SPF for Multiple Email Services: How to Combine Providers
Combine multiple email services into one SPF record. Avoid duplicate records and manage DNS lookup limits with several providers.
Last updated: 2026-04-10
Most businesses use more than one service that sends email. You might have Google Workspace for everyday email, SendGrid for transactional messages, Mailchimp for newsletters, and HubSpot for sales sequences. Each needs to be authorized in your SPF record, and combining them correctly is one of the most common challenges small businesses face. For a full overview, see our complete SPF guide.
The Golden Rule: One SPF Record Per Domain
This is the single most important thing to know about SPF: you can only have one SPF record per domain (RFC 7208 Section 3.4). Not two, not three. One.
This is where most problems start. When you set up a new email service, their documentation says "add this SPF record to your DNS." So you add it. But you already had an SPF record from your previous email provider. Now you have two SPF records, and email servers don't know which one to use.
The result? A PermError that causes SPF evaluation to fail entirely, and your emails start landing in spam or getting rejected.
Multiple SPF records break email authentication
If your domain has more than one TXT record starting with v=spf1, SPF evaluation will return a permanent error. Receiving servers will treat this as an authentication failure. Always combine your providers into a single record.
Wrong -- two separate SPF records:
v=spf1 include:_spf.google.com ~all
v=spf1 include:sendgrid.net ~all
Correct -- one combined SPF record:
v=spf1 include:_spf.google.com include:sendgrid.net ~all
How to Combine Multiple Providers
Combining multiple email services into one SPF record is straightforward. You take the include statement (or IP address) from each provider and put them all in a single record, between v=spf1 and your all mechanism.
List every service that sends email for your domain
Think beyond just your email provider. Include marketing tools, CRM platforms, support desks, transactional email services, and any web applications that send email. Common ones people forget: form notification services, e-commerce platforms, and internal tools.
Find each provider's SPF include statement
Check each service's documentation or settings page for their SPF configuration. They'll give you either an include domain (like include:sendgrid.net) or IP addresses to add.
Combine everything into one record
Start with v=spf1, add each include or IP mechanism, and end with ~all or -all.
Replace your existing SPF record
Don't add a new TXT record. Edit your existing SPF record (or delete the old one and create a new one) so there's only one record starting with v=spf1.
Verify the combined record
Use the checker tool above to confirm your record is valid and all providers are included.
Real-World Example: Four Providers
Let's walk through a realistic scenario. Your business uses:
- Google Workspace for business email
- SendGrid for transactional email (password resets, order confirmations)
- Mailchimp for email newsletters
- HubSpot for sales and marketing automation
Each provider gives you an include statement:
| Provider | SPF Include |
|---|---|
| Google Workspace | include:_spf.google.com |
| SendGrid | include:sendgrid.net |
| Mailchimp | include:servers.mcsv.net |
| HubSpot | include:spf.protection.outlook.com or the HubSpot-specific include |
Your combined SPF record looks like this:
v=spf1 include:_spf.google.com include:sendgrid.net include:servers.mcsv.net include:hubspotemail.net ~all
That's it. One record, four providers, all authorized.
The DNS Lookup Limit Problem
Here's where combining multiple providers gets tricky. SPF has a hard limit of 10 DNS lookups per evaluation. Every include, a, mx, and redirect mechanism counts as at least one lookup, and nested includes within those count too.
The problem is that each include doesn't just cost one lookup. When the receiving server processes include:_spf.google.com, it fetches Google's SPF record, which itself contains more includes, each of which counts against your limit.
With four or five providers, you can easily exceed 10 lookups. When that happens, SPF evaluation fails with a PermError, and all your email authentication breaks.
Use the checker above to see your current lookup count. For a deeper dive, read SPF 10 DNS Lookup Limit.
Strategies for Staying Under the Limit
When you're running up against 10 lookups, you have several options.
Use IP addresses instead of includes
If a provider gives you a small, stable set of IP addresses, you can use ip4 and ip6 mechanisms instead of include. These don't count as DNS lookups.
v=spf1 include:_spf.google.com ip4:198.51.100.0/24 ip4:203.0.113.0/24 ~all
The downside is that IP addresses can change. If the provider updates their sending IPs, your SPF record breaks until you update it. This approach works best for services with stable, well-documented IP ranges.
SPF flattening
SPF flattening resolves all your include statements into their underlying IP addresses, eliminating DNS lookups. The catch: if a provider changes their IPs, your flattened record breaks. Flattening requires regular monitoring. Read SPF Flattening Explained for details.
Move services to subdomains
Instead of sending everything from your root domain, configure specific services to send from subdomains. Each subdomain gets its own 10-lookup limit:
| Purpose | Domain | SPF Record |
|---|---|---|
| Business email | example.com | v=spf1 include:_spf.google.com -all |
| Marketing email | mail.example.com | v=spf1 include:sendgrid.net include:servers.mcsv.net -all |
| Transactional | notify.example.com | v=spf1 include:amazonses.com -all |
This also isolates sending reputation so a problem with marketing email doesn't affect your business email. The trade-off is complexity: you'll need separate DKIM and DMARC configurations for each subdomain.
Subdomains don't inherit SPF records
SPF records are not inherited from parent domains. If you set up mail.example.com as a sending domain, it needs its own SPF record.
Remove unused services
Before getting creative, audit your SPF record for services you no longer use. Removing old includes frees up DNS lookups for services you actually need and reduces the risk of void lookups from decommissioned services.
Adding a New Provider
When you sign up for a new email service: find your current SPF record using the checker above, get the new provider's include statement from their documentation (we have guides for Google Workspace, SendGrid, Mailchimp, and many more), add the new include: before all, check your lookup count stays at 10 or fewer, and verify the updated record.
If you need help generating a combined record, SPF Creator lets you select multiple providers and produces a single, valid record.
Monitoring Multiple Providers
The more email services you use, the more important monitoring becomes. Any provider could change their SPF configuration, and stale records break authentication. Set up DMARC reporting to get regular reports on who's sending email as your domain and whether SPF and DKIM are passing.
References
- RFC 7208: Sender Policy Framework (SPF) — The current SPF specification
- RFC 7208 Section 3.4: Record Lookup — Only one SPF record per domain
- RFC 7208 Section 4.6.4: DNS Lookup Limits — The 10 DNS lookup limit
Never miss an SPF issue
Monitor your SPF, DKIM, DMARC and MX records daily. Get alerts when something breaks.
Start Monitoring