DIAGNOSTIC ERROR
Multiple SPF Records & SPF PermError
RFC 7208 strictly requires exactly one SPF record per domain and limits DNS lookups to 10.
Emails currently bouncing? Jump straight to our free diagnostic tool to see if your domain is violating the 10-lookup limit, or read below to learn how to fix it.
Free Email Diagnostic ScannerThe Problem
"Multiple SPF Records" is the single most common validation failure that causes an SPF PermError. Receiving mail servers immediately drop your emails if your domain returns more than one TXT record starting with v=spf1, or if processing your record exceeds the strict 10-lookup limit imposed by RFC 7208.
The Physics of the SPF PermError
When you set up a new service (like Mailchimp, QuickBooks, or a new CRM), their documentation often says "Add this TXT record to your DNS." What they really mean is "Add our specific mechanism to your existing SPF record."
Mistakenly creating a brand new TXT record specifically for that service directly violates the internet standard defining SPF (RFC 7208, section 4.5). If multiple SPF records exist, the evaluation stops and returns a "PermError". The receiving server does not try to combine them; it simply throws out both records and fails the check entirely.
The 10-Lookup Limit Constraint
Even if you have only one SPF record, you can still trigger an SPF PermError by exceeding the allowed maximum of 10 recursive DNS lookups. Every time your SPF record calls an include, a, mx, or ptr mechanism, the mail server must perform additional DNS queries.
Example of Lookup Accumulation:
Consider this perfectly valid-looking SPF record:
include:_spf.google.comrequires 4 lookups.include:spf.protection.outlook.comrequires 2 lookups.include:servers.mcsv.net(Mailchimp) requires 3 lookups.
If you add just one more service requiring 2 lookups, your total becomes 11. Since 11 > 10, this triggers a fatal SPF PermError and your emails will be rejected by major providers.
The Solution: Merging Instructions
To recover deliverability, you must merge all of your separate SPF records into a single, cohesive TXT record. Here are the steps:
- Identify all existing SPF records: Look for all TXT records in your DNS starting with
v=spf1. - Combine the mechanisms: Take the unique
include:,ip4:, andamechanisms from the secondary records and copy them into your primary record. - Enforce the layout: The combined record must begin with
v=spf1, contain the merged list of mechanisms, and end with a single-allor~alldirective. - Delete the duplicates: Remove the other individual
v=spf1TXT records from your DNS so only your newly combined record remains. - Check your lookup count: Ensure that the sum of the nested queries within your combined
include,a, andmxstatements does not exceed 10.
Example of Merged Record:
Alternative Strategy: Use a Subdomain
If your combined services exceed the 10-lookup limit, or if you simply want to isolate your email reputation, the best practice is to send marketing or transactional emails from a dedicated subdomain (for example, notify.yourdomain.com or marketing.yourdomain.com).
Because SPF limits are evaluated per domain/subdomain natively, creating a subdomain gives you a fresh 10-lookup limit and a separate TXT record for those specific services. Services like Mailchimp and SendGrid highly recommend this approach because it keeps your root domain clean and limits the blast radius if a third-party service's IP reputation is compromised.
Related Email Authentication Issues
Get Expert Help Consolidating Your DNS
Struggling to safely flatten your DNS records? One wrong move can take your entire company's email offline. Let our digital identity experts fix your SPF, DKIM, and DMARC for a flat rate of $250.
