7-Step Guide to Merging SPF Records: Stop Email Chaos

Author: Vladyslav Podoliako
Published: Mar 24, 2023
Reading duration: 8 min

If you end up asking yourself, "Can I Have Multiple SPF Records on My Domain?", here's your brief answer, skipping the preamble: you can have only one SPF record per domain. Period.

Unfortunately, the inspiring adage "Be more, do more, create more" falls short when it comes to SPF records.

An astonishing 68% of domains grapple with incorrect SPF configurations, even when the intentions are good. But the issue isn't just about incorrect SPF record setup; multiple SPF records can wreak havoc on your deliverability scores and sender reputation, often before you've even identified the root of the problem.

That's where our comprehensive SPF guide comes in handy.

We'll help you navigate the complex landscape of SPF records, offering insights on why multiple records hinder email delivery and how to safely merge multiple SPF records. 

By mastering your SPF record setup, you'll be well on your way to achieving seamless email deliverability and leaving email chaos behind.

The Article Walkthrough: 

1) Identifying multiple SPF records on your domain (using DNS lookup tools and interpreting the DNS lookup results)
2) Consolidating "include" mechanisms
3) Combining "ip4" and "ip6" mechanisms
4) Managing "a" and "mx" mechanisms
5) Implementing the new SPF record
6) Updating your domain's DNS settings
7) Verifying the changes

How You End Up With Having Multiple SPF Records

Let's start with the official source. According to the Internet Engineering Task Force (IETF), in RFC 4408, it is forbidden to have multiple records for the same domain name.

If you create only one record manually or with an SPF record generator, it doesn’t mean you are safe and sound.

It's not uncommon for businesses to accumulate multiple SPF records over time, especially when there are frequent changes in email service providers or third-party applications.


Here are the common reasons why domains end up with multiple SPF records:

  • Lack of proper communication between IT departments and email administrators: A multiple-SPF issue isn't easy to spot unless you know where and when to look. If you fail to establish proper communication between the email admins and the IT department, your campaign may suffer the consequences.
  • There are no pop-ups to warn you when an SPF change comes into play: Your email administrators must notify the IT department about all shifts and updates concerning email service providers. Besides, running an occasional SPF check is a great way to stay out of dangerous waters. That is what a trustworthy SPF checker is designed for.
  • Incomplete or incorrect removal of old SPF records: Since you can't have more than one SPF record active at a time, it is critical to delete the outdated one when you create a new record. It does not matter whether you do it manually or create a new record using a user-friendly and free SPF record generator. Should you fail to do that, the remains of the old record and the new one will start conflicting, and it will ruin your authentication efforts in the blink of an eye. 😔
  • Adding new email service providers without updating the existing SPF records: Multiple SPFs are usually the result of insufficient knowledge of how DNS records work. As you switch to a new email service provider to enhance your outreach, they will bring their own toys. Thus, as new providers implement their records, these get added on top of the existing ones.

The result is easy to guess: your campaign will spiral down the deliverability lane, since recipient servers and spam filters aren't there to play guessing games. Your email fails to be delivered, and it returns with a PermError.

Nobody wants that to happen.

Example of Multiple SPF Records

Let's assume that a business with two email service providers sticks to a single IP address instead of using multiple IPs.

Each provider in use will introduce its own separate SPF record.

These two different SPF records under the same domain will lead to deliverability problems, even though both are meant to provide proper email authentication.

What Happens When You Have Multiple SPF records (and How it Turns Into Email Chaos)

No matter how intimidating the theory sounds, it takes a practical example to showcase all the chaos multiple SPFs can bring to your campaign.

1. Failed SPF authentication and a returned Perm Error

Present-day Email Service Providers (ESPs) do everything possible to secure their users' inboxes. Thus, they put in a lot of time and effort to check whether the message comes from a trusted source. Since no ESP can read conflicting SPF records, it will deem the sending source as untrustworthy and trigger the SPF Perm Error. A permanent error signifies that the authentication's results are unreliable since the domain's published records are impossible to interpret.

2. Increased chances of email delivery failure

All the consequences of multiple SPFs are closely intertwined with one another. Once you receive a Perm Error, your emails will be directed anywhere but the primary inbox. Thus, a delivery failure becomes the most plausible outcome.

3. Domain reputation damage

Another highly likely consequence of multiple SPFs is a compromised domain reputation. As long as your domain authentication process remains compromised, your reputation will continue to decrease. A tarnished domain reputation can further worsen email deliverability issues, potentially harming your business and customer relationships.

How To Merge SPF Records: Step-by-Step Guide

You can't have two separate SPFs under the same domain but can merge them into a single record without compromising the authentication process. 

So, how to combine SPF records without any damage to your deliverability scores? 

There are a few simple steps to take:

1) Identify Multiple SPF Records on Your Domain (Using DNS lookup tools and Interpreting the DNS lookup results)

First things first, you must identify all the SPFs connected to your domain. You can easily do so by running a quick DNS lookup check. All it takes is to provide your domain name and run an SPF record lookup.

If you detect more than one SPF record listed, you must eliminate all but one.

The process may vary depending on the tool, but the 'Delete' or 'Remove' option is usually easy to spot.

Since you can't simply copy/paste one record into another, you must be ready to read and interpret the DNS lookup results. An SPF record is made of mechanisms and modifiers, and some of them trigger DNS lookups: a, mx, include, ptr, exists, and redirect. Each of these elements counts as a single lookup, and you can't have more than 10 of them in the SPF record. If you exceed the limit, authentication will fail.

So, let’s assume you’ve found out you have two SPFs:

v=spf1 include:example1.com -all
v=spf1 include:example2.com -all

2) Consolidating "include" mechanisms

Before you proceed with creating your SPF record (with updated text), it is best to write it out in a text editor so that you can experiment with the TXT without triggering any changes by accident. 

Luckily, the "include" mechanism allows for one domain to designate multiple administratively-independent domains. But take this important advice from Sender Policy Framework (SPF):


So, if you want to allow a third-party service to send messages from your domain, you should add the include mechanism to the record:

v=spf1 include:example1.com include:example2.com -all

3) Combining "ip4" and "ip6" mechanisms

If you need to merge SPFs for multiple IPs, you will have to add ip4 and ip6 mechanisms to the record. As opposed to include mechanisms, they are unlimited, but keep in mind that the length of your SPF record should not exceed 255 characters.

So, what would an SPF with multiple ipv4 addresses look like? Here's a good example:

v=spf1 ip4:64.233.167.99 ip4:11.8.2.5/13 ip6:1080::8:800:200C:417A -all 

This is a perfect way to legitimize any IP address sending email under your domain name. Don't forget to separate your ip4 and ip6 entries with spaces.

NB: IP addresses in the same range can be published with a slash (CIDR notation) so that they don't take up unnecessary record space:

ip4:11.8.2.5/13

4) Managing "a" and "mx" mechanisms

Combining SPF records may seem intimidating as long as you are unsure what each mechanism stands for. Other than that, there is nothing complex about it. Suppose you want only example1.com to send emails from your domain, leaving the example2.com accounts out. In that case, your SPF record would look like this:

v=spf1 a mx include:_spf.example1.com ~all
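
Steps 1 to 4 can be done mechanically. The Python below is an added example, not code from this article or from any SPF tool; `spf_records` and `merge_spf` are hypothetical helper names, the TXT strings are constructed from the article's samples, and keeping the strictest "all" qualifier is an assumption about the policy you want.

```python
# Added example. The TXT strings are constructed from the article's sample records.
STRICTNESS = {"+": 0, "?": 1, "~": 2, "-": 3}   # "all" qualifiers, weakest to strictest

def spf_records(txt_records):
    """Keep only the TXT strings whose first term is the v=spf1 version tag."""
    return [r.strip() for r in txt_records
            if r.strip().lower().split(" ")[0] == "v=spf1"]

def merge_spf(records):
    """Merge SPF records: first-seen order kept, duplicates dropped, one 'all' term."""
    terms, seen, all_q = [], set(), None
    for rec in records:
        for term in rec.split()[1:]:             # skip the version tag
            low = term.lower()
            if low.startswith("redirect="):
                # redirect hands evaluation to another domain and cannot be unioned
                raise ValueError(f"resolve {term!r} by hand before merging")
            if low.lstrip("+-~?") == "all":
                q = low[0] if low[0] in STRICTNESS else "+"
                if all_q is None or STRICTNESS[q] > STRICTNESS[all_q]:
                    all_q = q                    # assumption: strictest policy wins
                continue
            key = low[1:] if low[0] == "+" else low   # "+mx" and "mx" are equivalent
            if key not in seen:
                seen.add(key)
                terms.append(term)
    tail = [all_q + "all"] if all_q else []
    merged = " ".join(["v=spf1", *terms, *tail])
    if len(merged) > 255:                        # length ceiling given in the article
        raise ValueError(f"merged record is {len(merged)} characters, over 255")
    return merged

if __name__ == "__main__":
    txt = ["site-verification=constructed",
           "v=spf1 include:example1.com -all",
           "v=spf1 include:example2.com -all"]
    print(merge_spf(spf_records(txt)))
```

Review the merged string by hand before publishing it: the merge only unions what the old records already authorized, so any sender you meant to retire is still in it.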

5) Implementing the new SPF record

After you've created an SPF record with multiple includes, it is time to make it work.

  • Go to your DNS settings.
  • Paste the merged SPF record in the Content field.
  • Double-check the structure.
  • Save changes.


6) Updating your domain's DNS settings

After you've updated your DNS settings, you may expect the changes to take effect immediately. However, the system sometimes takes around 48 hours to process the changes. The best thing to do is to wait it out.

7) Verifying the changes

Testing the changes before you launch another outreach campaign is never a waste. This is practically repeating step 1. Check your domain name with a reliable checker, and if no issues are coming up, continue with your outreach routine.
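
Step 7 as an offline check, added here as an example and not taken from this article or from any SPF checker: it flags multiple SPF records, the 255-character ceiling, and the 10-lookup limit. `ZONE`, `spf_for`, `count_lookups` and `verify_spf` are hypothetical names and the zone data is constructed; the example goes beyond the text by also counting lookups inside included records, which the SPF specification charges against the same limit of 10.

```python
# Added example. ZONE is constructed sample data standing in for DNS TXT answers.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # the article's list
ZONE = {
    "before.example": ["v=spf1 include:example1.com -all",
                       "v=spf1 include:example2.com -all"],
    "after.example": ["site-verification=constructed",
                      "v=spf1 include:example1.com include:example2.com -all"],
    "example1.com": ["v=spf1 a mx include:_spf.example1.com ~all"],
    "_spf.example1.com": ["v=spf1 ip4:64.233.167.99 -all"],
    "example2.com": ["v=spf1 ip4:11.8.2.5/13 -all"],
}

def spf_for(domain, zone):
    """TXT strings for domain whose first term is the v=spf1 version tag."""
    return [r for r in zone.get(domain, []) if r.lower().split(" ")[0] == "v=spf1"]

def count_lookups(domain, zone, path=()):
    """Count DNS-lookup terms for domain, following include/redirect targets."""
    if domain in path:                      # include loop: stop recursing
        return 0
    total = 0
    for rec in spf_for(domain, zone)[:1]:
        for term in rec.split()[1:]:        # skip the version tag
            body = term.lstrip("+-~?").replace("=", ":", 1)
            name, _, target = body.partition(":")
            name = name.split("/")[0].lower()
            if name in LOOKUP_TERMS:
                total += 1
                if name in ("include", "redirect"):
                    total += count_lookups(target.lower(), zone, path + (domain,))
    return total

def verify_spf(domain, zone):
    """Return a list of problems; an empty list means these checks pass."""
    records = spf_for(domain, zone)
    if len(records) != 1:
        return [f"{len(records)} SPF records published, exactly one is required"]
    problems = []
    if len(records[0]) > 255:
        problems.append(f"record is {len(records[0])} characters, over 255")
    lookups = count_lookups(domain, zone)
    if lookups > 10:
        problems.append(f"{lookups} DNS lookups, over the limit of 10")
    return problems

if __name__ == "__main__":
    for name in ("before.example", "after.example"):
        print(name, verify_spf(name, ZONE) or "OK", count_lookups(name, ZONE))
```

To run it against a real domain, fill the zone dictionary from the TXT answers your DNS lookup tool returns for the domain and for every include target.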

Summing Up: Saying Goodbye to Multiple Records FOREVER!

Now you see that multiple SPF records are a NEVER-DO-IT practice in terms of email deliverability.

However, you can have two SPF records merged into one without compromising your deliverability stats. Merge them into a single, streamlined SPF record to safeguard your reputation and elevate your deliverability rates in the blink of an eye.

Also, the trick is to spot the issue in time, before multiple SPFs manifest themselves through unsatisfactory email campaign results. A regular deliverability check is precisely what you need to fight the problem. Folderly is the most reliable partner you can find to learn how to test email deliverability (and fix it promptly). Make regular deliverability checks an integral part of your strategy, and watch your email performance soar.
