For example, you may want to reject emails from unauthorized sources (“-all”) or accept but mark them as potentially suspicious (“~all”).
Especially when you are using a shared hosting service, you can use the soft fail SPF policy.
For our example, we add the SPF policy to the list of mechanisms we identified from each SPF record.
So,
a mx include:zoho.com ~all
Step 4: Create a merged SPF record
From the mechanisms we have identified, create a single SPF record by adding the SPF version declaration.
So, our final SPF record should look like this:
v=spf1 a mx include:zoho.com ~all
Step 5: Update your DNS settings and Test by sending an email
Access your domain DNS management interface and access the DNS tab where you edit the DNS records for your domain.
You can check this article I have written on how to add SPF and TXT records on Cloudflare.
Remove any existing SPF records and add your new SPF record as a TXT DNS record type.
After that, test email deliverability and SPF authentication to ensure that emails from both Namecheap and Zoho are correctly authorized.
And that’s how you merge SPF records.
Is there a limit of 10 SPF DNS lookups?
There is a limit of 10 SPF DNS lookups when evaluating an SPF record of a domain name. The receiving mail server can only perform 10 DNS queries to perform a complete email authentication process.
That includes the mechanisms such as the “include” and the modifier such as “redirect” lookups.
Exceeding this limit will usually result in SPF failures such as PermError and will affect email delivery.
Having a limit to the number of SPF DNS queries helps:
- Enhance Deliverability: By imposing a limit on SPF DNS lookups, receiving mail servers can process SPF checks more efficiently.
- Protect Against Denial of Service Attacks: Denial of Service (DoS) attacks can overload servers with excessive DNS lookups, causing service disruption.
Best practices when using SPF records
- Create and confirm that you have valid SPF records.
- Remove unnecessary include statements in your domain name DNS’ SPF record.
- Use ipv4 or ipv6 mechanisms and remove references to invalid domains
- Don’t use ptr mechanisms as they have been deprecated
- Know your SPF record character limit and avoid creating an SPF record that is longer than 255 characters as specified by the RFC code.
- Don’t exceed 10 DNS lookups for an SPF authentication process.
- Use TXT DNS records to register your SPF DNS record instead of the SPF DNS record type that has been deprecated.
- Keep it simple and short as possible. Avoid adding too many authorized servers.
- Don’t forget to add DKIM and DMARC records
FAQs
Does SPF record allow IP addresses?
SPF records allow the inclusion of IP addresses pointing to main servers. The ip4 mechanism is used for adding an IPV4 address while the ip6 mechanism is used for adding an IPV6 address. With that, the mail server from the IP address specified in either ip4 or ip6 mechanism is authorized to send emails on behalf o the domain name.
What is the longest SPF record?
The longest SPF record is 255 characters in length.
However, if you are getting the “SPF Exceeds Maximum Character Limit” error, it means that you have exceeded the 255-character limit for a single SPF record string.
A solution is to flatten the SPF record by dividing the SPF record into multiple strings, removing “ptr” mechanisms, and removing unnecessary mechanisms such as “include” statements.
… and that’s it!
If you have any questions about SPF records, let me know in the comments.
See ya!