Multiple SPF Records

What This Check Does

The Multiple SPF Records check verifies that your domain root has exactly one TXT record containing "v=spf1". According to the SPF specification (RFC 7208), a domain must not have more than one SPF record. If multiple SPF records are found, this check fails.

DNS Spy queries all TXT records for your domain root and counts how many begin with 'v=spf1'. More than one triggers a failure.

Why It Matters

Having multiple SPF records is a surprisingly common misconfiguration that can completely break your email authentication. Per RFC 7208, when a receiving mail server finds more than one SPF record, it must return a PermError — meaning SPF validation fails entirely. This can cause your legitimate emails to be rejected or marked as spam.

This often happens when administrators add a new SPF record without removing the old one, or when multiple services are configured independently. The fix is to merge all SPF directives into a single record.

NIST SP 800-81, Section 6, covers email security best practices including proper SPF configuration. DNS Spy helps you catch this common mistake before it impacts email delivery.

NIST SP 800-81 Compliance

Section 6 of the NIST Secure DNS Deployment Guide emphasizes correct email authentication configuration. Multiple SPF records violate both the SPF RFC and NIST best practices. DNS Spy's monitoring ensures you maintain a single, valid SPF record as required for compliance.

Good vs. Bad Configuration

Bad Configuration

example.com has two TXT records: "v=spf1 include:_spf.google.com ~all" and "v=spf1 include:sendgrid.net ~all". This causes SPF PermError for all email authentication checks.

Good Configuration

example.com has a single TXT record: "v=spf1 include:_spf.google.com include:sendgrid.net ~all". All authorized senders are consolidated in one SPF record.

How DNS Spy Monitors This

DNS Spy queries all TXT records for your domain root during each monitoring cycle and counts SPF records. If more than one SPF record is detected, an alert is triggered immediately. DNS Spy also tracks record changes, so you are notified if a new SPF record is accidentally added alongside an existing one.