What happens when multiple SPF records exist on a domain?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

Two SPF records on the same domain is an instant permerror. Receivers don't try to merge them. They don't pick the stricter one. They fail SPF outright, and your authentication stops passing until you fix it.

This happens more often than you'd think. Different teams add their own record when they start using a new service, nobody checks what's already published, and suddenly there are two.

Why receivers permerror instead of picking one

The SPF spec (RFC 7208) is explicit: if a domain publishes multiple records starting with v=spf1, the result is permerror. The designers didn't want receivers guessing which record the sender "really meant." Guessing creates security holes. So receivers refuse, and the sender finds out the hard way.

What this breaks for you

  • SPF fails for everyone. Even legitimate senders on your list get dinged.
  • DMARC can't align on SPF. You lose one of the two alignment paths DMARC relies on, and if DKIM is also shaky, DMARC fails too.
  • Reputation takes a quiet hit. Gmail, Outlook, and Yahoo weight authentication heavily. Permerror shows up as "this sender can't get their record right."

How to find and fix it

Paste your domain into our SPF checker. If you have two records, it'll flag both of them with the exact text published at your DNS. That's the fastest way to see the problem.

To fix it:

  1. Copy the mechanisms from both records. Every include:, ip4:, ip6:, a, mx from each record.
  2. Dedupe them. Drop anything that appears in both.
  3. Merge into a single record. One v=spf1 at the start, all mechanisms in the middle, one "all" qualifier at the end (usually -all).
  4. Publish the new record. Delete the two old ones at DNS.
  5. Recheck. Give DNS a few minutes to propagate, then run the checker again.

How to keep it from happening again

Pick one owner for the SPF record (usually IT or deliverability). Any new service that wants to send on your behalf goes through them and gets added to the existing record, not a new one. It's a 30-second habit that prevents a very expensive mistake.

If you're staring at two records and can't tell which mechanisms belong where, the SOS hotline is free.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Merge My SPF Records Safely

I just read the Email Almanac entry on multiple SPF records. Help me check whether my domain has this problem and, if it does, walk through merging the records safely. Walk me through: 1. Whether my domain currently publishes more than one v=spf1 record 2. How to extract every legitimate sender from both 3. How to build a single consolidated record without exceeding 10 lookups 4. How to verify after the fix that receivers now see exactly one record --- My details (fill in what applies): - Sending domain: your domain - Have I confirmed multiple records exist: yes / no / unsure - SPF records I can see (paste if you have them): paste - Active sending providers I need to keep: ESPs, CRMs, Google Workspace, etc. - Who manages DNS: me, IT team, external provider, unsure

Edit the yellow boxes, then send to the AI of your choice.