How to Set Up Multiple SPF Includes for Your Domain
Jun 19, 2025
Key Takeaways
- Never use multiple SPF records for the same domain!
- Periodically review all of your senders and update your SPF record accordingly.
- Learn to master the SPF mechanisms include, a, mx, and ip4/ip6 to craft a strong and flexible SPF record.
- Maintain your SPF record below the 10 DNS lookup limit with consolidated includes, manual flattening, or dynamic SPF services.
- Check and maintain your SPF record regularly with online utilities to detect problems quickly and shield your domain from abuse.
- Misconfigured SPF records can cause failed deliveries and heightened risk of spam or phishing, so move to fix problems quickly and safeguard trust in your communications.
Setting up multiple SPF includes means putting several “include” entries in your one SPF record to authorize various services to send email on your behalf. Most companies need this when they use separate tools for marketing, support, or payroll.
Each include counts toward the DNS lookup limit, so too many can break email delivery. Maintaining clean records and staying under the lookup limit prevents massive headaches.
Next, learn how to properly configure it all.
The Single SPF Record Rule
Single SPF record per domain. Not merely best practice—it’s the rule, chiseled in RFC 7208—and it’s not open for discussion. The SPF spec lays it out: a domain gets a single SPF record. Begin stacking up a couple or more and you’ll have a mess on your hands. I think PermError is the technical term, but the practical effect is even nastier—mail servers and spam filters will mark your mail as junk or reject it entirely.
If you want your emails to land in inboxes—you need one, and only one, clean SPF record.
Multiple SPF records aren't a sneaky way to jam more mail sources in. They’re a trap. Say you operate a healthcare group and your DNS host allows you to add a second SPF record for a third-party billing service. That might parse okay in the DNS dashboard, but mail servers will see two SPF records, become confused and most will bomb your SPF check.
Some servers may disregard them both, some might mark your domain as suspicious, and others will simply ditch your emails into oblivion. Best case, your invoices don’t arrive. Worst case, your patients view your emails as spam—or not at all.
All your approved mail sources should be bundled up in that one SPF record. That is, putting all of your valid providers—Salesforce, Microsoft 365, Google Workspace, your email marketing software—in a single line. This isn’t aesthetic. It’s for management. One SPF record is the only way to be certain you’re informing the world precisely who can send mail for you.
If you’re combining old SPF records, combine them. Don’t blindly copy-paste. Check each “include”, “ip4”, and “ip6” record to ensure there’s no omission or overlap.
It’s all about formatting. There’s a 255-character limit per SPF string. If your SPF record gets too long—perhaps because you use a few third-party services—you have to split it, but not into multiple records. Use multiple strings within a single record using the include mechanism, like this: v=spf1 include:service1.com include:service2.com ~all.
Watch the total DNS lookup limit and string length, or you’ll have a different sort of error. That’s why every change or merge or update requires careful planning. Don’t anticipate immediate results. DNS changes take up to 48 hours to ripple through the internet, so update with patience.
Curious if your records are set up correctly? Check out our Email Audit Tool.
Managing Multiple SPF Includes
SPF allows you to specify who is permitted to send email on behalf of your domain. If you use more than one service—say your own mail server, a marketing platform, or helpdesk app—you use the include mechanism to append them all to your SPF record. You only get one SPF record per domain.
Having more than one will break things. Every include, a, mx and a few others count toward your 10 DNS lookup cap. Pass that, and e-mails can begin to bounce. To maintain sanity, combine legit IPs and providers into a clean SPF line.
Here’s a sample bullet list of what to track:
- Your company’s main mail server IPs
- Marketing automation platforms (e.g., Mailchimp, HubSpot)
- Transactional mailers (like SendGrid, AWS SES)
- CRM or support tools (Zendesk, Salesforce)
- Any third-party sender with permission
Maintain the list. Check it if you add, drop or swap a provider. Mind your SPF record size—255 characters per line is the hard limit. If you break it, that can kill your deliverability.
When you update DNS, it can take minutes—or up to 48 hours—to hit everyone.
1. Sender Audit
Begin with a complete audit. Enumerate all of the services, tools and servers permitted to send mail for your domain. Don’t forget the ones using your domain behind the scenes, like auto bill or appointment reminders.
Record their IP addresses and sending domains. If you use a 3rd party service, see if they provide you with an include statement or an IP. Not all providers have to be in your SPF—only the ones sending on your behalf.
Vet them each. If you haven’t used it in months, it likely doesn’t belong. Keep a running list of all senders. This allows you to update your SPF efficiently when things change, and helps you identify anomalies before they become issues.
2. Record Syntax
SPF syntax is very strict. At the core, you’ll have mechanisms like ip4, a and include. Put it all together into one DNS TXT line. Qualifiers—+ for pass, - for fail, ~ for softfail, ? for neutral—establish the tone for how strict your policy is.
Always check your syntax with an SPF validator. One typo or stray space, and you’re invisible. A validator will detect missing qualifiers, broken includes, or a record that’s too long. Better catch it now than after your boss is asking why clients aren’t receiving your emails.
3. The Lookup Limit
Each include counts as a DNS lookup. Pass 10 and your SPF record goes kaput. Plan which senders you include from the beginning. Consolidate includes where possible. Some services publish an aggregate include; use that if they have one.
Watch your SPF’s DNS lookups as you add providers. If you start getting PermError messages, it’s time to trim back. Don’t just pile up includes—force yourself to question if you really need them, and combine IPs when you can.
4. Record Validation
Once you’ve updated your SPF, check it with a checker. Make sure that only the new, merged record is live. Test regularly—especially after provider changes—to stay ahead of delivery problems.
Record each inspection. Logging helps you keep track of what, when and why something changed. It’s not just good hygiene—it’ll save you when someone digs in and demands to know what happened to last month’s vanishing invoices.
5. Ongoing Monitoring
Review your SPF records once per quarter. Automated tools (like iO™ ClickSafe eMail) can catch failures. Dive into your mail logs when stuff looks wonky.
Fix issues fast, and test after each change. Stay proactive—don’t let bad SPF records kill your deliverability.
Consequences of Misconfiguration
SPF records seem easy, but little errors lead to great suffering. By adding several SPF includes and overlooking a detail, you invite an issue that won’t simply irritate your IT team—these can impact your bottom line, tarnish your brand, and stir up problems that keep entrepreneurs awake at night.
Misconfigured SPF records allow anyone to forge emails from your domain. It’s not simply spam—consider phishing, fraud and spoofed emails that appear legitimate enough to dupe even savvy workers. More than half of the world’s top domains can be spoofed. It’s not a rounding error. One strategically misguided phish could cost you money, expose sensitive information, or prompt a compliance audit that makes you regret choosing this career.
In 2023, almost $3 billion disappeared due to careless email configurations. These are not hypothetical risks. Authentication failures cause a different level of hurting. When your emails can’t demonstrate they’re authentic, mailbox providers become nervous. They begin sending your messages to the spam folder, or even more sinister, blocking them entirely.
If your business relies on email to close deals or book appointments or send invoices, every lost message is money down the drain. For B2B companies, one lost email can be worth thousands, and most will never even know it occurred. Deliverability tanks, ROI drops, and you’re left scratching your head wondering why your pipeline’s gone silent.
Here’s a checklist to help you spot the fallout from SPF misconfigurations:
- Increased Spam and Phishing Attacks: Fake emails get through, putting your clients and staff at risk.
- Legit Emails Marked as Spam: Deals, invoices, or urgent messages never reach the inbox.
- Lost Revenue: One blocked or missed email can kill a big deal.
- Domain Reputation Damage: Providers start to distrust your domain, making recovery slow and tough.
- Compliance Nightmares: Data breaches or fraud can lead to audits, fines, and public embarrassment.
- Multiple SPF Records: More than one SPF record? Now you’re nearly certain to cause problems, because most servers will fail both and tag everything as suspicious.
Advanced measures count. Verify your SPF record after each modification. Utilize syntax or overlap testing tools. Repair problems quickly — don’t wait for a customer or regulator to discover them.
Make SPF a living part of your security routine, not a “set it and forget it” checkbox.
Decoding SPF Mechanisms
SPF records dictate what servers can mail on your behalf. Mess it up, and your emails can bounce or become spam. Each mechanism — such as include, a, mx and ip4 — operates differently to authorize trusted senders. Intermingling mechanisms allows you to construct an SPF that supports your commercial requirements. Each decision carries a trade-off.
Remember, one SPF record per domain, anytime. If you try to add more, prepare for problems. Also, beware the 10-lookup limit, or your mail could get blocked by something so simple!
The include Mechanism
Use include to allow third-party services to send mail for you. If your business uses Google Workspace and a marketing platform, your SPF might look like: v=spf1 a include:_spf.google.com include:mailgun.org -all.
Before you add an include, verify the domain you’re referencing (such as _spf.google.com) has a valid SPF record to begin with. If theirs is broken, your domain's SPF breaks. Every include causes a DNS lookup, so pile too many on and you’ll reach the 10-lookup threshold quickly.
This is a classic multiple-vendor mistake. Check your included services a couple of times a year. If you’ve abandoned a tool, cut out the include—dead weight can cost you points.
The a Mechanism
The a mechanism authorizes the IP addresses in your domain’s A record to send mail. So for example, if example.com resolved to 203.0.113.5, then any mail from that IP passes SPF.
Update your A records and ensure they only point to mail servers you manage. If you operate a website and mail from the same server, a comes in handy. If you host your site somewhere else, think again.
Combine a with other mechanisms such as include or ip4 for a multi-layered SPF. Mind your DNS changes—someone hijacking your A record could spoof your mail.
The mx Mechanism
By including mx, you mean any IP designated by your MX records can send mail. If your domain’s MX directs to your mail provider, you’re in luck.
Don’t think your MX host is good for all your email—transactional mail typically originates elsewhere. Mix mx with include / ip4 for best effect. Verify your MX records when you switch providers.
A bad MX can lead to lost mail, late mail, or wide open doors for spammers!
The ip4/ip6 Mechanisms
Use ip4 and ip6 to pin SPF to addresses. Enumerate your mail servers’ public IPs. Eliminate any IPs you don’t use anymore. Keep this list lean — fewer IPs, less risk.
Beyond the 10-Lookup Limit
The 10-lookup limit in SPF records is a firm limit, not a recommendation. It’s there to prevent attackers from leveraging your DNS for DoS or other shenanigans, and to reduce the strain on DNS servers. If your SPF set-up tips over ten DNS-querying mechanisms (such as multiple “include” statements), you’ll hit a wall.
The result? "SPF PermError: too many DNS lookups"—your emails could bounce or land in spam, and you’ll have a deliverability headache no caffeine can fix. This cap is particularly hard for businesses with numerous third-party senders. Staying underneath it is absolutely mandatory if you want your emails to hit inboxes.
Method | Description | Lookup Impact |
---|---|---|
Manual Flattening | Convert includes to IPs in the record | Reduces lookups |
Dynamic SPF Services (like iO™ ClickSafe eMail) | Automate and optimize SPF entries | Stays within limits |
Periodic Review (use the Input Output SPF Checker) | Remove unused or legacy includes | Controls bloat |
SPF Subdomain Delegation | Spread senders across subdomains | Spreads lookups |
Manual Flattening
Flattening means you abandon the endless chain of includes and instead extract all the distinct IP addresses that your vendors use. You include these IPs directly in your SPF record. This reduces DNS lookups since the server doesn’t have to go on a wild goose chase after all the includes – everything is spelled out.
It seems straightforward, but it’s a pain. You have to pursue each 3rd party sender’s active IPs, copy them in, and here’s the kicker—repeat this step whenever one of those providers adds or drops an IP. Otherwise, you’ll risk breaking email delivery or exposing yourself to SPF failures when an IP changes out from under you.
Small teams can get away with a spreadsheet, but if you’re using more than a handful of services, this can become a full-time job.
Dynamic SPF Services
Some people forego the grunt work and employ dynamic SPF services. These tools automate the flattening process, do IP changes on the fly, and keep your SPF record lean and compliant. They can detect when you’re near the lookup limit and super-optimize by pruning or rotating records.
They don’t come free, but for businesses managing a plethora of cloud apps—say, marketing, billing and CRM—it’s a reasonable exchange. You have far less risk of encountering a PermError, and your IT staff can rest easy.
Even so, they’re worth watching. As with any automation, if something breaks you want to know before your e-mails start bouncing. Balance the expense and convenience against the danger and labor of DIY.
SPF Flattening Techniques
SPF flattening is essentially unfolding all domain includes into one IP list. This keeps the end record neat and quick—no more hunting down DNS records at send time. The fewer lookups, the safer you are from both PermError and the 2-void lookup ceiling, which is there to prevent inadvertent denial-of-service attacks.
Here’s the rub. Flattened IPs can go stale if you’re not monitoring changes from your providers, so establish a review schedule.
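
A review pass over a flattened record can be automated along these lines. This is an added example, not code from the original article: it compares the networks in a published flattened record against the ranges each vendor currently publishes, rebuilds the record, and splits it into strings of at most 255 characters for a single TXT record. CURRENT and PUBLISHED are constructed sample data, and the vendor ranges are assumed to have been resolved from DNS already.

```python
import ipaddress

# Constructed data: ranges each vendor currently publishes behind its include
# (assumed already resolved from DNS; names and ranges are illustrative).
CURRENT = {
    "_spf.mail.example": ["198.51.100.0/24", "2001:db8:10::/48"],
    "_spf.crm.example": ["203.0.113.128/25"],
}
# Constructed flattened record as it was published at the last review.
PUBLISHED = "v=spf1 ip4:198.51.100.0/24 ip4:192.0.2.0/24 ip4:203.0.113.128/25 -all"

def networks_in(record):
    """Extract the ip4/ip6 networks from a flattened SPF record."""
    nets = set()
    for term in record.split()[1:]:
        name, _, value = term.lstrip("+-~?").partition(":")
        if name.lower() in ("ip4", "ip6"):
            nets.add(ipaddress.ip_network(value, strict=False))
    return nets

def vendor_networks(current):
    """All networks the vendors publish today, de-duplicated."""
    return {ipaddress.ip_network(n, strict=False)
            for nets in current.values() for n in nets}

def covered(net, pool):
    """True if net lies inside some network of the same IP version in pool."""
    return any(net.version == p.version and net.subnet_of(p) for p in pool)

def drift(published, current):
    """missing: vendor ranges the record no longer authorizes (mail will fail).
    stale: ranges the record authorizes that no vendor publishes any more."""
    have, want = networks_in(published), vendor_networks(current)
    return {
        "missing": sorted(str(n) for n in want if not covered(n, have)),
        "stale": sorted(str(n) for n in have if not covered(n, want)),
    }

def flatten(current, policy="-all"):
    """Build one flattened record from the vendors' current ranges."""
    nets = sorted(vendor_networks(current), key=lambda n: (n.version, n))
    return " ".join(["v=spf1"] + [f"ip{n.version}:{n}" for n in nets] + [policy])

def txt_strings(record, limit=255):
    """Split one record into TXT strings of at most `limit` characters.
    Receivers join the strings with nothing in between, so each separating
    space is kept at the start of the following string."""
    chunks, cur = [], ""
    for i, term in enumerate(record.split(" ")):
        piece = term if i == 0 else " " + term
        if cur and len(cur) + len(piece) > limit:
            chunks.append(cur)
            cur = ""
        cur += piece
    return chunks + [cur]

if __name__ == "__main__":
    print(drift(PUBLISHED, CURRENT))
    print(txt_strings(flatten(CURRENT)))
```

A non-empty "missing" list means legitimate mail from that vendor range will fail SPF until the record is republished; a non-empty "stale" list means the record still authorizes addresses no current vendor claims.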
Ensuring Deliverability
If you hit the lookup wall, some mail servers will stop you cold. The rest jam your emails into spam. Neither is good.
Cut unnecessary includes, audit sender lists frequently, and employ third-party tools if your headcount or complexity requires.
A Smarter SPF Approach
A smarter SPF approach is a collaborative effort, in which you work with, not against, the constraints and idiosyncrasies of the SPF protocol. The tired trick of piling SPF records on a domain is a highway to mail pain—rejected messages, spam stamps, or the ultimate nightmare, a Gmail inbox that never sees your crucial messages. SPF is strict: one domain, one SPF record. Any more, and you’ve sent your messages on a one-way trip to the spam folder.
The way out isn’t more SPF records, but one damn good, well-built record that does the heavy lifting. That single SPF record needs to juggle a lot: cover all your email-sending services, stay under the 255-character limit, and keep the DNS lookups below 10. Every time you add an include: for a new service, you eat into that lookup count. Go over 10 and your SPF snaps–no heads up, just emails lost or dropped in spam.
Consider a healthcare company using Google Workspace, Salesforce, and a third-party newsletter tool. Instead of slapping on three SPF records, they build one record with three include: lines, plus the right IPs. That way, each service is protected, and your record remains slim. This becomes manageable with the appropriate tools.
There are free and paid SPF wizards that allow you to construct, test and validate your SPF record, alerting you if you’re near the DNS or character limit. These tools help identify errors before they wreak havoc. For instance, certain services allow you to paste in your SPF record and then report how many DNS lookups it provokes. If you’re near the threshold, try subdomains, e.g. mail.example.com for one provider and news.example.com for another. This bypasses the DNS lookup limit as each subdomain has its own SPF record.
It’s not only about the records. SPF functions optimally with aligned parties. Tech, marketing and ops have to talk. If Group A introduces a new mail platform but neglects to revise the SPF, mail gets lost—sometimes silently.
Periodic audits are essential. Establish a policy to audit and update SPF records any time there’s a new vendor, platform or system change. Make SPF part of your new-tool onboarding checklist. Education is important as well. The policies and best practices change, so keep your team up to date.
Brief workshops or cheat sheets can really make the difference. Staying smart on SPF is like brushing teeth – neglect it, and issues accumulate quickly.
Conclusion
Managing SPF may sound like a hassle initially, but it really only requires a straightforward strategy and some determination, and a little understanding of SPF record syntax.
Just remember, stay with a single SPF record per domain, watch those lookup limits, and trim the dead weight out of your list. Or make things even easier by using tools (like iO™ ClickSafe eMail) to make SPF management easy and pain free.
Frequently Asked Questions
What is the single SPF record rule?
You can only publish one SPF record per domain. More than one SPF record leads to validation errors and breaks email authentication.
How can I manage multiple SPF includes?
Merge all needed “include” mechanisms into one SPF record. This avoids mistakes and keeps within policy limits.
What happens if I exceed the SPF 10-lookup limit?
SPF records with more than 10 DNS lookups fail auth. Emails could be rejected or spammed.
Why is proper SPF configuration important?
SPF setup makes sure emails coming from your domain are trusted. It reduces spoofing, phishing and delivery problems.
What are SPF mechanisms and how do they work?
SPF mechanisms specify which mail servers may send messages for your domain. Popular mechanisms are ip4, ip6, include and all.
What should I do if I need more than 10 SPF includes?
Flatten your SPF to cut down on DNS lookups. Flattening swaps include mechanisms for IP addresses. You can also easily leverage the iO™ ClickSafe eMail management tool to make setting up and maintaining your SPF record a cinch.
Can misconfigured SPF records affect email deliverability?
Absolutely yes! Obviously misconfigured SPF records can result in rejected or spammed mail. Be sure to check and validate your SPF record. You should also check your DKIM and DMARC settings to be sure they are correct as they can affect deliverability as well - especially with the recent DMARC requirement changes.