Perform An SPF Record Check To Confirm That It Doesn’t Have Multiple SPF Records

SPF record checks and monitoring can ensure accurate and error-free SPF records.

Sender Policy Framework (SPF) is an open email standard that lets domain owners publish SPF records to authenticate the mail sent from their domains, which helps prevent spoofing and phishing attempts. Below, we explore best practices for handling a domain's SPF records, along with some common SPF record issues and how to avoid them.

Can You Have Multiple SPF Records For A Single Domain?

No, a single domain must not have multiple SPF records. If a domain publishes more than one SPF record, the SPF check will fail. When an email is received, the recipient mail server looks for the sending domain's SPF record and, on finding one, checks its validity. If it finds multiple records for the single domain, the check results in a 'PermError' (permanent error) for the sender.

How To Verify Whether An SPF Record Exists?

To check whether an SPF record exists, you can use one of the many free or paid online SPF checking tools. Such tools check whether an SPF record exists and also validate it: they search for the SPF record, validate it, and display the results.

They run various tests on the SPF record of the given domain and display the output and any errors found during the diagnosis. The tools typically report details such as the following:

  • Record published status
  • Record deprecated status
  • Whether multiple records were found
  • Syntax check
  • PTR checkup
  • Void lookups
  • Sender reputation

Some SPF record check tools also present the security risks associated with the domain. One can provide either the domain name or an IP address to check the SPF record. The output of such lookup tools also includes the security check result and other parameters, as shown below.

  • Security check
  • Authorized A-records
  • Authorized MX records
  • Authorized IPv4 and IPv6 addresses

Besides the above tools, one can also query the domain's TXT records with a command-line DNS utility to check its SPF record instantly.

What To Do When You Discover Multiple SPF Records For A Domain?

Every domain should have only one SPF record. If there are multiple SPF records for the domain, the SPF record check will fail. In that case, one of the following two fixes resolves the issue.

When you stop using an email service, its SPF record entry is not always removed. Such records are outdated and no longer in use; removing these stale duplicate entries restores a valid SPF record check.

Suppose you have two records and both are indispensable. In that case, the fix is to merge the two entries into a single record. For example, suppose the domain contains the following two SPF records:

v=spf1 a mx include:yourdomain1.com include:spf.external.com ~all
v=spf1 a mx include:yourdomain2.com ~all

These two records can be merged into a single record, as shown below:

v=spf1 a mx include:yourdomain1.com include:yourdomain2.com include:spf.external.com ~all

Remember, when merging two records, make sure the merged record still starts with 'v=spf1' and ends with the 'all' mechanism. The opening 'v=spf1' version tag is followed by the permitted IP addresses and mechanisms such as 'include', with 'all' as the final term.

An important caveat with the second fix: merging multiple SPF records into one may push the record past the DNS lookup limit, in which case the domain fails verification. The lookup count must therefore be kept within the limit.

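As an added example (not the article's own tooling), the following Python script performs the merge described above on the two records the article shows. The merge rules are assumptions made for this example: non-'all' terms are kept in first-seen order with duplicates dropped, and a single 'all' is placed last, taking the strictest qualifier if the inputs disagree.

```python
"""Merge several SPF records for one domain into a single record.

Added example; not the article's own tooling. The two input records are the
ones the article shows for the domain; the merge rules are assumptions:
first-seen order, duplicates dropped, one 'all' at the end.
"""
from typing import Optional

# The two SPF records the article finds published on the same domain.
RECORDS = [
    "v=spf1 a mx include:yourdomain1.com include:spf.external.com ~all",
    "v=spf1 a mx include:yourdomain2.com ~all",
]

# Strictness ranking used when the inputs disagree on the 'all' qualifier:
# '-all' (fail) is strictest, '+all' (pass) authorises everyone.
ALL_STRICTNESS = {"-all": 3, "~all": 2, "?all": 1, "+all": 0}


def spf_terms(record: str) -> list[str]:
    """Return the terms after the version tag, or raise if this is not SPF."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError(f"not an SPF record: {record!r}")
    return terms[1:]


def normalize_all(term: str) -> Optional[str]:
    """Map any spelling of the 'all' mechanism to a qualified form, else None."""
    lowered = term.lower()
    if lowered == "all":
        return "+all"  # a bare 'all' means '+all' (pass)
    return lowered if lowered in ALL_STRICTNESS else None


def merge_spf(records: list[str], default_all: str = "~all") -> str:
    """Combine the terms of several SPF records into one record.

    Non-'all' terms are kept in first-seen order with duplicates dropped, so a
    shared 'a' or 'mx' appears once. Every 'all' is pulled out of the body and
    a single 'all' is appended at the end; if the inputs disagree on the
    qualifier, the strictest one wins ('-all' over '~all' over '?all').
    """
    body: list[str] = []
    all_terms: list[str] = []
    for record in records:
        for term in spf_terms(record):
            qualified_all = normalize_all(term)
            if qualified_all is not None:
                all_terms.append(qualified_all)
            elif term not in body:
                body.append(term)
    final_all = max(all_terms, key=ALL_STRICTNESS.__getitem__) if all_terms else default_all
    return " ".join(["v=spf1", *body, final_all])


if __name__ == "__main__":
    print(merge_spf(RECORDS))
```

The script prints the same mechanisms as the hand-merged record above, only with include:spf.external.com listed before include:yourdomain2.com; since an include term only ever matches on a pass, the relative order of include terms does not change the outcome. A merge never reduces the number of lookups, so the merged record should be checked against the ten-lookup limit afterwards.
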
How To Avoid Too Many DNS Lookup Errors?

Any SPF record is allowed at most ten DNS lookups; an SPF record must not exceed that number of lookups. Every term in the record that triggers a DNS query, such as 'include' or 'mx', counts as one lookup.

An SPF record checking tool can quickly count the DNS queries a domain's record requires. If there are more than ten lookups, remove all entries that are no longer in use. Another option is to split senders across subdomains, each with its own SPF record.

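To see why a merged record can breach the limit, here is an added Python example (not from the article or any vendor tool) that counts lookups the way a receiver's evaluation would: each a, mx, ptr, exists and include term costs one query, the redirect modifier costs one, and the queries inside an included or redirected record count as well (RFC 7208, section 4.6.4). The ZONE table is constructed sample data with hypothetical domains, so the script runs offline.

```python
"""Count the DNS lookups an SPF record triggers, following include/redirect.

Added example; not the article's own tool. The ZONE table below is constructed
test data standing in for live DNS (hypothetical domains), so the script runs
offline. Which terms cost a lookup follows RFC 7208 section 4.6.4.
"""
from typing import Optional

MAX_LOOKUPS = 10

# Mechanisms that each cost one DNS query when evaluated. ip4, ip6 and all do
# not touch DNS; the redirect modifier costs one query too (handled below).
LOOKUP_MECHANISMS = {"a", "mx", "ptr", "exists", "include"}

# Constructed zone data: domain -> the SPF record a TXT lookup would return.
ZONE = {
    "example.test": (
        "v=spf1 a mx include:_spf.mailvendor.test include:_spf.crm.test "
        "ip4:192.0.2.0/24 ~all"
    ),
    "_spf.mailvendor.test": "v=spf1 include:_spf1.mailvendor.test include:_spf2.mailvendor.test -all",
    "_spf1.mailvendor.test": "v=spf1 a mx ip4:198.51.100.0/24 -all",
    "_spf2.mailvendor.test": "v=spf1 mx ptr exists:%{i}.check.mailvendor.test -all",
    "_spf.crm.test": "v=spf1 redirect=_spf2.crm.test",
    "_spf2.crm.test": "v=spf1 a ip6:2001:db8::/32 -all",
}


def split_term(term: str) -> tuple[str, Optional[str]]:
    """Return (name, argument) for a term, ignoring the +/-/~/? qualifier."""
    bare = term.lstrip("+-~?")
    if "=" in bare:  # modifier, e.g. redirect=domain
        name, _, arg = bare.partition("=")
        return name.lower(), arg
    name, sep, arg = bare.partition(":")  # mechanism, e.g. include:domain
    return name.split("/")[0].lower(), (arg if sep else None)


def count_lookups(domain: str, zone: dict, _depth: int = 0) -> tuple[int, list[str]]:
    """Return (lookup count, trail) for the SPF record of `domain`.

    include and redirect cost one lookup for fetching the target record, and
    the lookups inside that record count as well, so the total is recursive.
    """
    if _depth > MAX_LOOKUPS:
        raise ValueError("include/redirect chain too deep; possible loop")
    record = zone.get(domain)
    if record is None:
        # The query that found nothing was already counted by the parent;
        # a receiver treats an include of a domain without SPF as PermError.
        return 0, [f"{domain}: no SPF record"]
    count, trail = 0, []
    for term in record.split()[1:]:  # skip the v=spf1 tag
        name, arg = split_term(term)
        if name in LOOKUP_MECHANISMS or name == "redirect":
            count += 1
            trail.append(f"{domain}: {term}")
        if name in ("include", "redirect") and arg:
            sub_count, sub_trail = count_lookups(arg, zone, _depth + 1)
            count += sub_count
            trail.extend(sub_trail)
    return count, trail


def within_limit(domain: str, zone: dict) -> bool:
    """True when the record stays within the ten-lookup limit."""
    return count_lookups(domain, zone)[0] <= MAX_LOOKUPS


if __name__ == "__main__":
    total, trail = count_lookups("example.test", ZONE)
    for line in trail:
        print(line)
    print(f"total lookups: {total} (limit {MAX_LOOKUPS})")
```

Run against the constructed zone, example.test costs 13 lookups even though its own record lists only four lookup terms: the vendor's nested includes and the CRM redirect add nine more. That is the situation the trail output is meant to expose, because the terms to prune are often inside a third party's record rather than your own.
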
How To Monitor The SPF Record And Avoid Any Syntax Errors?

While occasional validation of SPF records is essential, it is also crucial to set up continual monitoring. Many monitoring tools automatically raise an alert when they detect a specific condition, such as an SPF record error or the addition of multiple records, sending an immediate notification to an email address.

An SPF record must be error-free to function correctly. As mentioned earlier, ensure the record always starts with 'v=spf1' and ends with the 'all' mechanism. The 'all' mechanism carries a qualifier, as in '~all', '-all', or '?all'.

The best way to avoid even the slightest SPF syntax error is to run the record through a robust SPF syntax validator.

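As an added example (not the article's validator), the following Python script applies the checks from this section and from the 'multiple SPF records' discussion above to a domain's TXT answers: exactly one v=spf1 record, a recognised mechanism or modifier in every term, arguments where required, and an 'all' term (or a redirect= modifier, which RFC 7208 also allows) at the end. SAMPLE_TXT is constructed input built from the article's two records plus an unrelated TXT record; the status names and messages are this example's own.

```python
"""Check a domain's TXT answers for SPF problems: none, duplicates, bad syntax.

Added example; not the article's validator. The rules follow the article
(exactly one SPF record, starts with v=spf1, ends with an 'all' term) plus
basic term syntax from RFC 7208. SAMPLE_TXT is constructed sample input.
"""

QUALIFIERS = "+-~?"
MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}
MODIFIERS = {"redirect", "exp"}
NEEDS_ARGUMENT = {"include", "exists", "ip4", "ip6"}

# Constructed TXT answers: the article's two records side by side, plus an
# unrelated TXT record of the kind commonly published next to SPF.
SAMPLE_TXT = [
    "v=spf1 a mx include:yourdomain1.com include:spf.external.com ~all",
    "v=spf1 a mx include:yourdomain2.com ~all",
    "site-verification=constructed-sample-token",
]


def is_spf(txt: str) -> bool:
    """An SPF record is a TXT record whose first term is the v=spf1 tag."""
    parts = txt.split()
    return bool(parts) and parts[0].lower() == "v=spf1"


def lint_spf(record: str) -> list[str]:
    """Return the syntax problems in a single SPF record (empty list = clean)."""
    errors: list[str] = []
    body = record.split()[1:]
    if not body:
        return ["record has no terms after v=spf1"]
    for index, term in enumerate(body):
        bare = term.lstrip(QUALIFIERS)
        if "=" in bare:  # modifier such as redirect=domain
            name = bare.partition("=")[0].lower()
            if name not in MODIFIERS:
                errors.append(f"unknown modifier '{term}'")
            continue
        name, sep, _ = bare.partition(":")
        name = name.split("/")[0].lower()  # 'a/24' -> 'a'
        if name not in MECHANISMS:
            errors.append(f"unknown mechanism '{term}'")
        elif name in NEEDS_ARGUMENT and not sep:
            errors.append(f"'{name}' requires an argument, e.g. {name}:<value>")
        elif name == "all" and index != len(body) - 1:
            errors.append("'all' must be the last term; anything after it is ignored")
    last = body[-1].lstrip(QUALIFIERS).lower()
    if last != "all" and not last.startswith("redirect="):
        errors.append("record does not end with an 'all' term (or a redirect=)")
    return errors


def check_spf(txt_records: list[str]) -> dict:
    """Classify a domain's TXT answers as none, permerror, invalid or ok."""
    spf = [r for r in txt_records if is_spf(r)]
    if not spf:
        return {"status": "none", "errors": ["no SPF record published"]}
    if len(spf) > 1:
        return {
            "status": "permerror",
            "errors": [f"{len(spf)} SPF records found; receivers evaluate this as PermError"],
            "records": spf,
        }
    errors = lint_spf(spf[0])
    return {"status": "ok" if not errors else "invalid", "errors": errors, "record": spf[0]}


if __name__ == "__main__":
    print(check_spf(SAMPLE_TXT))
```

On SAMPLE_TXT the result is a permerror because two v=spf1 records are present, which is the condition a monitoring job should alert on before any syntax check is even attempted; a single merged record passes the lint cleanly.
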
A correctly configured SPF record mitigates authentication issues and helps prevent spoofing attacks by malicious actors: it lets domain owners specify which IP addresses or mail servers are permitted to send email for their domain. Any problem with the SPF record makes the SPF record check fail, and the email is not authenticated. Hence, it is essential to maintain accurate SPF records.
