SPF FAQ: Frequently Asked Questions About SPF Records
Answers to common SPF questions: multiple records, propagation time, DNS lookups, combining includes, and more. Get your SPF questions answered.
Last updated: 2026-02-05
SPF configuration raises many questions, especially when you're managing multiple email services or troubleshooting deliverability issues. Here are answers to the most frequently asked questions about SPF records.
Can I Have Multiple SPF Records?
No. You can only have one SPF record per domain. Having multiple SPF records causes a PermError, and your emails will fail authentication.
If you need to authorize multiple email services, combine them into a single record:
Wrong (two separate records):
v=spf1 include:_spf.google.com ~all
v=spf1 include:sendgrid.net ~all
Correct (one combined record):
v=spf1 include:_spf.google.com include:sendgrid.net ~all
If you accidentally created multiple SPF records, delete all but one and ensure that single record contains all your authorized sources.
How Long Does SPF Record Propagation Take?
DNS changes typically propagate within 1-4 hours, though full global propagation can take up to 48 hours.
Propagation time depends on:
- TTL (Time to Live) — Lower TTLs mean faster propagation. If your TTL is set to 24 hours, some servers may cache the old record for that long.
- DNS provider — Some providers push changes faster than others.
- Geographic location — Servers in different regions may see updates at different times.
Tips for faster propagation:
- Lower your TTL to 300 seconds (5 minutes) a day before making changes
- Make the change during low-email-volume hours
- After changes are stable, raise TTL back to normal (3600 seconds is common)
Do I Need SPF If I Don't Send Email?
Yes. Even if you don't send email from a domain, you should publish an SPF record to prevent spoofing.
Use this record to indicate no servers are authorized:
v=spf1 -all
This tells receiving servers that any email claiming to come from your domain is unauthorized. Without this record, attackers can freely spoof your domain in phishing campaigns.
How Many Includes Can I Have in SPF?
There's no specific limit on the number of include statements, but there's a 10 DNS lookup limit that indirectly constrains you.
Each include counts as at least one lookup, and many includes trigger additional nested lookups. For example:
- include:_spf.google.com — Uses 3-4 lookups (nested includes)
- include:sendgrid.net — Uses 1-2 lookups
- include:spf.protection.outlook.com — Uses 2-3 lookups
In practice, most domains can include 3-5 services before approaching the limit. If you need more, see our guide on the SPF 10 DNS lookup limit for optimization strategies.
How Do I Combine Multiple SPF Records?
If you have services that each provided their own SPF record, merge them manually:
Service A provided:
v=spf1 include:serviceA.com ~all
Service B provided:
v=spf1 include:serviceB.com ~all
Combined record:
v=spf1 include:serviceA.com include:serviceB.com ~all
The rules:
- Start with v=spf1
- Add all include, ip4, ip6, a, mx mechanisms
- End with one all mechanism (-all, ~all, or ?all)
- Keep it as one TXT record
What's the Difference Between ~all and -all?
Both indicate what happens to emails from unauthorized sources:
| Mechanism | Name | Meaning |
|---|---|---|
| -all | Hard fail | Unauthorized emails should be rejected |
| ~all | Soft fail | Unauthorized emails should be treated with suspicion |
| ?all | Neutral | No recommendation about unauthorized emails |
When to use each:
- ~all (soft fail) — Use during setup, testing, or when you're not 100% sure you've listed all legitimate senders. Provides information without risking rejection of legitimate mail.
- -all (hard fail) — Use when you're confident your SPF record is complete. Provides stronger protection against spoofing.
Most organizations start with ~all and move to -all after confirming everything works.
Does SPF Apply to Subdomains?
No. SPF records don't automatically apply to subdomains. Each subdomain needs its own SPF record.
If you send email from marketing.yourdomain.com, add an SPF record specifically for that subdomain:
marketing.yourdomain.com TXT "v=spf1 include:sendgrid.net ~all"
If a subdomain doesn't send email, protect it with:
marketing.yourdomain.com TXT "v=spf1 -all"
Why Does My SPF Record Show PermError?
PermError indicates a permanent problem that prevents SPF evaluation. Common causes:
- Multiple SPF records — You have more than one TXT record starting with v=spf1
- Too many DNS lookups — Your record exceeds 10 lookups
- Syntax errors — Typos or invalid mechanisms in your record
- Infinite loops — Circular references in includes
Check your record with the lookup tool above to identify the specific issue.
Can I Use IP Addresses Instead of Includes?
Yes. The ip4 and ip6 mechanisms let you authorize specific IP addresses:
v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 ~all
Advantages:
- Doesn't count toward the 10 DNS lookup limit
- Direct authorization without nested lookups
Disadvantages:
- IPs can change, breaking your authentication
- You're responsible for keeping IPs updated
- Some services use many IPs that would make your record unwieldy
Generally, use include statements for email services (they maintain their own IP lists) and ip4/ip6 only for servers you directly control with stable IPs.
What Happens If I Exceed 10 DNS Lookups?
SPF evaluation stops and returns PermError. This is treated as an authentication failure, which can cause:
- Emails rejected outright
- Emails sent to spam
- DMARC failures
See our detailed guide on the SPF 10 DNS lookup limit for solutions.
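The PermError causes listed under "Why Does My SPF Record Show PermError?" and the 10-lookup limit described here can be checked before a record is published. The following is an added example, not code from this page or from any tool it mentions: it lints constructed zone data offline and counts lookups worst-case, following nested includes. The ZONE names and the functions `spf_record`, `count_lookups` and `lint` are hypothetical.

```python
import re
# Constructed zone data standing in for live DNS TXT answers; every name is made up.
ZONE = {
    "example.com": ["v=spf1 include:_spf.mail.example include:_spf.crm.example ip4:192.0.2.0/24 ~all"],
    "_spf.mail.example": ["v=spf1 include:_a.mail.example ~all"],
    "_a.mail.example": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    "_spf.crm.example": ["v=spf1 a mx ~all"],
    "dup.example": ["v=spf1 include:_a.mail.example ~all", "v=spf1 -all"],
    "loop.example": ["v=spf1 include:loop2.example -all"],
    "loop2.example": ["v=spf1 include:loop.example -all"],
    "big.example": ["v=spf1 a mx " + " ".join(f"a:h{i}.example" for i in range(9)) + " -all"],
}
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # each costs one DNS lookup
NO_LOOKUP = {"ip4", "ip6", "all"}                                   # evaluated without DNS
LIMIT = 10
TERM = re.compile(r"[+\-~?]?([a-z0-9]*)(?:[:=]([^/\s]+))?")  # qualifier, name, optional target

class PermError(Exception): pass  # permanent error: the record cannot be evaluated

def spf_record(domain, zone):
    found = [t for t in zone.get(domain, []) if t.lower().split(" ")[0] == "v=spf1"]
    if len(found) > 1:
        raise PermError(f"{domain}: {len(found)} SPF records published")
    return found[0] if found else None

def count_lookups(domain, zone, chain=()):
    """Worst-case count: every lookup term in the record, with nested includes followed."""
    if domain in chain:
        raise PermError("include loop: " + " -> ".join(chain + (domain,)))
    record = spf_record(domain, zone)
    if record is None and chain:
        raise PermError(f"{domain}: included but publishes no SPF record")
    total = 0
    for term in (record or "").lower().split()[1:]:
        name, target = TERM.match(term).groups()
        if "=" not in term and name not in LOOKUP_TERMS | NO_LOOKUP:
            raise PermError(f"{domain}: unknown mechanism {term!r}")
        total += name in LOOKUP_TERMS
        if name in ("include", "redirect") and target:
            total += count_lookups(target, zone, chain + (domain,))
    return total

def lint(domain, zone=ZONE):
    """Return (lookups, problem); problem is None when the record evaluates cleanly."""
    try:
        n = count_lookups(domain, zone)
    except PermError as exc:
        return None, f"PermError: {exc}"
    return n, (f"PermError: {n} DNS lookups, limit is {LIMIT}" if n > LIMIT else None)
```

With the constructed data, `lint("example.com")` reports 5 lookups for only two includes, because each include brings its own nested terms, while the ip4 range adds none.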
Do I Need SPF If I Have DKIM?
Yes. While DKIM provides strong authentication, SPF and DKIM serve different purposes and complement each other:
- SPF validates the sending server
- DKIM validates the message integrity and sender
For DMARC to work effectively, you need at least one of them. For best deliverability, configure both. See our guide on SPF, DKIM, and DMARC.
Can Email Forwarding Break SPF?
Yes. When email is forwarded, the forwarding server's IP is different from your original sending server. Since that IP isn't in your SPF record, SPF fails.
This is a known limitation of SPF. Solutions include:
- DKIM — Signatures survive forwarding, so DKIM can still authenticate
- ARC (Authenticated Received Chain) — Preserves authentication through forwarding chains
- SRS (Sender Rewriting Scheme) — Rewrites the envelope sender during forwarding
Most modern email systems handle forwarding gracefully using DKIM and ARC.
How Often Should I Check My SPF Record?
At minimum, check your SPF record:
- After adding new email services
- After removing email services
- Quarterly as a routine audit
- When experiencing deliverability issues
Better yet, set up automated monitoring. Email services change their infrastructure, which can affect your lookup count even without changes on your end.
What's the Maximum Length of an SPF Record?
A single DNS TXT record string has a 255-character limit. For longer SPF records, DNS automatically splits them into multiple strings that get concatenated.
However, the total SPF record should stay under 450 characters for best compatibility with older DNS servers.
If your record is getting too long, consider:
- Removing unused includes
- Using SPF flattening
- Splitting email across subdomains
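The merge rules under "How Do I Combine Multiple SPF Records?" and the length limits above can be applied together in one step. This is an added example, not code from this page: `merge_spf`, `txt_strings` and `publishable` are hypothetical helpers, the closing mechanism defaults to ~all as the page suggests during setup, and the 255 and 450 figures are the ones stated on this page.

```python
STRING_MAX = 255  # limit for one TXT character-string
RECORD_MAX = 450  # compatibility ceiling recommended on this page

def merge_spf(records, final="~all"):
    """Merge provider-supplied SPF records into the single record a domain may publish."""
    if final not in ("-all", "~all", "?all"):
        raise ValueError(f"unsupported closing mechanism: {final!r}")
    merged, seen = [], set()
    for record in records:
        terms = record.split()
        if not terms or terms[0].lower() != "v=spf1":
            raise ValueError(f"not an SPF record: {record!r}")
        for term in terms[1:]:
            key = term.lower().lstrip("+")      # "+include:x" and "include:x" are the same term
            if key.lstrip("-~?") == "all":
                continue                        # drop each input's own all; one is appended at the end
            if key.startswith("redirect="):
                raise ValueError("redirect= cannot be merged with an explicit all mechanism")
            if key not in seen:                 # keep first occurrence, preserve order
                seen.add(key)
                merged.append(term)
    return " ".join(["v=spf1", *merged, final])

def txt_strings(record):
    """Split into strings of at most 255 characters; receivers join them with no separator."""
    return [record[i:i + STRING_MAX] for i in range(0, len(record), STRING_MAX)]

def publishable(records, final="~all"):
    """Return (record, txt_strings, warning); warning is None when under the 450-character ceiling."""
    record = merge_spf(records, final)
    warning = f"{len(record)} characters exceeds {RECORD_MAX}" if len(record) > RECORD_MAX else None
    return record, txt_strings(record), warning
```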
Monitor Your SPF Records
Checking once is good. Monitoring continuously is better. The Email Deliverability Suite watches your SPF, DKIM, DMARC, and MX records daily and alerts you when something breaks.