Having multiple SPF records for a domain results in a PermError, which indicates a fundamental problem with the configuration and a violation of the SPF specification. Moreover, multiple SPF records confuse mail servers, triggering false positives and impacting email engagement rates.
SPF requires all mechanisms and qualifiers to be in one TXT record; each string within that record is limited to 255 characters, and the whole DNS response should still fit within the 512-byte UDP packet limit. If your SPF record breaks these rules, receivers may fail to evaluate it, and your domain can be vulnerable to phishing and spoofing.
How do you check if your domain has multiple SPF records?
To know if multiple SPF records correspond to your domain, you can query the DNS records using tools or commands that retrieve TXT records.
Method 1: Using command line
1. With dig Command (Linux/macOS)
dig TXT yourdomain.com
Look for multiple entries in the output starting with v=spf1. If you see more than one, the domain has multiple SPF records.
2. With nslookup Command (Windows)
nslookup -type=TXT yourdomain.com
Check the output for multiple v=spf1 records.
3. With host Command (Linux/macOS)
host -t TXT yourdomain.com
Similar to dig, inspect the results for multiple SPF records.
Method 2: Using online tools
Tools like MXToolbox SPF Record Lookup or Kitterman can help you check a domain’s SPF records. These tools explicitly flag issues such as multiple SPF records.
Steps to merge multiple SPF records into one?
If you detect multiple SPF records for your domain, you need to merge them into one by incorporating all the mechanisms, modifiers, and qualifiers. Merging them does not mean simply pasting the records together into a single string. You have to ensure the proper format is followed and that there are no redundancies. Even a single misconfiguration, typo, or incorrectly placed mechanism can invalidate your entire SPF record, jeopardizing email safety.
A valid SPF record begins with v=spf1 and ends with -all or ~all. Some SPF records end with +all, but that’s never recommended. Using the +all mechanism completely defies the purpose of deploying SPF because it permits everyone on the internet to send emails from your domain.
Let’s understand how to merge an SPF record using an example-
v=spf1 include:_spf.google.com ~all
There is one more SPF record found for this domain-
v=spf1 include:spf.protection.outlook.com ~all
Here’s how you have to merge them into one valid SPF TXT record–
1. Analyze existing SPF records
Take a look at your SPF records and see which servers are allowed to send emails from your domain. Remove obsolete servers and add any missing ones. Doing so ensures your SPF record neither permits unauthorized servers to send emails nor blocks a genuine one.
2. Combine ‘include’ statements
Next, merge all the ‘include’ mechanisms into a single string. Separate multiple ‘includes’ with spaces. Your SPF record will appear like this-
v=spf1 include:_spf.google.com include:spf.protection.outlook.com ~all
3. Fix mechanisms that are overlapping
Overlapping mechanisms occur when the same server or range is specified in multiple records, which can lead to unnecessary redundancy or even conflicts. Compare the mechanisms (e.g., include, ip4, ip6, a, mx) in each SPF record. If the same server, IP range, or domain is listed more than once across records, it’s considered redundant. Remove duplicates while ensuring that all authorized senders are still covered. For example, if multiple records include the same IP address or domain, keep it only once in the merged record.
4. Define your SPF record
Decide which ‘all’ qualifier you want to go for. The SPF Soft Fail mechanism is indicated by ‘~all’ and tells the recipients’ mailboxes that emails from servers not listed in the SPF record should be treated with suspicion but not outright rejected. The SPF Hard Fail mechanism is indicated by ‘-all’ and instructs the recipients’ mailboxes to reject such emails. Use the latter only if you are confident in your SPF setup and want to enforce strict email security.
Example-
v=spf1 ip4:192.168.0.1 include:_spf.google.com -all
Here, any email not from 192.168.0.1 or _spf.google.com will result in a hard fail, and the email will likely be rejected.
5. Publish the merged SPF record
Access your domain’s DNS settings and find the existing SPF record or the option to add one. Replace the old record with the merged SPF record.
Save your changes, but remember that the update may not take effect across the Internet immediately; DNS propagation may take up to 72 hours.
6. Verify
Once you have merged multiple SPF record entries into one, it’s time to run it through an online lookup tool. This helps you know if there are any typos, misconfigurations, incorrect placements, redundancies, etc. If any issue is detected, fix it and run the record through the lookup tool again to ensure everything is fine now.
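As an added example, not part of the original article, the following Python script applies the detection and merge steps above to constructed TXT data: it finds every v=spf1 string among a domain's TXT records, merges them with duplicate mechanisms removed and a single closing ‘all’, and then checks the result against the 255-character string limit and the RFC 7208 limit of 10 DNS-querying mechanisms. SAMPLE_TXT is constructed; in practice you would feed it the strings returned by the dig or nslookup query shown earlier.

```python
import re

# "all" mechanism with an optional qualifier: +all, -all, ~all, ?all
ALL_RE = re.compile(r"^[+\-~?]?all$", re.IGNORECASE)
# Terms that cost a DNS lookup; RFC 7208 allows at most 10 per evaluation
LOOKUP_RE = re.compile(r"^[+\-~?]?(include:|exists:|redirect=|a$|a[:/]|mx$|mx[:/])",
                       re.IGNORECASE)

# Constructed sample: what a TXT query for a domain with two SPF records might return
SAMPLE_TXT = [
    "google-site-verification=abc123",                 # unrelated TXT record
    "v=spf1 include:_spf.google.com ~all",
    "v=spf1 include:spf.protection.outlook.com ~all",
]

def find_spf_records(txt_records):
    """Return the TXT strings that are SPF records; more than one means PermError."""
    return [r.strip() for r in txt_records if r.strip().lower().startswith("v=spf1")]

def merge_spf(records, final_all="~all"):
    """Merge several v=spf1 records into one: keep first-seen order (SPF evaluates
    left to right), drop duplicate terms, and close with the chosen 'all' qualifier."""
    seen, terms = set(), []
    for rec in records:
        for term in rec.split()[1:]:          # skip the v=spf1 version tag
            if ALL_RE.match(term):
                continue                      # 'all' goes last, exactly once
            if term.lower() not in seen:
                seen.add(term.lower())
                terms.append(term)
    return " ".join(["v=spf1", *terms, final_all])

def check_spf(record):
    """Return a list of problems found in a merged record (empty list means OK)."""
    problems, terms = [], record.split()
    if not terms or terms[0].lower() != "v=spf1":
        problems.append("record does not start with v=spf1")
    if len(record) > 255:
        problems.append(f"{len(record)} chars exceeds the 255-char TXT string limit")
    lookups = sum(1 for t in terms[1:] if LOOKUP_RE.match(t))
    if lookups > 10:
        problems.append(f"{lookups} DNS lookups exceeds the limit of 10")
    if terms and not (ALL_RE.match(terms[-1]) or terms[-1].lower().startswith("redirect=")):
        problems.append("record should end with an 'all' mechanism")
    return problems

if __name__ == "__main__":
    spf = find_spf_records(SAMPLE_TXT)
    print(f"found {len(spf)} SPF record(s)")
    merged = merge_spf(spf)
    print(merged)
    print(check_spf(merged) or "no problems found")
```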