Critical Severity | SPF

Fix: Multiple SPF Records Found

Your domain has more than one TXT record starting with "v=spf1". RFC 7208 requires exactly one SPF record per domain. Multiple records cause a PermError, meaning SPF authentication fails for all emails.

Quick Fix

Merge all SPF records into a single TXT record.

What This Error Means

DNS returned two or more TXT records containing "v=spf1" for your domain. The SPF specification explicitly states that a domain must have no more than one SPF record. When multiple are found, the result is a PermError — a permanent failure that cannot be retried.

Why It Matters

A PermError means every email sent from your domain fails SPF. This is worse than having no SPF record at all (which would just return "none"). With SPF failing, DMARC can only pass through an aligned DKIM signature, which increases the probability of emails being marked as spam or rejected.

Step-by-Step Fix

1. List all SPF TXT records on your domain

Query your domain for all TXT records and identify every one that starts with v=spf1.

Example
dig +short TXT yourdomain.com | grep "v=spf1"
# Example output showing the problem:
# "v=spf1 include:_spf.google.com ~all"
# "v=spf1 include:sendgrid.net ~all"

2. Combine all mechanisms into one record

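Take all the mechanisms from each SPF record and merge them into a single record. Keep only one "all" mechanism at the end. The example below also tightens the qualifier from ~all (softfail) to -all (fail); keep ~all if you have not yet confirmed that every legitimate sender is listed.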

Before
Record 1: v=spf1 include:_spf.google.com ~all
Record 2: v=spf1 include:sendgrid.net ~all
After
v=spf1 include:_spf.google.com include:sendgrid.net -all

3. Delete the extra SPF records from DNS

In your DNS management console, remove all but the single merged SPF TXT record. Be careful not to delete non-SPF TXT records (like DKIM or domain verification records).

4. Verify the fix

Confirm only one SPF record exists and it parses correctly.

Example
dig +short TXT yourdomain.com | grep "v=spf1"
# Should return exactly one line:
# "v=spf1 include:_spf.google.com include:sendgrid.net -all"

Common Gotchas

  • This often happens when a new email service tells you to "add an SPF record" and you create a new one instead of updating the existing one.
  • Some DNS providers show TXT records differently. Make sure you are looking at the raw TXT records, not a filtered view.
  • After merging, check that the combined record does not exceed the limit of 10 DNS lookups.
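
The four steps above and the lookup-limit check from the last gotcha, as an added Python example (not code from this page): it parses `dig +short TXT` output, isolates the v=spf1 records, merges them, and counts lookup-causing terms. The function names and the sample input are assumptions constructed for illustration, and the default of -all follows the "After" record in step 2.

```python
import re

# Terms that each cost one DNS lookup toward the limit of 10 (RFC 7208, 4.6.4).
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")

def parse_dig_txt(output):
    """Turn `dig +short TXT` output into one string per TXT record."""
    records = []
    for line in output.splitlines():
        # One record may arrive as several quoted strings; join with no separator.
        chunks = re.findall(r'"((?:[^"\\]|\\.)*)"', line)
        if chunks:
            records.append("".join(chunks))
    return records

def spf_records(txt_records):
    """Keep records whose first term is exactly v=spf1 (not e.g. v=spf10)."""
    return [r for r in txt_records if r.lower().split(" ")[0] == "v=spf1"]

def merge_spf(records, final_all="-all"):
    """Merge v=spf1 records: dedupe terms, drop every all, append one all."""
    merged = []
    for record in records:
        for term in record.split()[1:]:
            is_all = term.lstrip("+-~?").lower() == "all"
            if not is_all and term not in merged:
                merged.append(term)
    return " ".join(["v=spf1", *merged, final_all])

def count_lookups(record):
    """Count lookup-causing terms in this record; nested includes add more."""
    names = (re.split(r"[:=/]", t.lstrip("+-~?").lower())[0]
             for t in record.split()[1:])
    return sum(name in LOOKUP_TERMS for name in names)

# Constructed sample: the two records from step 1 plus an unrelated
# verification TXT record (placeholder value) that must be left alone.
SAMPLE_DIG_OUTPUT = '''"v=spf1 include:_spf.google.com ~all"
"v=spf1 include:sendgrid.net ~all"
"example-site-verification=PLACEHOLDER"
'''

if __name__ == "__main__":
    found = spf_records(parse_dig_txt(SAMPLE_DIG_OUTPUT))
    print(len(found), "SPF record(s) found")
    if len(found) > 1:
        merged = merge_spf(found)
        print("merged:", merged)
        print("top-level lookups:", count_lookups(merged), "of 10")
```

The count covers only the terms in the merged record itself, so it is a lower bound: each included domain's own SPF record adds its lookups to the total. A record that uses redirect= needs manual review before merging, because redirect is ignored once an "all" mechanism is present.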

Verify Your Fix

After making changes, use our free scanner to verify the fix is working correctly. DNS changes can take up to 48 hours to propagate, but most propagate within minutes.

Frequently Asked Questions

Why can't I have two SPF records?

The SPF specification (RFC 7208) mandates exactly one SPF record per domain. Multiple records create ambiguity — a receiver doesn't know which one to evaluate. Instead of guessing, the spec says to return a PermError.

What if I need SPF for multiple email services?

Use a single SPF record with multiple "include" mechanisms. For example: v=spf1 include:_spf.google.com include:sendgrid.net include:amazonses.com -all

How did I end up with multiple SPF records?

This usually happens when setting up a new email service. The provider's instructions say "add this SPF record" and you create a new TXT record instead of updating the existing one. Always edit your existing SPF record to add new includes.
