The short answer is a definitive no. A domain must not have more than one SPF record. If a domain has multiple SPF records, it creates a permerror, which can cause email deliverability issues.
When a receiving mail server checks for your domain's SPF policy, it looks for a TXT record that starts with v=spf1. According to the official specification for SPF, RFC 7208, if the server finds more than one of these records, the check immediately fails and returns an error. This is not an ambiguous rule; it's a strict requirement of the SPF standard.
Having multiple SPF records makes it impossible for receiving email servers to know which one is the correct source of truth. Instead of trying to guess, the server will simply fail the SPF check with a permerror. As WP Mail SMTP correctly points out, this can lead to your emails being rejected or sent straight to the spam folder.
This failed authentication check signals to mailbox providers like Gmail and Outlook that your domain might be spoofed. Over time, consistent SPF failures can damage your sender reputation and could even land your domain on a blacklist (also known as a blocklist), making it very difficult to reach the inbox.
It's very common to send email from multiple services, such as Google Workspace for your corporate mail, Mailchimp for your marketing newsletters, and Zendesk for your customer support. Each of these services will ask you to add an SPF record. The mistake is adding a new TXT record for each one.
The correct approach is to merge them into a single SPF record. You only have one v=spf1 declaration, and then you use the include: mechanism for each service you need to authorize.
Let's say you have the following services to authorize:
Instead of creating two separate TXT records, you would combine them into one single string in one TXT record, like this:
v=spf1 include:_spf.google.com include:sendgrid.net ~all
Notice there is only one v=spf1 at the beginning and only one ~all (or -all) at the end. All of the include: mechanisms are placed in the middle, separated by spaces.
While merging records is the correct approach, you must be aware of another critical limitation: an SPF record cannot generate more than 10 DNS lookups. Each include statement in your record typically requires a DNS lookup. If your SPF record exceeds this limit, it will also result in a permerror and fail validation.
As Maileroo's help guide wisely advises, you should ensure all your include statements are necessary. Regularly auditing your SPF record to remove services you no longer use is a key part of good email hygiene.
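The two checks described above (more than one v=spf1 record, and the 10-lookup limit) can be run over a domain's TXT records before publishing a change. The following Python sketch is an added example, not code from any of the services or guides mentioned; the function names, the sample TXT strings and the choice to keep the strictest "all" qualifier when merging are assumptions made for illustration. It counts only the lookup-triggering terms written in the record itself, so the real total is higher when an included record contains further includes.

```python
import re

# Terms that cost a DNS query during SPF evaluation (RFC 7208, section 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
LOOKUP_LIMIT = 10
STRICTNESS = {"+": 0, "?": 1, "~": 2, "-": 3}  # assumed ranking used when merging

def spf_records(txt_records):
    """Keep only TXT strings whose version tag is exactly v=spf1."""
    return [r for r in txt_records if r.lower().split(" ", 1)[0] == "v=spf1"]

def count_lookup_terms(record):
    """Count terms in this record that trigger a lookup (nested includes are not followed)."""
    names = (re.split(r"[:=/]", t.lstrip("+-~?"), maxsplit=1)[0].lower()
             for t in record.split()[1:])
    return sum(name in LOOKUP_TERMS for name in names)

def merge(records):
    """One v=spf1, each mechanism once, and a single trailing 'all'."""
    terms, qualifier = [], None
    for rec in records:
        for term in rec.split()[1:]:
            if term.lstrip("+-~?").lower() == "all":
                # Assumption: when records disagree, keep the strictest qualifier.
                q = term[0] if term[0] in STRICTNESS else "+"
                if qualifier is None or STRICTNESS[q] > STRICTNESS[qualifier]:
                    qualifier = q
            elif term.lower().startswith("redirect="):
                raise ValueError("redirect= cannot be merged mechanically")
            elif term not in terms:
                terms.append(term)
    tail = [qualifier + "all"] if qualifier else []
    return " ".join(["v=spf1", *terms, *tail])

def audit(txt_records):
    """Report both permerror conditions and propose a single merged record."""
    found = spf_records(txt_records)
    merged = merge(found) if found else None
    lookups = count_lookup_terms(merged) if merged else 0
    return {"spf_count": len(found), "multiple": len(found) > 1,
            "merged": merged, "lookups": lookups, "over_limit": lookups > LOOKUP_LIMIT}

# Constructed TXT answers for a hypothetical domain: two SPF records plus an unrelated TXT.
SAMPLE_TXT = [
    "v=spf1 include:_spf.google.com ~all",
    "google-site-verification=constructed-token",
    "v=spf1 include:sendgrid.net ~all",
]

if __name__ == "__main__":
    print(audit(SAMPLE_TXT))
```

A result with "multiple" set to True means the published records would produce a permerror today; the "merged" value is the single record to publish in their place.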
To summarize, you absolutely cannot have multiple SPF records on your domain. The v=spf1 declaration is a unique marker for a single TXT record that defines your entire SPF policy. If you use multiple email sending services, you must merge their required entries into this single record. Getting this right is a fundamental step in setting up your email authentication, protecting your domain from spoofing, and ensuring your messages are delivered successfully.