When troubleshooting SPF-related email rejections, I recently encountered a domain with two separate TXT records containing SPF information:
foosender.com. 14039 IN TXT "v=spf1 include:spf.foo1.com -all"
foosender.com. 14039 IN TXT "v=spf1 include:_spf.bob.foo2.com -all"
This configuration is problematic because:
- RFC 7208 allows exactly one SPF record per domain; a conformant validator that finds two returns "permerror" and evaluates neither include
- Older or lenient validators that simply take the first "v=spf1" record ignore the second one, so mail sent through _spf.bob.foo2.com fails
- Both records end in -all (hard fail), so whichever path a receiver takes, legitimate senders end up with a fail or a permerror rather than a pass
The Sender Policy Framework specification (RFC 7208) is explicit about this. Section 3 says that a domain name MUST NOT have multiple records that would cause an authorization check to select more than one record, and section 4.5 defines what a validator does when it finds them anyway:
"If the resultant record set includes more than one record, check_host() produces the "permerror" result."
Here's what happens during evaluation:
1. The validator queries TXT for the domain and the resolver returns every TXT record in the set
2. Records whose version section is not "v=spf1" followed by a space or the end of the record are discarded (a "v=spf10" record or a site-verification token does not match)
3. If no record remains, the result is "none"
4. If more than one record remains, the result is "permerror"
5. Exactly one remaining record is evaluated left to right until a mechanism matches
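The selection rule above, written out as an added example for this page (not code from the original post). It runs offline on constructed `dig +short txt` output; the domain names, the made-up verification token and the split-string record are assumptions used only as sample input. In practice you would pipe the real dig output into `parse_dig_short_txt`.

```python
"""Pick the SPF record out of a TXT record set the way RFC 7208 section 4.5 does.

Added example for this page, not part of the original post. It runs offline on
constructed `dig +short txt` output; pipe real dig output in to use it for real.
"""
import re

SPF_VERSION = "v=spf1"

# One double-quoted character-string, with backslash escapes as dig prints them.
_QUOTED_STRING = re.compile(r'"((?:[^"\\]|\\.)*)"')


def parse_dig_short_txt(output: str) -> list[str]:
    """Turn `dig +short txt <domain>` output into one Python string per TXT RR.

    dig prints each RR on its own line as one or more quoted strings. RFC 7208
    section 3.3 requires those strings to be concatenated with no added spaces
    before the record is interpreted, so a record published as
    "v=spf1 include:a.example " "include:b.example -all" is a single record.
    """
    records = []
    for line in output.splitlines():
        chunks = _QUOTED_STRING.findall(line)
        if not chunks:
            continue  # blank line or something that is not a TXT RR
        unescaped = [c.replace('\\"', '"').replace("\\\\", "\\") for c in chunks]
        records.append("".join(unescaped))
    return records


def is_spf_record(txt: str) -> bool:
    """True when the version section is "v=spf1" ended by a space or end of record.

    RFC 7208 section 4.5: "v=spf10" or "v=spf1x" do not match and are discarded.
    The ABNF literal is case-insensitive, so "V=SPF1" is accepted as well.
    """
    low = txt.lower()
    return low == SPF_VERSION or low.startswith(SPF_VERSION + " ")


def select_spf_record(txt_records: list[str]) -> tuple[str, list[str]]:
    """Apply the record-selection rule of RFC 7208 section 4.5.

    Returns ("none", []) when no SPF record exists, ("permerror", records)
    when more than one exists, and ("ok", [record]) when exactly one does.
    """
    candidates = [r for r in txt_records if is_spf_record(r)]
    if not candidates:
        return "none", []
    if len(candidates) > 1:
        return "permerror", candidates
    return "ok", candidates


# Constructed dig output mirroring the foosender.com case: two SPF records
# plus an unrelated verification token (all values are made up).
DIG_TWO_SPF_RECORDS = (
    '"v=spf1 include:spf.foo1.com -all"\n'
    '"v=spf1 include:_spf.bob.foo2.com -all"\n'
    '"site-verification=not-an-spf-record"\n'
)

# Constructed dig output for the consolidated record, published as two
# character-strings inside a single TXT RR (note the trailing space).
DIG_ONE_SPLIT_RECORD = (
    '"v=spf1 include:spf.foo1.com " "include:_spf.bob.foo2.com -all"\n'
)

if __name__ == "__main__":
    for label, output in (("two records", DIG_TWO_SPF_RECORDS),
                          ("one split record", DIG_ONE_SPLIT_RECORD)):
        status, records = select_spf_record(parse_dig_short_txt(output))
        print(f"{label}: {status} {records}")
```

The two-record set comes back as "permerror", and the split record is reassembled into one "v=spf1 ... -all" string before the version check, which is why a record that spans several quoted strings is not a duplicate.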
The domain should consolidate all SPF mechanisms into a single TXT record:
foosender.com. IN TXT "v=spf1 include:spf.foo1.com include:_spf.bob.foo2.com -all"
Key benefits of this approach:
- All authorized senders are accounted for in a single evaluation
- One consistent fail policy (-all) applies to everything that is not listed
- Validators return a definite pass or fail instead of permerror, so receivers behave predictably
One caveat: merging records does not shrink the lookup budget. Both include mechanisms, plus whatever they include in turn, count toward the 10-DNS-lookup limit of RFC 7208 section 4.6.4, so check the total after consolidating.
Use these commands to test your SPF setup:
# Linux/macOS
dig +short txt foosender.com | grep "v=spf1"
# Windows
nslookup -type=txt foosender.com
# Online tools
Kitterman SPF record tester (https://www.kitterman.com/spf/validate.html)
MXToolbox SPF Checker (https://mxtoolbox.com/spf.aspx)
When testing, watch for these warning signs:
- More than one TXT record starting with "v=spf1" (permerror under RFC 7208)
- Records that disagree on the final qualifier (one ends in ~all, another in -all), which means the intended policy was never decided
- More than 10 DNS-querying terms in total (include, a, mx, ptr, exists, redirect), counted through every nested include
Beyond multiple records, these configuration errors frequently cause delivery problems:
// BAD: 11 includes exceed the 10-DNS-lookup limit (permerror), before counting the lookups inside each include
v=spf1 include:spf1.example.com include:spf2.example.com
include:spf3.example.com include:spf4.example.com
include:spf5.example.com include:spf6.example.com
include:spf7.example.com include:spf8.example.com
include:spf9.example.com include:spf10.example.com
include:spf11.example.com -all
// BAD: include placed after -all is never evaluated; evaluation stops at the first matching mechanism
v=spf1 a mx ip4:192.0.2.1 -all include:spf.protection.outlook.com
// BAD: no all mechanism; senders not listed get a neutral result, which is effectively no policy
v=spf1 ip4:192.0.2.1 include:spf.example.com
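An offline lint that catches the three errors above plus a couple of related ones, added here as an example for this page (not code from the original post). It tokenizes one SPF record, counts the DNS-querying terms against the RFC 7208 section 4.6.4 limit, and flags terms after `all`, a missing `all`, `+all`/`?all`, `ptr`, and unknown mechanisms. The sample records are constructed and mirror the BAD records discussed above; the example.com hostnames are placeholders. It does not fetch and recurse into `include:` or `redirect=` targets, so the real lookup count can only be higher than what it reports.

```python
"""Offline lint for a single SPF record: syntax-level checks from RFC 7208.

Added example for this page, not part of the original post. Top-level only:
include/redirect targets are not fetched, so the reported lookup count is a
lower bound on the real one.
"""
import re

# Mechanisms and modifiers that cost a DNS query; RFC 7208 section 4.6.4
# caps these at 10 per check_host() evaluation, nested includes included.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10
KNOWN_MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}
# Modifiers use name=value; mechanisms use name[:arg][/cidr].
_MODIFIER = re.compile(r"^([a-z][a-z0-9_.-]*)=(.*)$", re.I)


def tokenize(record: str) -> list[tuple[str, str, str, str]]:
    """Split an SPF record into (qualifier, kind, name, argument) terms."""
    fields = record.split()
    if not fields or fields[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: " + record)
    terms = []
    for raw in fields[1:]:
        qualifier = "+"  # default qualifier per RFC 7208 section 4.6.2
        if raw[0] in "+-~?":
            qualifier, raw = raw[0], raw[1:]
        m = _MODIFIER.match(raw)
        if m:
            terms.append((qualifier, "modifier", m.group(1).lower(), m.group(2)))
        else:
            name, _, arg = raw.partition(":")
            name = name.split("/", 1)[0]  # "a/24" -> "a"
            terms.append((qualifier, "mechanism", name.lower(), arg))
    return terms


def lint_spf(record: str) -> dict:
    """Return {"lookups": n, "findings": [...]} for one record."""
    findings = []
    lookups = 0
    seen_all = False
    has_terminator = False  # an "all" mechanism or a redirect= modifier
    for qualifier, kind, name, _arg in tokenize(record):
        if seen_all:
            findings.append(f"'{name}' follows 'all' and is never evaluated")
        if kind == "mechanism" and name not in KNOWN_MECHANISMS:
            findings.append(f"unknown mechanism '{name}' (permerror)")
        if name in LOOKUP_TERMS:
            lookups += 1
        if name == "ptr":
            findings.append("ptr SHOULD NOT be used (RFC 7208 section 5.5)")
        if name == "all":
            seen_all = has_terminator = True
            if qualifier == "+":
                findings.append("+all authorizes any host to send as this domain")
            elif qualifier == "?":
                findings.append("?all gives unlisted senders a neutral result (no policy)")
        if name == "redirect":
            has_terminator = True
    if lookups > MAX_LOOKUPS:
        findings.append(
            f"{lookups} DNS-querying terms exceed the limit of {MAX_LOOKUPS} (permerror)")
    if not has_terminator:
        findings.append("no 'all' or redirect=: unlisted senders get neutral (effectively ?all)")
    return {"lookups": lookups, "findings": findings}


# Constructed records mirroring the BAD examples above and the consolidated fix.
TOO_MANY_INCLUDES = (
    "v=spf1 " + " ".join(f"include:spf{i}.example.com" for i in range(1, 12)) + " -all")
AFTER_ALL = "v=spf1 a mx ip4:192.0.2.1 -all include:spf.protection.outlook.com"
NO_ALL = "v=spf1 ip4:192.0.2.1 include:spf.example.com"
CONSOLIDATED = "v=spf1 include:spf.foo1.com include:_spf.bob.foo2.com -all"

if __name__ == "__main__":
    for rec in (TOO_MANY_INCLUDES, AFTER_ALL, NO_ALL, CONSOLIDATED):
        report = lint_spf(rec)
        print(rec)
        print(f"  lookups={report['lookups']}")
        for finding in report["findings"]:
            print(f"  - {finding}")
```

The consolidated record from earlier comes out clean with two lookups; the other three each produce exactly the finding the comment next to them describes. To get a true lookup count you would resolve each `include:` target with `dig +short txt` and run `lint_spf` on it recursively, adding the counts.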
In practice, not every validator is equally strict about duplicate records:
- Some older implementations simply use the first "v=spf1" TXT record they see
- A few concatenate the records, producing a policy the publisher never wrote
- Spec-conformant validators (RFC 7208 section 4.5) return permerror, and DMARC treats anything other than an SPF pass as a failure
Whichever behaviour a receiver has, senders covered only by the second record never get a pass, so the fix is the same in every case: merge the mechanisms into one TXT record as shown above.
Use these commands to check and update your SPF configuration:
# Check current TXT records
dig +short TXT example.com
# For DNS updates (using BIND syntax)
$ORIGIN example.com.
@ 3600 IN TXT "v=spf1 include:spf.protection.outlook.com include:_spf.google.com -all"
Other configuration errors to check for:
- More than 10 DNS lookups in total, counting the lookups inside every include (RFC 7208 section 4.6.4)
- Publishing Sender ID syntax ("spf2.0/pra") instead of, or alongside, a "v=spf1" record; SPF validators discard spf2.0 records
- Missing mechanisms for a sending source: every system that sends as the domain needs an ip4, ip6 or include entry
- The wrong qualifier for the intended policy (+ pass, - fail, ~ softfail, ? neutral): "+all" authorizes the whole Internet and "?all" imposes no policy at all
Use these online tools to validate your SPF records:
- MXToolbox SPF Checker
- SPF Surveyor from dmarcian
- Google Admin Toolbox
For email administrators, I recommend implementing SPF along with DKIM and DMARC for complete email authentication.