Suped

How do I set up an SPF record when using multiple email sending services?

Summary

Setting up SPF records when utilizing multiple email sending services for a single domain requires careful consolidation. The fundamental principle is that a domain should only have one SPF record (a single TXT record starting with v=spf1). Having multiple SPF records can lead to an SPF PermError, which can negatively impact email deliverability. Instead, all legitimate sending sources must be combined into this single record using mechanisms like include to reference the SPF records of each service.

Suped DMARC monitor
Free forever, no credit card required
Get started for free
Trusted by teams securing millions of inboxes
Company logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logo

What email marketers say

Email marketers often navigate the complexities of SPF records with multiple sending services by focusing on practical outcomes and troubleshooting. Many encounter initial confusion regarding SPF record syntax and the specific domains that need to be authorized. Their experiences highlight the importance of testing and understanding the Return-Path to ensure proper configuration for all sending sources.

Marketer view

Email marketer from Email Geeks highlights a common point of confusion for those starting out with SPF records, specifically asking whether their own domain needs to be explicitly added to the record when using external services like Google, Amazon SES, and Helpscout. They also inquire about the necessity of including IP addresses if those services are already referenced by include statements.

03 Sep 2023 - Email Geeks

Marketer view

Email marketer from Spiceworks Community shares that their company utilizes a hybrid email environment, combining on-premises Exchange with Office 365, and they want to ensure their SPF record correctly authorizes both sending sources. They are seeking best practices to avoid deliverability issues when consolidating these different email systems under one domain.

15 Feb 2024 - Spiceworks Community

What the experts say

Experts emphasize the critical distinction between the MAIL FROM (envelope sender or Return-Path) address and the From header (display address) when configuring SPF. They strongly advise inspecting email headers to determine which domain SPF authentication truly applies to. Furthermore, they highlight that traditional mx and a mechanisms might be unnecessary or even detrimental if not directly sending from your own mail server.

Expert view

Expert from Email Geeks clarified that SPF records primarily validate the IP address associated with the domain specified in the envelope from address, not the visible From header. They further explained that mx and a mechanisms in an SPF record permit the IPs of the domain's MX and A records, respectively.

03 Sep 2023 - Email Geeks

Expert view

Expert from Word to the Wise (Laura) advises that SPF should be published for the domain found in the Return-Path line of an email's headers. This is the crucial domain for SPF authentication, and understanding its source for each sending service is key to proper configuration.

10 Apr 2024 - wordtothewise.com

What the documentation says

Official documentation and RFCs clearly stipulate the rules for SPF record creation, especially concerning multiple sending services. They emphasize the singular nature of an SPF record per domain and the proper use of the include mechanism to consolidate all authorized senders. These sources also highlight the importance of the DNS lookup limit and the specific role of the MAIL FROM domain in SPF validation.

Technical article

RFC 7208 states that a domain name must not have more than one SPF record. If a domain name has multiple SPF records, SPF validation results in a PermError. This fundamental rule prevents ambiguity and ensures consistent policy evaluation.

Apr 2014 - RFC 7208

Technical article

Microsoft Learn documentation indicates that SPF authentication relies on the MAIL FROM address, also known as the P1 sender or envelope sender. It advises that the SPF record must include all IP addresses that send email on behalf of your domain to prevent messages from being marked as spam or rejected.

20 Feb 2024 - Microsoft Learn

6 resources

Start improving your email deliverability today

Get started