How the New Email Uptime Monitoring Helps with Multiple SPF Records
SPF stands for Sender Policy Framework, and it is an email authentication protocol. The purpose of SPF is to check whether the email was sent from the person it says it is from. We showed how to create an SPF record and deploy it. And if you are reading this article you’ve probably encountered some issues with that. So let’s answer the burning question right away.
Can You Have Multiple SPF records?
No, you cannot. Well, technically, of course, you can, but you shouldn’t in your own interests as we’ll see in a minute.
But first, everything there is to know about Sender Policy Framework is defined by the Internet Engineering Task Force (IETF) in RFC4408, and it clearly states in section 3.1.2.:
“A domain name MUST NOT have multiple records that would cause an authorization check to select more than one record.”
This means that if you look at your TXT SPF record, there is only one ‘v=spf1’ in the whole record. If you see more — Houston, we have a problem.
Multiple SPF records is a very common issue. Usually, it is caused by working with third-party organizations, when a company is asked to create an SPF record while they forget they already have one.
A Consequence of Multiple SPF Records
Unfortunately, as a consequence SPF authentication will return PermError, meaning fail. One unwanted consequence of failed authentication is a decreased deliverability. Even though the initial purpose of the SPF record was to protect emails from being used by scammers, it undeniably can influence email inbox placement.
Mailbox providers (especially large and reputable ones) strive to ensure their users are not bombarded with spam or scam letters. And SPF record is one of the authentication layers that legitimate senders use to identify themselves and prove that they don’t bring any cyber-risk to the recipient.
One way to minimize the consequences of multiple SPF PermError is to use SPF uptime monitoring, and I’ll explain why in a moment. But first, how do you run an SPF record check if you don’t know whether you have the issue?
How to Run an SPF Record Check
There is a couple of options to run an SPF check — through a specific third-party tool like GlockApps (or with our free Gappie phone bot), or manually.
First of all, if you’re using GlockApps for spam testing, you will not miss this issue. Your sender authentication section will immediately show in red that there is a problem.
How to Run an SPF Record Check in GlockApps Validator
On the left side menu of your account scroll down to “Diagnostics” and click “SPF Validator”. Then simply enter your domain name, click the button, and get the results instantly. You will see your SPF record, its explanation, and tree representation. Here’s how your multiple SPF look.
How to Run an SPF Record Check from Phone
If you’re reading this article from the desktop/laptop, you can take your phone right now and run SPF check in seconds. Simply open your Telegram (or Slack if you have it), and search for Gappie. You’ll find our friendly blue dog bot that can check SPF, DMARC, MX records, PTR, and IP blacklistings, and even run quick deliverability test. Here’s the alert you get when you Gappie finds a multiple SPF record on your domain.
How to Run an SPF Record Check Manually
To check the record all by yourself use a nslookup. In a command line type:
nslookup -type=txt add a space and enter your domain name as in: “nslookup -type=txt glockapps.com”.
Now you have to be able to see your SPF record. Pay attention to ‘v=spf1’ — if there is more than one, you have an issue with multiple SPF records. Here’s an SPF record example:
SPF record #1:
v=spf1 include:_spf.google.com -all
SPF record #2:
v=spf1 include:amazonses.com -all
I Have Multiple SPF Records, What Do I Do?
The easiest way to deal with the issue is to simply merge the two records into one. Read the rest of the article: https://glockapps.com/blog/spf-record-uptime-monitoring/
