How should I combine SPF records and what domain should I use with SendinBlue?
Michael Ko
Co-founder & CEO, Suped
Published 26 Jun 2025
Updated 17 Aug 2025
Managing email authentication can feel like navigating a complex maze, especially when you're using multiple email sending services. A common hurdle I see businesses face is handling their SPF records, particularly when integrating a new service like SendinBlue (now Brevo).
The core issue often revolves around combining SPF records and selecting the right domain for your sending needs. Having multiple SPF records for the same domain is a critical mistake that leads to validation failures and can severely impact your email deliverability. Understanding how to properly consolidate these records and strategically choose your sending domain is crucial for ensuring your emails reach the inbox.
This article will clarify how to correctly combine your SPF records and guide you on the best practices for using your domain with SendinBlue (Brevo) to maintain strong sender reputation and optimal inbox placement.
One of the most frequent mistakes in SPF configuration is publishing multiple SPF records for a single domain. The SPF specification clearly states that a domain must have only one SPF TXT record. If multiple records are present, the receiving mail server will encounter a "PermError" (Permanent Error) during SPF validation, leading to your emails likely landing in the spam folder or being rejected outright.
SPF (Sender Policy Framework) works by authenticating the "Envelope From" domain, which is also known as the return-path or bounce domain. This is often different from the visible "Header From" address that recipients see in their email client. For example, when you send through an Email Service Provider (ESP) like SendinBlue, they typically use a subdomain or their own domain as the Envelope From, with an SPF record published there.
To correctly accommodate all your email sending sources, you must merge all necessary SPF mechanisms into a single TXT record. This involves listing all authorized sending IP addresses and third-party services within that one record. A key mechanism for this is include, which references the SPF records of other domains or services. Remember that multiple SPF records for a single domain are not allowed; always merge them.
The single SPF record rule
You must only have one SPF record per domain. If you have two separate v=spf1 TXT records for your domain, email providers will interpret this as an error. This can lead to significant deliverability issues, as SPF authentication will fail, often resulting in messages being marked as spam or rejected.
Combining SPF records effectively
To combine SPF records, you take all the mechanisms from each record and consolidate them into one. The general structure of an SPF record begins with v=spf1 and ends with an all mechanism carrying a qualifier, such as ~all (SoftFail) or -all (HardFail). In between, you list all authorized sources.
For example, if you have an existing SPF record for Google Workspace and need to add SendinBlue, you would merge them into one record that includes both _spf.google.com and spf.sendinblue.com.
You might also encounter the 'a' and 'mx' mechanisms in your SPF record. The 'a' mechanism authorizes the IP address of your domain's A record, while 'mx' authorizes the IP addresses of your domain's MX records. If you are not sending email directly from your web server or the same system that accepts mail for your domain, you can often safely remove 'a' and 'mx' to reduce DNS lookups. For more detailed guidance on handling multiple services, see how to set up SPF when using multiple email services.
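The merge described above, together with the optional removal of bare a and mx, as an added example that is not part of the original article. The function name merge_spf, its parameters and the two input records are assumptions constructed for illustration; only the include targets come from the article.

```python
def merge_spf(records, all_term="~all", drop=()):
    """Merge several v=spf1 records into one, keeping first-seen order.

    records  -- SPF TXT strings, one per sending service
    all_term -- the single terminating 'all' term for the merged record
    drop     -- bare mechanism names to leave out, e.g. ("a", "mx")
    """
    merged, seen = [], set()
    for record in records:
        terms = record.split()
        if not terms or terms[0].lower() != "v=spf1":
            raise ValueError(f"not an SPF record: {record!r}")
        for term in terms[1:]:
            bare = term.lstrip("+-~?").lower()
            if bare == "all":
                continue  # every input ends in its own 'all'; emit only one
            if bare.startswith("redirect="):
                raise ValueError("redirect= cannot be merged mechanically")
            if bare in drop or term.lower() in seen:
                continue  # dropped on request, or already listed
            seen.add(term.lower())
            merged.append(term)
    result = " ".join(["v=spf1", *merged, all_term])
    if len(result) > 255:
        # A longer record must be split into several strings in one TXT record.
        raise ValueError("merged record exceeds one 255-byte TXT string")
    return result

# Constructed inputs (the 'mx' term is added here to show the drop option).
GOOGLE = "v=spf1 include:_spf.google.com ~all"
SENDINBLUE = "v=spf1 include:spf.sendinblue.com mx ~all"

if __name__ == "__main__":
    print(merge_spf([GOOGLE, SENDINBLUE]))
    print(merge_spf([GOOGLE, SENDINBLUE], drop=("a", "mx")))
```

Publish the returned string as the only v=spf1 TXT record on the domain and delete the records it replaces.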
Using subdomains for email sending with SendinBlue
When setting up SendinBlue (Brevo) or any ESP, I highly recommend using a subdomain for your marketing or transactional emails, rather than your root domain. For example, instead of yourdomain.com, consider mail.yourdomain.com or em.yourdomain.com. This approach separates the sender reputation of your marketing emails from your primary domain, which is crucial for protecting your core business communication.
In SendinBlue (Brevo), navigate to Senders & IPs and then the domains tab. Here, you'll add your chosen subdomain. While you can technically add your root domain, using a subdomain is a best practice for email deliverability. The SPF record you create or modify will then be for this specific subdomain.
The recipient will still see your primary email address (e.g., info@yourdomain.com) as the "From" address. The SPF authentication, however, occurs against the Envelope From domain (your subdomain), which is hidden from the recipient's view. SendinBlue (Brevo) will provide you with the exact SPF record (an include statement like include:spf.sendinblue.com) to add to your subdomain's DNS records. For more on this, you can review Brevo's official guide on merging SPF records.
Using your main domain
Risk of reputation damage: Any issues with marketing emails, such as high spam complaints or bounces, directly impact the deliverability of your core corporate emails.
Complex SPF management: Combining numerous email sources into one root domain SPF record increases the risk of exceeding the 10-DNS lookup limit.
Limited flexibility: Changes to one email service might unexpectedly affect others using the same root domain.
Using a subdomain (recommended)
Reputation isolation: Marketing or bulk email issues are contained to the subdomain, protecting your main domain's reputation for critical communications.
Simplified SPF: SPF records for subdomains are generally simpler, reducing the chance of exceeding the SPF DNS lookup limit.
Greater control: You can fine-tune authentication protocols for different email streams. To learn more about setting up SPF for subdomains, read about whether a subdomain needs its own SPF record.
Verifying your SPF configuration
After you've combined your SPF records and decided on your sending domain (preferably a subdomain) for SendinBlue (Brevo), the next crucial step is to verify your configuration. Even a small typo can lead to SPF authentication failures, causing your emails to be blocked or sent to spam.
You can use an SPF survey tool to check your domain's SPF record. These tools will scan your DNS and report any issues, such as multiple SPF records, syntax errors, or exceeding the 10-DNS lookup limit. Remember, the goal is to have a single, correctly formatted SPF record that includes all your authorized senders.
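The two checks such a tool performs, duplicate SPF records and the 10-lookup limit, sketched offline as an added example (not code from the article or from any particular tool). The ZONE table is constructed sample data standing in for DNS answers, and every name in it apart from yourdomain.com and mail.yourdomain.com is a placeholder; macros in include targets are not handled.

```python
import re

LOOKUP_LIMIT = 10  # RFC 7208 cap on DNS-querying terms per SPF evaluation
QUERYING = {"include", "a", "mx", "ptr", "exists", "redirect"}

# Constructed TXT data standing in for live DNS answers (example names only).
ZONE = {
    "yourdomain.com": ["v=spf1 include:_spf.mailbox.example ~all",
                       "v=spf1 include:spf.esp.example ~all"],  # two records
    "mail.yourdomain.com": ["verification-token=constructed",
                            "v=spf1 include:spf.esp.example mx ~all"],
    "spf.esp.example": ["v=spf1 include:a.esp.example include:b.esp.example ~all"],
    "a.esp.example": ["v=spf1 ip4:192.0.2.0/24 ~all"],
    "b.esp.example": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    "_spf.mailbox.example": ["v=spf1 ip4:203.0.113.0/24 ~all"],
}

def spf_records(domain, zone):
    """TXT strings at `domain` whose first term is the SPF version tag."""
    return [t for t in zone.get(domain, []) if t.lower().split()[:1] == ["v=spf1"]]

def count_lookups(domain, zone, seen=()):
    """Worst-case count of DNS-querying terms, following include/redirect."""
    records = spf_records(domain, zone)
    if len(records) != 1 or domain in seen:
        raise ValueError(f"{domain or '(empty)'}: not exactly one SPF record, or a loop")
    total = 0
    for term in records[0].split()[1:]:
        name, arg = re.match(r"([A-Za-z0-9]*)[:=]?(.*)", term.lstrip("+-~?")).groups()
        if name.lower() in QUERYING:
            total += 1  # this term costs one DNS query
        if name.lower() in ("include", "redirect"):
            total += count_lookups(arg, zone, seen + (domain,))
    return total

def check_spf(domain, zone=ZONE):
    """Return (verdict, lookups) for the SPF published at `domain`."""
    found = spf_records(domain, zone)
    if not found:
        return ("none", 0)
    if len(found) > 1:
        return ("permerror: multiple SPF records", 0)
    try:
        total = count_lookups(domain, zone)
    except ValueError as exc:
        return (f"permerror: {exc}", 0)
    verdict = "ok" if total <= LOOKUP_LIMIT else "permerror: over 10 DNS lookups"
    return (verdict, total)
```

With the sample data, check_spf("yourdomain.com") reports the duplicate-record error, while check_spf("mail.yourdomain.com") returns ("ok", 4): one include, the two includes nested inside it, and mx.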
Regularly monitoring your email deliverability is key. Tools like DMARC monitoring services provide valuable insights into your SPF and DKIM authentication results, helping you quickly identify and address any issues. Correct SPF setup is fundamental to a robust email authentication strategy, working in conjunction with DKIM and DMARC to protect your domain from spoofing and ensure legitimate emails reach their intended recipients.
| Mechanism | Description | Example |
| --- | --- | --- |
| v=spf1 | Indicates the SPF version (always v=spf1). | v=spf1 |
| a | Authorizes the IP address of the domain's A record. | a |
| mx | Authorizes the IP addresses of the domain's MX records. | mx |
| include | References another domain's SPF record. | include:_spf.google.com |
| ip4 | Authorizes a specific IPv4 address or range. | ip4:192.0.2.1 |
| -all | HardFail: Any server not explicitly listed is unauthorized. | -all |
| ~all | SoftFail: Servers not listed may or may not be authorized. | ~all |
Key takeaways for SPF and SendinBlue
Properly combining SPF records and selecting the right domain strategy for services like SendinBlue (Brevo) is fundamental to email deliverability. The core takeaway is to always maintain a single SPF record per domain, merging all authorized sending sources using the include mechanism.
Using a subdomain for your marketing or bulk emails (e.g., em.yourdomain.com) with SendinBlue (Brevo) provides a crucial layer of reputation isolation, safeguarding your primary domain from potential deliverability issues. Always verify your DNS changes with an SPF checker to ensure everything is configured correctly and your emails can consistently reach the inbox.
Views from the trenches
Best practices
Always consolidate all SPF mechanisms into one single TXT record for your domain to prevent PermErrors.
Utilize subdomains for different email sending purposes, especially for marketing emails through ESPs like SendinBlue (Brevo), to isolate sender reputation.
Regularly check your SPF records using online tools to ensure correct syntax and prevent exceeding the 10-DNS lookup limit.
Common pitfalls
Having multiple SPF TXT records for the same domain, which causes SPF validation to fail.
Including unnecessary mechanisms like 'a' or 'mx' when sending exclusively through an ESP, potentially causing DNS lookup issues.
Not verifying SPF changes after implementation, leading to hidden deliverability problems.
Expert tips
Consider using a dedicated subdomain for each major ESP you use to simplify SPF management and minimize lookup counts.
Implement DMARC alongside SPF and DKIM to gain visibility into your email authentication results and catch misconfigurations.
Be mindful of the 10-DNS lookup limit for SPF records, as exceeding it will cause SPF to fail.
Expert view
Expert from Email Geeks says: You should consolidate all your SPF entries into a single record. For example, if you use Google Workspace and SendinBlue, your SPF record should include both _spf.google.com and spf.sendinblue.com in one line.
2021-06-29 - Email Geeks
Expert view
Expert from Email Geeks says: You can safely remove 'mx' mechanisms from your SPF record if you are not sending mail from the same server that accepts inbound mail for that domain, especially when using a third-party ESP.