Multiple SPF Records on One Domain: How to Merge Them

What This Error Means

A domain must have exactly one SPF record. If your domain publishes two or more TXT records starting with v=spf1, all SPF evaluation fails with a PermError — every email, every recipient, no exceptions. RFC 7208 Section 3.2 is explicit:

A domain name MUST NOT have multiple records that would cause an authorization check to select more than one record.

The one-sentence fix: identify every TXT record starting with v=spf1, merge them into a single record, and delete the extras.

This is one of the most common SPF misconfigurations, and it is completely invisible unless you check. Most DNS management panels accept a second SPF record without warning.

Why It Matters

When a receiving mail server finds multiple SPF records, it does not pick one or merge them. It returns a PermError, which means:

• SPF authentication fails for every email sent from your domain
• DMARC fails for SPF alignment (DKIM can still save DMARC if configured)
• Your domain reputation degrades with every failed authentication

This is worse than having no SPF record at all. A PermError is an explicit failure rather than a neutral result — receiving servers treat it as a stronger negative signal.

How This Happens

Multiple SPF records appear in one of these scenarios:

Adding a New Service Without Checking

An admin adds a new email service (e.g., Mailchimp) and follows the provider's setup guide, which says "add this SPF TXT record." They create a new TXT record instead of modifying the existing one:

# Record 1 (original):
v=spf1 include:_spf.google.com ~all

# Record 2 (newly added — this creates the problem):
v=spf1 include:servers.mcsv.net ~all

Multiple Teams Managing DNS

In larger organizations, different teams (IT, marketing, development) independently add SPF records for their services without coordinating. Each team follows its provider's instructions correctly — the mistake is that nobody checks what already exists.

DNS Migration

When migrating between DNS providers, SPF records from the old provider get duplicated, or both old and new records persist during the transition.

Domain Registrar Auto-Configuration

Some registrars auto-create SPF records when you enable email features, not realizing you already have one.

How to Check

Quick Check

Use the mxio SPF Checker on your domain. If multiple SPF records exist, the tool flags this immediately as a critical error.

Manual Check

Use the mxio TXT Lookup to see all TXT records on your domain. Look for multiple records starting with v=spf1. You should see exactly one.

How to Fix It

Step 1: Identify All SPF Records

List every TXT record on your domain that starts with v=spf1. Note the include:, ip4:, ip6:, and other mechanisms in each.

Step 2: Merge Into a Single Record

Combine all mechanisms from both records into one. The format is:

v=spf1 [mechanism1] [mechanism2] [mechanism3] ... [qualifier]all

Before (broken — two records):

v=spf1 include:_spf.google.com ~all
v=spf1 include:servers.mcsv.net ~all

After (correct — one merged record):

v=spf1 include:_spf.google.com include:servers.mcsv.net ~all

Step 3: Handle the all Mechanism

When merging, use the strictest all qualifier from either record:

In most cases, ~all is appropriate. See SPF ~all vs -all for guidance on choosing between softfail and hardfail.

Step 4: Check the Lookup Limit

After merging, count your total DNS lookups. Each include:, a:, mx:, redirect=, and exists: mechanism counts as a lookup (including nested lookups). The maximum is 10 per RFC 7208.

If your merged record exceeds 10 lookups, see Fix SPF PermError: Too Many DNS Lookups for solutions — or use mxio's Managed SPF to flatten your record automatically.

Step 5: Update DNS

1. Delete all existing SPF TXT records from your DNS
2. Add the single, merged SPF TXT record
3. Wait for DNS propagation (usually a few minutes, up to the TTL of the old records)

Step 6: Verify

Run the mxio SPF Checker again to confirm:

• Only one SPF record exists
• The record is syntactically valid
• All your sending services are included
• The lookup count is within limits

Merge Examples

Google Workspace + Mailchimp + SendGrid

v=spf1 include:_spf.google.com include:servers.mcsv.net include:sendgrid.net ~all

Microsoft 365 + Amazon SES + Salesforce

v=spf1 include:spf.protection.outlook.com include:amazonses.com include:_spf.salesforce.com ~all

Google Workspace + Microsoft 365 (migration)

If you are actively migrating between providers, temporarily include both:

v=spf1 include:_spf.google.com include:spf.protection.outlook.com ~all

Remove the old provider's include once migration is complete.

For domains with complex SPF setups involving many third-party services, mxio's Managed SPF keeps your record optimized automatically — no manual merges, no lookup limit surprises. See our SPF flattening guide for how it works.

Prevention and Ongoing Monitoring

• Document your SPF record — Maintain a list of every service authorized to send email for your domain
• Communicate across teams — Ensure anyone who modifies DNS knows to edit the existing SPF record rather than add a new one
• Monitor your DNS — Set up domain health monitoring to catch duplicate SPF records the moment they appear, before they affect deliverability
• Audit after DNS changes — Run the mxio SPF Checker after every DNS modification

Related Issues

• SPF PermError: Too Many Lookups — Merged records may exceed the lookup limit
• SPF ~all vs -all — Choosing the right enforcement level
• Why Is DMARC Failing? — Multiple SPF records cause DMARC failures
• Emails Going to Spam — SPF errors are a top cause of spam filtering
• SPF Flattening Explained — How SPF flattening solves lookup limit problems