How should I combine SPF records and what domain should I use with SendinBlue?

Key findings

• Single SPF record: A domain or subdomain should only have one SPF TXT record published in its DNS. Having multiple records can lead to evaluation errors.
• Merging mechanisms: To accommodate multiple sending sources, all valid mechanisms (like include:, ip4:, mx, etc.) must be consolidated into a single SPF record, starting with v=spf1 and ending with a qualifier like ~all or -all.
• Envelope from authentication: SPF authenticates the envelope from (also known as the return-path or bounce domain), not the visible 'From' address seen by recipients.
• Subdomain for ESPs: It is generally recommended to use a dedicated subdomain (e.g., em.yourdomain.com) for sending emails through ESPs like SendinBlue. This practice helps isolate the reputation of your marketing emails from your main organizational domain.

Key considerations

• Unnecessary mechanisms: If you are not sending email from your main web server or mail server, you can often remove the a and mx mechanisms from your SPF record to simplify it and avoid potential issues, especially when using an ESP with a subdomain.
• Reputation isolation: Using a subdomain for marketing emails helps to separate the sender reputation of your bulk sends from your core business communications, protecting your main domain's deliverability.
• SPF validation tools: Always use an SPF validation tool, such as the one provided by dmarcian.com, to check for proper SPF record configuration and to identify any errors like multiple records or too many DNS lookups.
• Comprehensive authentication: Beyond SPF, ensure you have correctly configured DKIM and DMARC records to provide a full suite of email authentication for optimal deliverability. You can learn more in our guide to DMARC, SPF, and DKIM.

Key opinions

• Subdomain preference: It is strongly recommended to set up ESPs like SendinBlue with a subdomain (e.g., em.yourdomain.com) rather than the main organizational domain to protect sender reputation.
• SPF and envelope from: Marketers recognize that SPF authenticates the 'Envelope FROM' (or return-path/bounce domain), which is often different from the visible 'From' address and usually involves the ESP's domain or a configured subdomain. This is critical for alignment, as discussed in our guide on matching SPF records.
• Impact of multiple SPF records: Having two or more SPF records for the same domain will result in validation errors and should be resolved by merging them into a single record.
• ESP configuration guidance: ESPs like SendinBlue typically provide clear instructions and tools within their 'Senders & IPs' or 'domains' sections to help configure the necessary DNS records, including SPF.

Key considerations

• Protecting primary domain reputation: Marketers should always strive to separate the reputation of marketing emails from their main domain, as issues with bulk sending can negatively impact transactional or corporate email delivery.
• Verifying DNS changes: After making DNS changes for SPF, it's crucial to use online tools to verify that the records are correctly published and are not causing errors. For example, some users on Spiceworks Community discuss difficulties in combining multiple SPF records and the importance of verification.
• Sender tab setup: Even when using a subdomain for SPF, the visible 'From' address can still be whatever@yourdomain.com, maintaining brand consistency for the recipient.

Key opinions

• Single record necessity: Experts confirm that having more than one SPF TXT record for a domain will inevitably lead to evaluation errors, rendering SPF ineffective.
• Consolidated includes: The correct approach for multiple sending services (like a self-hosted mail server and SendinBlue) is to consolidate their SPF mechanisms, especially include: statements, into a single SPF record.
• Mechanism placement: While convention suggests placing a and mx mechanisms early in the SPF record, their exact position (after v=spf1) generally shouldn't affect evaluation, though adhering to convention is good practice.
• Conditional mechanism use: Mechanisms like a and mx are only necessary if the web server (for a) or mail server (for mx) associated with the domain is actually sending email on its behalf. If not, they can be safely removed.
• SPF scope: SPF authenticates the 'envelope from' address (also known as the return-path or bounce address), not the visible 'From' address. This is a crucial distinction for understanding how SPF aligns with email authentication protocols.

Key considerations

• DNS lookup limits: Be mindful of the 10 DNS lookup limit for SPF records. Each include:, a, mx, and ptr mechanism counts towards this limit. Exceeding it results in a PermError.
• Subdomain for ESPs: When using an ESP, configure it to send from a subdomain of your main domain. This allows for specific SPF records on the subdomain without interfering with the root domain's SPF record. This is especially true as Word to the Wise advises, that SPF authenticates the envelope sender.
• Corporate domain SPF: For your corporate domain, the mx mechanism might be useful, but if mail is handled by services like Google Workspace or Microsoft 365, it is often not strictly necessary as their SPF includes cover the relevant sending IPs.

Key findings

• One SPF record per domain: RFC 7208, the authoritative SPF specification, dictates that a domain or subdomain must only have one SPF TXT record. Publishing multiple SPF records leads to a PermError during evaluation.
• Consolidation required: If multiple email sending services are used for a domain, all their authorized IP addresses and 'include' mechanisms must be combined into this single SPF record. This is a common point emphasized by various guides on merging SPF records, such as those from FluentSMTP.
• Syntax and order: An SPF record must always start with v=spf1 and end with an 'all' mechanism (e.g., ~all, -all). The mechanisms are evaluated from left to right.
• DNS lookup limit: An SPF record must not cause more than 10 DNS lookups during its evaluation. Mechanisms like a, mx, ptr, and include each count as one lookup.

Key considerations

• Preventing PermError: To avoid SPF PermError caused by exceeding the 10 DNS lookup limit, carefully review your SPF record. Consolidate IP ranges where possible and remove unnecessary include statements.
• Choose 'all' qualifier wisely: The 'all' mechanism's qualifier defines how unauthorized senders are treated. -all (fail) rejects unauthorized mail, ~all (softfail) marks it as suspicious, and ?all (neutral) means it may or may not be authorized. Understanding the full form of SPF is key here.
• Regular validation: Regularly validate your SPF record using online tools to ensure it remains compliant, especially after adding or removing email services. This helps in fixing multiple SPF records and maintaining good deliverability.