Can I Have Multiple SPF Records on My Domain?


Can you have multiple SPF records on a single domain? The answer is no: a domain MUST NOT have multiple SPF records, otherwise SPF fails with PermError.

An SPF record is a TXT record in the DNS starting exactly with "v=spf1", followed by an array of mechanisms and/or modifiers.

An SPF check starts by fetching all TXT records starting exactly with "v=spf1" on a domain:

  • if no such record is found, it returns None;
  • if multiple such records are found, it returns PermError.

For example, if you have 2 TXT records on yourdomain.com:

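| Record Type | Name           | Value                                    | TTL     |
|-------------|----------------|------------------------------------------|---------|
| TXT         | yourdomain.com | v=spf1 include:_spf.google.com -all      | Default |
| TXT         | yourdomain.com | v=spf1 include:servers.mcsv.net -all     | Default |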

All emails sent on behalf of yourdomain.com will fail SPF authentication with PermError.

To fix this, combine all the mechanisms that cover legitimate IP addresses into a single SPF record, as shown below:

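| Record Type | Name           | Value                                                             | TTL     |
|-------------|----------------|-------------------------------------------------------------------|---------|
| TXT         | yourdomain.com | v=spf1 include:_spf.google.com include:servers.mcsv.net -all      | Default |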
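The record-selection step and the merge fix described above, as an added example that is not part of the original article. The function names and the `google-site-verification` value are constructed for illustration; `merge_spf` assumes simple records without `redirect=` and refuses to guess when the records disagree on the `all` qualifier.

```python
# Added example. TXT values mirror the article's tables; the
# google-site-verification string is a constructed placeholder.
QUALIFIERS = "+-~?"

SAMPLE_TXT = [
    "google-site-verification=constructed-placeholder",
    "v=spf1 include:_spf.google.com -all",
    "v=spf1 include:servers.mcsv.net -all",
]

def spf_records(txt_records):
    """Keep TXT strings whose version section is exactly 'v=spf1'."""
    # The version section ends at the first space or at end of record,
    # so 'v=spf10 -all' is not an SPF record and is discarded.
    return [t for t in txt_records if t.split(" ", 1)[0].lower() == "v=spf1"]

def select_spf(txt_records):
    """Return (result, record) for the record-selection step of an SPF check."""
    found = spf_records(txt_records)
    if not found:
        return ("None", None)        # no SPF record published
    if len(found) > 1:
        return ("PermError", None)   # multiple SPF records
    return ("Selected", found[0])    # evaluation continues with this record

def merge_spf(records):
    """Merge the terms of several SPF records into one record, 'all' last."""
    terms, all_quals = [], set()
    for rec in records:
        for term in rec.split()[1:]:          # skip the 'v=spf1' version
            bare = term.lstrip(QUALIFIERS).lower()
            if bare == "all":
                all_quals.add(term[0] if term[0] in QUALIFIERS else "+")
            elif bare.startswith("redirect="):
                raise ValueError("redirect= cannot be merged mechanically")
            elif term not in terms:           # drop duplicate terms
                terms.append(term)
    if len(all_quals) > 1:
        raise ValueError(f"conflicting 'all' qualifiers: {sorted(all_quals)}")
    tail = [all_quals.pop() + "all"] if all_quals else []
    return " ".join(["v=spf1", *terms, *tail])

if __name__ == "__main__":
    print(select_spf(SAMPLE_TXT))
    merged = merge_spf(spf_records(SAMPLE_TXT))
    print(merged)
    print(select_spf([SAMPLE_TXT[0], merged]))
```

Each `include:` in the merged record still costs a DNS lookup, so check the combined record against the SPF limit of 10 DNS lookups before publishing it.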

For SPF authentication to pass, all these conditions must be met:

Use Safe SPF to fix the SPF PermError: Too Many DNS Lookups issue.

Monitoring SPF records

Because the validity of SPF settings is crucial to SPF authentication success, you might want to receive alerts when an SPF setting is broken, so that you can fix it as soon as possible.

DMARCLY's domain monitoring feature allows you to do exactly that. In order to monitor your domain:

  1. log in to the dashboard;
  2. go to DNS Records => Domains, add your domain;
  3. go to Reporting and Alerts => DNS Alerts, create a recipient with your email.

From now on, if multiple SPF records are found on your domain, you will get an email notification. Nice!

Related question: Can I Have Multiple DMARC Records on My Domain?
