
Merging multiple SPF records into one to avoid the PermError

Adam Lundrigan CTO
Updated April 7, 2026 | Updated for 2026

Quick Answer

Having multiple SPF records for a domain results in a PermError, which indicates a fundamental configuration problem and a violation of the SPF specification. Moreover, multiple SPF records confuse mail servers, triggering false positives and impacting email engagement rates.


“From an engineering perspective, the 10-lookup limit is a resource protection mechanism, not a security feature,” says Adam Lundrigan, CTO of DuoCircle. “RFC 7208 caps lookups to prevent SPF evaluation from becoming a DNS amplification vector. But the practical effect is that any enterprise using more than 3-4 email services hits the wall. The fix is either flattening — which trades lookup count for record length — or macros, which delegate resolution entirely.”

“The 10-lookup limit is the single most common reason enterprise SPF records silently break,” says Brad Slavin, CEO of DuoCircle and founder of AutoSPF. “In our experience managing SPF for 2,000+ customer domains, the failure mode is always the same: a team adds a new SaaS tool, its include pushes the total past 10, and legitimate email starts failing — but nobody notices until a customer complains about missing invoices or password resets.”

Per RFC 7208, SPF evaluation is capped at 10 DNS mechanism lookups and 2 void lookups per check — exceeding either limit produces a PermError that fails authentication for every message from the domain.

SPF requires all mechanisms and qualifiers to be in one TXT record, and that record should stay within the 255-character limit per TXT record string and the 512-byte UDP packet limit. If your SPF record does not meet these requirements, your domain can be vulnerable to phishing and spoofing.

How do you check if your domain has multiple SPF records?

To find out whether your domain has multiple SPF records, query its DNS using tools or commands that retrieve TXT records.

Method 1: Using command line

1. With dig Command (Linux/macOS)

dig TXT yourdomain.com

Look for multiple entries in the output starting with v=spf1. If you see more than one, the domain has multiple SPF records.

2. With nslookup Command (Windows)

nslookup -type=TXT yourdomain.com

Check the output for multiple v=spf1 records.

3. With host Command (Linux/macOS)

host -t TXT yourdomain.com

Similar to dig, inspect the results for multiple SPF records.

Method 2: Using online tools

Tools like MXToolbox SPF Record Lookup or Kitterman can help you check a domain’s SPF records. These tools explicitly flag issues such as multiple SPF records.
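
The manual check from Method 1 can be automated over the output of `dig +short TXT yourdomain.com`. The following is an added example, not code from the original article; the sample output is constructed and the function names are hypothetical. It also handles two cases that are easy to misread by eye: a record split into several quoted strings, and a TXT record that merely starts with similar text such as `v=spf10`.

```python
import re

# Constructed sample of `dig +short TXT yourdomain.com` output (not real data).
SAMPLE_DIG_OUTPUT = '''\
"v=spf1 include:_spf.google.com ~all"
"google-site-verification=abc123"
"v=spf1 include:spf.protection" ".outlook.com ~all"
"v=spf10 this-is-not-spf"
'''

def txt_records(dig_short_output):
    """Join the quoted character-strings on each line into one TXT value."""
    records = []
    for line in dig_short_output.splitlines():
        parts = re.findall(r'"((?:[^"\\]|\\.)*)"', line)
        if parts:
            # RFC 7208 section 3.3: strings are concatenated without spaces.
            records.append("".join(parts))
    return records

def spf_records(records):
    """Keep records whose version is exactly v=spf1 (RFC 7208 section 4.5)."""
    return [r for r in records
            if r.lower() == "v=spf1" or r.lower().startswith("v=spf1 ")]

def check_domain(dig_short_output):
    """Return (status, spf_records); more than one record is a PermError."""
    found = spf_records(txt_records(dig_short_output))
    if len(found) > 1:
        return "permerror", found
    if not found:
        return "none", found
    return "ok", found

if __name__ == "__main__":
    status, found = check_domain(SAMPLE_DIG_OUTPUT)
    print(status)
    for record in found:
        print("  ", record)
```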

Steps to merge multiple SPF records into one

If you detect multiple SPF records for your domain, you need to merge them into one by incorporating all the mechanisms, modifiers, and qualifiers. Merging them doesn’t mean copying and pasting them together into a single string. You have to ensure the proper format is followed and there are no redundancies. Even a single misconfiguration, typo, or incorrect syntax placement can invalidate your entire SPF record, jeopardizing email safety.

A valid SPF record begins with v=spf1 and ends with -all or ~all. Some SPF records end with +all, but that’s never recommended. Using the +all mechanism completely defeats the purpose of deploying SPF because it permits everyone on the internet to send emails from your domain.

Let’s see how to merge SPF records using an example. The domain has this SPF record:

v=spf1 include:_spf.google.com ~all

There is one more SPF record found for this domain:

v=spf1 include:spf.protection.outlook.com ~all

Here’s how you have to merge them into one valid SPF TXT record:

1. Analyze existing SPF records

Take a look at your SPF records and see which servers are allowed to send emails from your domain. Remove obsolete servers and add any missing ones to your SPF record. Doing so ensures your SPF record neither permits unauthorized servers to send emails nor blocks a genuine one.

2. Combine ‘include’ statements

Next, merge all the ‘include’ mechanisms into a single string. Separate multiple ‘includes’ with spaces. Your SPF record will look like this:

v=spf1 include:_spf.google.com include:spf.protection.outlook.com ~all

3. Fix mechanisms that are overlapping

Overlapping mechanisms occur when the same server or range is specified in multiple records, which can lead to unnecessary redundancy or even conflicts. Compare the mechanisms (e.g., include, ip4, ip6, a, mx) in each SPF record. If the same server, IP range, or domain is listed more than once across records, it’s considered redundant. Remove duplicates while ensuring that all authorized senders are still covered. For example, if multiple records include the same IP address or domain, keep it only once in the merged record.

4. Define your SPF record

Decide which SPF mechanism you want to go for. The SPF Soft Fail mechanism is indicated by ‘~all’; it tells the recipients’ mailboxes that emails from servers not listed in the SPF record should be treated with suspicion but not rejected outright. The SPF Hard Fail mechanism is indicated by ‘-all’ and instructs the recipients’ mailboxes to reject such emails. Use the latter only if you are confident in your SPF setup and want to enforce strict email security.

Example:

v=spf1 ip4:192.168.0.1 include:_spf.google.com -all

Here, any email that does not come from 192.168.0.1 or from a server authorized by _spf.google.com will result in a hard fail, and the email will likely be rejected.

5. Publish the merged SPF record

Access your domain’s DNS settings and find the existing SPF record or the option to add one. Replace the old record with the merged SPF record.

Save your changes, but remember that the updates may not take effect on the Internet immediately; they may take up to 72 hours.

6. Verify

Once you have merged multiple SPF record entries into one, it’s time to run it through an online lookup tool. This helps you know if there are any typos, misconfigurations, incorrect placements, redundancies, etc. If any issue is detected, fix it and run the record through the lookup tool again to ensure everything is fine now.
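
Steps 2 to 4 and part of step 6 can be expressed as code. The following is an added example, not code from the original article or from DuoCircle or AutoSPF; the function names are hypothetical. It merges records, drops duplicate terms, appends a single final `all`, and flags the 10-lookup and 255-character limits mentioned earlier. The lookup count covers only the top-level record, so it is a lower bound: nested includes need real DNS resolution to count.

```python
# Terms that each cost one DNS lookup during evaluation (RFC 7208 section 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def term_name(term):
    """'-ip4:192.168.0.1' -> 'ip4', 'mx/24' -> 'mx', 'redirect=x' -> 'redirect'."""
    name = term.lstrip("+-~?").lower()
    for sep in (":", "/", "="):
        name = name.split(sep)[0]
    return name

def merge_spf(records, all_qualifier="~"):
    """Merge v=spf1 records into one, ending in ~all (default) or -all."""
    if all_qualifier not in ("~", "-"):
        raise ValueError("end with ~all or -all; +all authorizes every sender")
    terms, seen = [], set()
    for record in records:
        tokens = record.split()
        if not tokens or tokens[0].lower() != "v=spf1":
            raise ValueError(f"not an SPF record: {record!r}")
        for term in tokens[1:]:
            if term_name(term) == "all":
                continue                      # a single "all" is appended last
            key = term.lower().lstrip("+")    # "+mx" and "mx" are the same term
            if key not in seen:
                seen.add(key)
                terms.append(term)
    return " ".join(["v=spf1", *terms, all_qualifier + "all"])

def lint(record):
    """Flag the limits the article mentions; lookups counted at top level only."""
    problems = []
    lookups = sum(term_name(t) in LOOKUP_TERMS for t in record.split()[1:])
    if lookups > 10:
        problems.append(f"{lookups} lookup terms, limit is 10")
    if len(record) > 255:
        problems.append(f"{len(record)} characters, over 255 for one TXT string")
    return problems

if __name__ == "__main__":
    # The two records from the article's example.
    merged = merge_spf(["v=spf1 include:_spf.google.com ~all",
                        "v=spf1 include:spf.protection.outlook.com ~all"])
    print(merged)
    print(lint(merged) or "no problems found at top level")
```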

Adam Lundrigan, CTO of DuoCircle. Architect of AutoSPF's SPF flattening engine and DNS monitoring infrastructure.
