Two SPF records on one domain breaks SPF: how to merge them
· spf · email · dns · deliverability · permerror
RFC 7208 permits exactly one SPF record per domain: a single TXT record whose value starts with v=spf1. If a receiver finds two, it does not pick one or merge them — it returns a permerror, and SPF fails entirely for every message you send. The fix is to merge both records into a single v=spf1 record with one trailing all qualifier.
Why two records is fatal, not additive
People assume DNS will "add up" two SPF records the way it stacks multiple A records. SPF does not work that way. Section 4.5 of RFC 7208 is explicit: a domain that publishes more than one record starting with v=spf1 is a misconfiguration, and the verifier must return permerror.
A permerror is a hard processing failure, not a soft one like ~all (softfail). Most receivers treat it as no SPF pass at all, which leaves DMARC one less mechanism to align on and makes your mail more likely to be quarantined or rejected.
How you end up with two
The usual story: you already have an SPF record for your primary mail, then you onboard a second sender — a marketing platform or a transactional ESP. The provider's setup guide says "add this TXT record," so you create a brand-new record instead of editing the existing one. Now both exist:
example.com. TXT "v=spf1 include:_spf.google.com ~all"
example.com. TXT "v=spf1 include:sendgrid.net ~all"
Both are valid on their own. Together they are a permerror.
Merge into one record
Combine every include:, ip4:, and ip6: mechanism from both records into a single v=spf1 string, then end with exactly one all qualifier. The two records above become:
example.com. TXT "v=spf1 include:_spf.google.com include:sendgrid.net ~all"
Rules when merging:
- Keep only one v=spf1 at the start and one all at the very end.
- Drop duplicate mechanisms. Order is irrelevant, but all must be last.
- Pick the strictest all you can stand behind — ~all (softfail) during rollout, -all (hardfail) once you trust your inventory.
Confirm with one lookup
After you merge to a single record, check that only one comes back:
dig +short TXT example.com | grep v=spf1
Exactly one line should match. If you still see two, you edited one record and left the duplicate behind — a common slip when records live in different DNS panels (registrar vs. proxy).
Watch the 10-lookup limit
Merging two include:-heavy records frequently pushes you past SPF's other hard ceiling: a maximum of 10 DNS lookups during evaluation. Each include:, a, mx, ptr, and redirect counts. Two providers' includes combined can blow that budget and produce a different permerror. If you are near the cap, consider flattening include: chains to ip4:/ip6: ranges — see the lookup-limit post below.
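The merge rules and the lookup check above, as an added Python example (not code from the original post). The function names are hypothetical; it keeps the strictest all found in the inputs, defaults to ~all when none is published, and counts only the merged record's own lookup terms, because nested includes need live DNS to expand.

```python
import re

# Terms that cost a DNS lookup during evaluation: the list given above,
# plus "exists", which RFC 7208 section 4.6.4 also counts.
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")
# Strictness ranking for the final "all": fail > softfail > neutral > pass.
ALL_RANK = {"-": 3, "~": 2, "?": 1, "+": 0}


def split_terms(record):
    """Return the terms after the version tag; raise if this is not SPF."""
    terms = record.strip().strip('"').split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError(f"not an SPF record: {record!r}")
    return terms[1:]


def merge_spf(records):
    """Merge SPF records: deduplicated terms, exactly one trailing all."""
    merged, seen, all_quals = [], set(), []
    for record in records:
        for term in split_terms(record):
            m = re.fullmatch(r"([+\-~?]?)all", term, re.IGNORECASE)
            if m:
                all_quals.append(m.group(1) or "+")  # bare "all" means +all
                continue
            if term.lower().startswith("redirect="):
                # redirect hands evaluation to another domain; no safe auto-merge.
                raise ValueError(f"cannot auto-merge {term!r}; resolve by hand")
            if term.lower() not in seen:
                seen.add(term.lower())
                merged.append(term)
    # Assumption: keep the strictest qualifier any input published,
    # and fall back to ~all (the rollout setting) when none had one.
    strictest = max(all_quals, key=ALL_RANK.get) if all_quals else "~"
    return " ".join(["v=spf1", *merged, strictest + "all"])


def top_level_lookups(record):
    """Count lookup-consuming terms in this record only (no recursion)."""
    count = 0
    for term in split_terms(record):
        name = re.split(r"[:=/]", term.lstrip("+-~?"), maxsplit=1)[0].lower()
        count += name in LOOKUP_TERMS
    return count


if __name__ == "__main__":
    # The two records from the example above.
    print(merge_spf(['"v=spf1 include:_spf.google.com ~all"',
                     '"v=spf1 include:sendgrid.net ~all"']))
```

A top-level count at or near 10 already means trouble, since each include: adds the lookups of the record it points to.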
Further reading
- The SPF 10-lookup limit
- Email deliverability checklist: SPF, DKIM, and DMARC in order
- RFC 7208 — Sender Policy Framework (SPF), section 4.5