Can You Have Multiple SPF Records? (No — Here's Why)
You can only have one SPF record per domain. Learn what happens with multiple SPF records, how to combine services into one record, and how to stay under the 10 DNS lookup limit.
You've added an SPF record for Google Workspace. Now you're setting up Mailchimp, and their docs say to add an SPF record too. So you create a second one. Suddenly, both stop working.
This is one of the most common SPF mistakes, and it happens because the rule isn't obvious: you can only have one SPF record per domain. Not two, not three -- one.
What Happens When You Have Two SPF Records
The SPF specification (RFC 7208) is clear on this. When a receiving mail server queries your domain and finds more than one TXT record starting with v=spf1, it doesn't pick one or combine them. It returns a permerror -- a permanent error. Both records fail.
That means every email sent from your domain fails SPF authentication. It doesn't matter that each individual record is perfectly valid. Having two is the same as having none, except worse: a permerror actively hurts your reputation with mailbox providers.
A permerror from multiple SPF records affects all email from your domain -- your inbox messages, marketing campaigns, transactional emails, everything. It's not limited to the service you just added.
How to Check If You Have Duplicate Records
Before trying to fix the problem, confirm it exists. Use SPF Record Check to look up your domain. It will tell you if multiple SPF records are published and flag the conflict.
You can also check manually. Look at all the TXT records on your domain and count how many start with v=spf1. If the answer is more than one, you have a problem.
This situation usually happens when:
- A new tool or service asks you to "add" an SPF record, and you create a new one instead of updating the existing one
- Two different team members each add their own SPF record without checking what's already there
- A hosting provider or registrar auto-creates an SPF record, and you add your own on top of it
How to Combine Services Into One SPF Record
The fix is straightforward: merge everything into a single record using include mechanisms. Each third-party service gets its own include, and they all live in one TXT record.
Here's how.
Find all your existing SPF records
Look up every TXT record on your domain that starts with v=spf1. Write down the mechanisms from each one -- the include:, ip4:, ip6:, mx, and a entries.
Combine the mechanisms into one record
Start with v=spf1, list all the mechanisms from both records, and end with a single all mechanism. If one record used -all and the other used ~all, use whichever is stricter (usually -all).
Delete the extra SPF record(s)
Remove every SPF TXT record except the new combined one. This is the step people forget -- adding the merged record without deleting the originals still leaves you with multiple records.
Verify the result
Use SPF Record Check to confirm that only one SPF record exists and that it's valid.
Before and After Example
Say you have these two SPF records on your domain:
v=spf1 include:_spf.google.com -all
v=spf1 include:servers.mcsv.net -all
Both fail because there are two. The combined version is:
v=spf1 include:_spf.google.com include:servers.mcsv.net -all
One record, both services authorized, problem solved.
Keep your authentication in check
Monitor your SPF, DKIM, and DMARC records daily so merge issues and misconfigurations don't slip through.
Watch the 10 DNS Lookup Limit
Combining records is simple when you have two or three services. But as you add more, you'll run into SPF's second big constraint: the 10 DNS lookup limit.
Every include, a, mx, and redirect mechanism triggers a DNS lookup. The SPF specification caps the total at 10 lookups across your entire record chain, including any nested records your includes point to. Exceed this limit and you get another permerror -- which has the same effect as having multiple records.
The ip4 and ip6 mechanisms don't count toward the 10-lookup limit because they don't require a DNS query. If a service gives you dedicated IPs, using ip4 instead of include saves you a lookup.
Here's a rough idea of what common combinations cost:
| Combination | Estimated Lookups | Status |
|---|---|---|
| Google + SendGrid | ~5 | Safe |
| Google + Mailchimp + HubSpot | ~7 | Safe |
| Microsoft + SendGrid + Zendesk | ~6 | Safe |
| Google + Microsoft + Mailchimp + SendGrid | ~9 | Tight |
| Google + Microsoft + Salesforce + SendGrid + Zendesk | ~12 | Over limit |
If you're approaching the limit, you have a few options before things break.
Strategies for Managing Many Services
Remove What You Don't Use
Audit your SPF record at least once a quarter. Tools get added during setup and forgotten when they're retired. That include for a CRM you cancelled six months ago is still burning a DNS lookup.
Replace Includes With IP Addresses
If a service assigns you dedicated sending IPs, you can use ip4 mechanisms instead of include. This drops that service's lookup cost to zero. The trade-off is that you'll need to update your record if those IPs ever change.
Use Subdomains for Different Services
This is the cleanest long-term solution. Instead of funneling everything through your root domain, assign subdomains for different functions:
yourdomain.com-- Employee email (Google Workspace)mail.yourdomain.com-- Transactional email (SendGrid)marketing.yourdomain.com-- Marketing campaigns (Mailchimp)support.yourdomain.com-- Helpdesk (Zendesk)
Each subdomain gets its own SPF record and its own 10-lookup budget. This scales to any number of services without hitting the limit.
Subdomains and DMARC
Subdomain-based sending works well with DMARC relaxed alignment (the default). Messages sent from mail.yourdomain.com will align with a From address at yourdomain.com as long as your DMARC record uses aspf=r.
Subdomains That Don't Send Email
There's a related best practice worth mentioning. If you have subdomains that should never send email, publish an SPF record that rejects everything:
v=spf1 -all
This prevents attackers from spoofing those subdomains. It only takes a moment and closes a gap many domains leave wide open.
Complete Your Email Authentication
Fixing your SPF record is a great start, but SPF alone doesn't fully protect your domain. The three email authentication protocols -- SPF, DKIM, and DMARC -- are designed to work together.
Once your SPF record is merged and validated, set up the other two:
- DKIM adds a cryptographic signature to your outgoing emails. Use DKIM Creator to generate your keys.
- DMARC ties SPF and DKIM together and tells receiving servers what to do when a message fails authentication. Use DMARC Creator to build your policy.
With all three in place, mailbox providers can fully verify that your email is legitimate.
Related Articles
Monitor Your New SPF Record
You've created your SPF record — now make sure it keeps working. The Email Deliverability Suite watches your SPF, DKIM, DMARC, and MX records daily and alerts you when something breaks.
Never miss an SPF issue
Monitor your SPF, DKIM, DMARC and MX records daily. Get alerts when something breaks.
Start Monitoring