How to Properly Configure Multiple SPF Include Domains for Email Authentication


3 views

When configuring Sender Policy Framework (SPF) records, it's common to need multiple include mechanisms for different email service providers. The basic syntax remains the same whether you're including one domain or multiple domains:

domain.com.    IN   TXT    "v=spf1 include:_spf.google.com include:otherprovider.com -all"

For your specific case with Google Apps and an additional email marketing provider, here's how the SPF record should look:

domain.com.    IN   TXT    "v=spf1 a include:_spf.google.com include:thirdparty.com -all"

When adding multiple includes:

  • The order of includes doesn't matter in terms of validation
  • Each included domain must have its own valid SPF record
  • Be aware of the DNS lookup limit (10 maximum)

After updating your DNS, verify the configuration using these tools:

nslookup -type=txt domain.com
dig txt domain.com

Or use online SPF validators to check for syntax errors.

For a company using Google Workspace, Mailchimp, and their own web server:

example.com. IN TXT "v=spf1 include:_spf.google.com include:servers.mcsv.net ip4:192.0.2.1 -all"

If you encounter problems:

  • Check for DNS propagation delays (up to 48 hours)
  • Verify no syntax errors (quotes, spaces, etc.)
  • Ensure each included domain has proper SPF records
  • Watch for exceeding the 10-DNS-lookup limit

Remember to always test email delivery after making SPF changes to avoid disruption to legitimate email flow.

The Sender Policy Framework (SPF) record is a crucial DNS TXT record that specifies which mail servers are authorized to send email on behalf of your domain. When you need to authorize multiple third-party email services, the proper syntax becomes essential.

domain.com.    IN   TXT    "v=spf1 a include:_spf.google.com -all"

This existing record authorizes:

  • Your domain's A record (via the 'a' mechanism)
  • Google's mail servers (through the include)
  • Explicitly rejects all other sources (with '-all')

To incorporate your email list management provider, you'll need to add another include statement. The correct syntax is exactly as you've proposed:

domain.com.    IN   TXT    "v=spf1 a include:_spf.google.com include:otherdomain.com -all"

When modifying SPF records:

  • DNS lookups in SPF records are limited to 10 (including nested lookups)
  • Total DNS queries must complete within 10 seconds
  • The entire SPF string must be less than 255 characters
  • For long records, split into multiple strings (each <255 chars) and concatenate in DNS

Here's a more comprehensive example that includes additional common email services:

domain.com.    IN   TXT    "v=spf1 a mx include:_spf.google.com include:servers.mcsv.net include:spf.protection.outlook.com -all"

This configuration authorizes:

  1. Your domain's A record
  2. Your MX records
  3. Google Workspace
  4. MailChimp (mcsv.net)
  5. Microsoft 365 (protection.outlook.com)

After implementing changes:

dig TXT domain.com +short

Use online SPF validators to check your record's syntax and lookup count.

  • Don't exceed the 10 DNS lookup limit
  • Always maintain the '-all' fail mechanism unless testing
  • Ensure all included domains have valid SPF records
  • Avoid using 'ptr' mechanisms (deprecated and insecure)