This is one of the most common email authentication mistakes, and it almost always happens when a developer follows a setup guide without checking whether an SPF record already exists.
You add Mailchimp, follow their DNS setup instructions, and add the SPF record they specify. Six months later you set up SendGrid, follow their guide, and add another SPF record. Now you have two TXT records starting with v=spf1 at your domain root, and SPF is completely broken.
Why two records break everything
RFC 7208 (the SPF specification) is explicit: a domain must not publish more than one SPF record. When a receiving server queries your domain and gets two records back, it returns a PermError.
PermError is not a soft failure. It means SPF evaluation cannot be completed and the result is treated as a hard failure by most providers. Both records could contain perfectly valid entries and it would not matter. Two records equals PermError equals broken SPF.
How to check if you have this problem
dig TXT yourdomain.com | grep spf
If you see two lines whose quoted value starts with v=spf1, you have a problem. You can also run a check at InboxGreen, which flags this specifically in its results.
The fix: merge into one record
Take every include:, ip4:, and ip6: mechanism from both records and combine them into a single record.
Before:
v=spf1 include:_spf.google.com ~all
v=spf1 include:sendgrid.net ~all
After:
v=spf1 include:_spf.google.com include:sendgrid.net ~all
Edit the first record so that it holds the merged value, and delete the second record entirely. The order of the include mechanisms does not matter, as long as the all mechanism stays last.
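The check and the merge described above, as an added Python example that is not from the original post. It goes a little further than the hand merge: it joins the quoted chunks that dig prints for long records, removes duplicate mechanisms, and counts the terms that cost a DNS lookup (RFC 7208 allows 10 per evaluation). The sample dig output and all function names are constructed for illustration.

```python
import re

LOOKUP_NAMES = {"include", "a", "mx", "ptr", "exists", "redirect"}  # RFC 7208 section 4.6.4

# Constructed sample of `dig +short TXT` output for a domain with the mistake.
SAMPLE = '''"google-site-verification=constructed-token"
"v=spf1 include:_spf.google.com ~all"
"v=spf1 include:sendgrid.net ~all"'''

def parse_dig_txt(output):
    """One record per line; dig prints long records as several quoted
    chunks, which are concatenated with no separator."""
    lines = [l for l in output.splitlines() if l.strip()]
    return ["".join(re.findall(r'"((?:[^"\\]|\\.)*)"', l)) for l in lines]

def spf_records(txt_records):
    """RFC 7208 section 4.5: 'v=spf1' exactly, or followed by a space."""
    return [r for r in txt_records
            if r.lower() == "v=spf1" or r.lower().startswith("v=spf1 ")]

def merge_spf(records):
    """Combine the terms of several SPF records, dropping duplicates and
    keeping a single `all` term at the end (the strictest one found)."""
    terms, alls = [], []
    for rec in records:
        for term in rec.split()[1:]:
            if term.lower().lstrip("+-~?") == "all":
                alls.append(term.lower())
            elif term not in terms:
                terms.append(term)
    if alls:
        # Order of strictness: -all, ~all, ?all, +all (bare `all` means +all).
        terms.append(min(alls, key=lambda t: "-~?+".index(t[0] if t[0] in "-~?+" else "+")))
    return " ".join(["v=spf1"] + terms)

def lookup_count(record):
    """Count top-level terms that cost a DNS lookup. The limit is 10 per
    evaluation, and lookups inside each include count as well."""
    names = (re.split(r"[:/=]", t.lstrip("+-~?").lower(), maxsplit=1)[0]
             for t in record.split()[1:])
    return sum(n in LOOKUP_NAMES for n in names)

if __name__ == "__main__":
    found = spf_records(parse_dig_txt(SAMPLE))
    print(f"{len(found)} SPF record(s) published")
    if len(found) > 1:
        merged = merge_spf(found)
        print("merged:", merged)
        print("top-level DNS lookups:", lookup_count(merged))
```

If the two records end in different all qualifiers, the merged record keeps the stricter one, so confirm that every legitimate sender is listed before publishing it.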
Verify the fix
dig TXT yourdomain.com | grep spf
You should see exactly one result. Run a full check at InboxGreen to confirm the PermError is gone.
For the full guide with steps for Cloudflare, Namecheap, and GoDaddy: Multiple SPF records: fix guide