How To Merge SPF Records: A Complete Step-by-Step Guide

Merge SPF records overview:

  • Publishing more than one SPF TXT record on a domain causes an immediate PermError.
  • Completing a full sender inventory before merging prevents legitimate senders from being excluded.
  • Removing stale mechanisms before publishing helps keep the record within the 10-lookup limit.
  • Removing all other SPF TXT records from the domain after publishing the merged record is essential.

A domain can only have one SPF TXT record. Publishing more than one causes an immediate authentication failure. This page explains how to merge SPF records into a single valid record – and keep it within the DNS lookup limit.

Sendmarc gives you visibility into SPF misconfigurations and centralized control over SPF records.

Why Organizations End Up with Multiple SPF Records

Most companies don’t set out to publish multiple SPF records. They accumulate over time as the sender environment grows and changes.

Each time a new email platform is added – a CRM, marketing tool, or HR system – a new SPF entry may be published as a separate TXT record instead of being added to the current one. Decentralized IT means business units publish SPF records independently, without visibility into what already exists. The result is multiple SPF TXT records on the same domain.

Acquisitions and mergers compound the problem. The acquired entity’s email infrastructure often includes its own SPF records, which may conflict with those already published on the acquiring organization’s domain.

Why Multiple SPF Records Break Authentication

RFC 7208 states that a domain shouldn’t publish more than one SPF TXT record. When multiple records exist, the receiving server can’t determine which one to evaluate, so it returns a PermError – a permanent error that causes SPF to fail.

A PermError means DMARC can’t use SPF to pass authentication. DMARC requires either SPF or DKIM to pass and align – so when SPF fails, DKIM must carry the full load. If DKIM isn’t correctly configured, DMARC fails.

Duplicate records are a common cause of DMARC failures that are difficult to diagnose because the error isn’t always obvious from DMARC aggregate reports.

How To Merge SPF Records Correctly

The correct way to merge SPF records starts with a structured approach. Rushing consolidation without a complete sender inventory risks excluding legitimate senders and creating delivery failures.

  1. Complete a full sender inventory. Document every platform authorized to send email on behalf of the domain. This is the baseline for what the merged record must cover. Include marketing platforms, CRMs, HR systems, ticketing tools, and any SaaS application that sends email for your domain.
  2. List all mechanisms across existing SPF records. Extract every ip4:, ip6:, include:, a, mx, ptr, exists, and redirect mechanism from all published TXT records. Identify duplicates – any mechanism that appears in more than one existing record only needs to appear once in the merged record.
  3. Remove stale and redundant mechanisms. Any mechanism that doesn’t map to an active, authorized sender should be removed. This reduces the DNS lookup count and reduces your attack surface. Validate removals against your sender inventory before proceeding.
  4. Consolidate into a single TXT record. Combine all valid mechanisms into one SPF TXT record. The record should begin with v=spf1 and end with a single all mechanism carrying one qualifier (for example, ~all or -all).
  5. Verify the DNS lookup count. Before publishing, confirm the merged record is under 10 DNS lookups. Count each include:, a, mx, ptr, exists, and redirect mechanism, including nested lookups.
  6. Publish, remove duplicates, and test. Publish the merged record, remove all other SPF TXT records from the domain, and validate using an SPF checker. Monitor DMARC aggregate reports for SPF pass rates in the days following the change.

Managing Lookup Limits After You Merge SPF Records

The 10 DNS lookup limit applies to recursive lookups, not just the mechanisms visible in the record itself. Nested include: chains count toward the limit.

SPF flattening resolves include: mechanisms into their underlying IP addresses, replacing DNS lookups with static entries. This reduces lookup count but requires active maintenance, because the static entries must be updated whenever a provider changes its sending IP ranges.

Sendmarc’s SPF Flattening automates this process, keeping the record within the lookup limit without requiring manual updates.

Every new sending platform added to the environment must be evaluated against the current lookup count before it’s authorized in the SPF record. Adding a new include: to a record already at nine lookups triggers a PermError. Maintaining a lookup budget – tracking the count – prevents this failure.
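
The merge steps and the lookup budget described above, worked through as an added example (not Sendmarc's code). The function names, the final_all parameter, and the ZONE table standing in for DNS are assumptions made for illustration; the limit of 10 is the RFC 7208 limit.

```python
# Added example; every domain, address and record below is constructed sample data.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # cost a DNS query
ZONE = {  # stand-in for DNS so this runs offline: name -> published SPF record
    "_spf.crm.example": "v=spf1 include:_a.crm.example include:_b.crm.example ~all",
    "_a.crm.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    "_b.crm.example": "v=spf1 ip4:203.0.113.0/24 ~all",
    "mail.hr.example": "v=spf1 ip4:192.0.2.128/25 -all",
}

def terms(record):
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError(f"not an SPF record: {record!r}")
    return parts[1:]

def kind(term):  # term name without qualifier, argument or CIDR length
    return term.lstrip("+-~?").lower().split(":")[0].split("/")[0].split("=")[0]

def merge(records, stale=(), final_all="~all"):
    """One record from many: duplicates and stale terms dropped, one trailing all."""
    merged = []
    for record in records:
        for term in terms(record):
            if kind(term) != "all" and term not in stale and term not in merged:
                merged.append(term)
    return " ".join(["v=spf1", *merged, final_all])

def count_lookups(record, zone, path=()):
    """Count DNS-querying terms, following include: and redirect= into zone."""
    total = 0
    for term in terms(record):
        name = kind(term)
        if name in LOOKUP_TERMS:
            total += 1
        if name in ("include", "redirect"):
            target = term.lstrip("+-~?")[len(name) + 1:].lower()
            if target in path:
                raise ValueError(f"include loop at {target}")
            total += count_lookups(zone[target], zone, path + (target,))
    return total

def within_budget(record, zone, limit=10):  # RFC 7208 allows at most 10 lookups
    return count_lookups(record, zone) <= limit

PUBLISHED = [  # two SPF records found on the same domain, one with a stale include
    "v=spf1 mx include:_spf.crm.example ip4:192.0.2.10 ~all",
    "v=spf1 include:_spf.crm.example include:mail.hr.example include:old-esp.example ip4:192.0.2.10 -all",
]
MERGED = merge(PUBLISHED, stale={"include:old-esp.example"}, final_all="-all")
```

The merged record shows only three lookup terms, but count_lookups(MERGED, ZONE) returns five because the CRM include pulls in two nested includes.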

Keep Your Configuration Valid After You Merge SPF Records

SPF failures are slow to detect and harder to trace without a clear view of every sending domain.

Sendmarc’s DMARC Management Platform identifies them across all domains, flags unauthorized sending sources, and tracks SPF alignment status. SPF Flattening keeps records within the DNS lookup limit automatically, reducing the operational burden on DNS and IT teams managing complex or distributed sender environments.

After you merge SPF records, a valid record doesn’t maintain itself. Sendmarc keeps it that way as your sender environment grows.