How to Add Multiple SPF Records (And Why You Shouldn't)

Quick Navigation
Can You Have Two SPF Records?
Quick Answer: No, a single domain cannot have more than one SPF TXT record. According to RFC 7208, if a mail server encounters multiple SPF records, it returns an "SPF PermError," which typically causes your emails to be rejected or sent straight to the spam folder.
In the evolving landscape of 2026 email security, maintaining a pristine DNS configuration is non-negotiable. Many administrators mistakenly believe that adding a second TXT record for a new service—like moving from Google Workspace to Microsoft 365 or adding a third-party marketing tool—is the correct procedure. However, the v=spf1 syntax error that results from this redundant SPF records approach is a leading cause of global email delivery failure.
When a receiving Mail Transfer Agent (MTA) queries your DNS, it looks for the string starting with v=spf1. If it finds two, it loses the "authority" to decide which one is valid. This leads to a total SPF lookup failure. To ensure your mail remains authenticated, you must maintain a single, consolidated entry that encompasses all authorized IP addresses and third-party includes.
Always check SPF record syntax before pushing changes to your live DNS. In 2025, industry data suggested that nearly 15% of all "Email Bounce Back" issues were directly tied to multiple SPF records existing on a single root domain.
Common Errors When Merging Records
While merging is the solution, it is fraught with technical pitfalls. One of the most frequent mistakes is the "Double Version" error, where the v=spf1 tag appears twice within a single string. This is just as invalid as having two separate records. Another critical issue is exceeding the 10-lookup limit.
Each include:, a, mx, and ptr mechanism triggers a DNS query. If your merged record exceeds ten of these, you will trigger an SPF record check error. In recent 2026 security audits, "Lookup Bloat" has become more common as companies stack too many SaaS platforms (Salesforce, Zendesk, Mailchimp) into a single record without using SPF flattening techniques.
If you have
v=spf1 include:_spf.google.com ~all and v=spf1 include:spf.protection.outlook.com ~all, simply placing them one after another in your DNS management console will break your email authentication for both services.How to Combine Multiple v=spf1 Records
Quick Answer: To combine SPF records, start with the 'v=spf1' prefix, list all authorized mechanisms (IPs and includes) in the middle, and end with a single enforcement tag (like ~all). Never include the version prefix more than once.
The process of consolidation requires a clean SPF record syntax reference to avoid typos. Let’s look at a practical example:
v=spf1 include:_spf.google.com ~all
v=spf1 ip4:192.168.1.1 ~all
# Correct (Combined Record)
v=spf1 include:_spf.google.com ip4:192.168.1.1 ~all
When combining, you must also be mindful of the "All" mechanism. Most modern setups use ~all (SoftFail) or -all (Fail). You cannot have both. Ensure that the most restrictive policy that aligns with your DMARC strategy is placed at the very end of the record.
According to RFC 7208, the evaluation of the SPF record stops at the first match. Strategic ordering—placing your most frequent sending IPs or includes at the beginning—can slightly improve processing efficiency for receiving servers.
First-Person Narrative: How ToolCheckers Saved My Deployment
A few months ago, I was managing a migration for a mid-sized e-commerce client. They were integrating a new CRM while simultaneously transitioning their helpdesk to a different provider. In the rush of the deployment, a junior admin added three separate TXT records for SPF, thinking they were cumulative.
Within an hour, the client’s support tickets exploded. Transactional emails were bouncing, and their email bounce back rate hit 40%. I spent twenty minutes manually parsing DNS strings until I remembered the SPF Checker at ToolCheckers.com.
I plugged in their domain, and the tool immediately flagged a "Multiple SPF Records Detected" error in bright red. It didn't just tell me it was broken; it visually broke down every included mechanism, showing me exactly where the invalid SPF configuration lived. I was able to use the tool's output to generate a single, clean consolidated record. What could have been a 4-hour troubleshooting session was resolved in exactly 90 seconds.
Advanced SPF Management FAQ
1. What is the maximum character limit for an SPF TXT record?
A single TXT record string can have up to 255 characters. However, you can use "string concatenation" to exceed this limit (up to 2048 characters total), provided your DNS provider supports it. Always aim for brevity to avoid lookup errors.
2. Does the order of mechanisms in a merged record matter?
Yes. Mechanisms are evaluated from left to right. It is best practice to place high-volume sending IPs (ip4/ip6) first, as they don't require DNS lookups, followed by 'include' statements.
3. Can I use a CNAME for an SPF record?
Technically, the SPF mechanism 'include' can point to a domain with a CNAME, but the root SPF record itself must be a TXT record. Using CNAMEs for the primary SPF entry is a violation of standards and will cause resolution failures.
4. Why does SPF PermError happen even if I only have one record?
This usually happens due to a syntax error (like a missing space), exceeding the 10 DNS lookup limit, or having nested includes that eventually point back to more than one SPF record.
5. How do I handle the 10-lookup limit when merging multiple services?
Use "SPF Flattening." This process replaces 'include' mechanisms with their underlying IP addresses. This reduces DNS queries but requires regular monitoring as third-party providers change their IPs.
6. Is 'ptr' still a valid mechanism for SPF records?
The 'ptr' mechanism is highly discouraged and deprecated in RFC 7208. It is slow, unreliable, and many modern spam filters ignore it or penalize records that use it.
7. What happens if I use ~all and -all in the same record?
This creates a syntax error. A domain's SPF record should conclude with exactly one "all" mechanism. Including both makes the record ambiguous and invalid.
8. How do subdomains inherit SPF records?
They don't. SPF records do not automatically flow from the root domain to subdomains. If you send mail from marketing.example.com, that specific subdomain must have its own SPF record.
For more information on DNS health, visit reputable sources like ICANN, IETF, or the official documentation at Microsoft Learn.

Ramal Jayaratne
Lead Developer & System ArchitectLead Developer at ToolCheckers, specializing in Python, Django, and System Architecture. With over a decade of experience, Ramal is dedicated to building transparent, high-performance developer tools.