How the New Email Uptime Monitoring Helps with Multiple SPF Records

SPF stands for Sender Policy Framework, and it is an email authentication protocol. The purpose of SPF is to check whether the email was sent from the person it says it is from. We showed how to create an SPF record and deploy it. And if you are reading this article you’ve probably encountered some issues with that. So let’s answer the burning question right away.

Can You Have Multiple SPF records?

No, you cannot. Well, technically, of course, you can, but you shouldn’t in your own interests as we’ll see in a minute.

But first, everything there is to know about Sender Policy Framework is defined by the Internet Engineering Task Force (IETF) in RFC4408, and it clearly states in section 3.1.2.:

“A domain name MUST NOT have multiple records that would cause an authorization check to select more than one record.”

This means that if you look at your TXT SPF record, there is only one ‘v=spf1’ in the whole record. If you see more – Houston, we have a problem.

Multiple SPF records is a very common issue. Usually, it is caused by working with third-party organizations, when a company is asked to create an SPF record while they forget they already have one.

A Consequence of Multiple SPF Records

Unfortunately, as a consequence SPF authentication will return PermError, meaning fail. One unwanted consequence of failed authentication is a decreased deliverability. Even though the initial purpose of the SPF record was to protect emails from being used by scammers, it undeniably can influence email inbox placement.

Mailbox providers (especially large and reputable ones) strive to ensure their users are not bombarded with spam or scam letters. And SPF record is one of the authentication layers that legitimate senders use to identify themselves and prove that they don’t bring any cyber-risk to the recipient.

One way to minimize the consequences of multiple SPF PermError is to use SPF uptime monitoring, and I’ll explain why in a moment. But first, how do you run an SPF record check if you don’t know whether you have the issue?

How to Run an SPF Record Check

There is a couple of options to run an SPF check – through a specific third-party tool like GlockApps (or with our free Gappie phone bot), or manually.

First of all, if you’re using GlockApps for spam testing, you will not miss this issue. Your sender authentication section will immediately show in red that there is a problem.

GlockApps spam test also checks your authentication records
and multiple SPF won’t be unnoticed

How to Run an SPF Record Check in GlockApps Validator

On the left side menu of your account scroll down to “Diagnostics” and click “SPF Validator”. Then simply enter your domain name, click the button, and get the results instantly. You will see your SPF record, its explanation, and tree representation. Here’s how your multiple SPF look.

GlockApps SPF validator provides a detailed explanation of your SPF record

How to Run an SPF Record Check from Phone

If you’re reading this article from the desktop/laptop, you can take your phone right now and run SPF check in seconds. Simply open your Telegram (or Slack if you have it), and search for Gappie. You’ll find our friendly blue dog bot that can check SPF, DMARC, MX records, PTR, and IP blacklistings, and even run quick deliverability test. Here’s the alert you get when you Gappie finds a multiple SPF record on your domain.

Gappie bot will spot multiple SPF record right from your phone

How to Run an SPF Record Check Manually

To check the record all by yourself use a nslookup. In a command line type:

nslookup -type=txt add a space and enter your domain name as in: “nslookup -type=txt glockapps.com”.

Now you have to be able to see your SPF record. Pay attention to ‘v=spf1’ – if there is more than one, you have an issue with multiple SPF records. Here’s an SPF record example:

SPF record #1:

v=spf1 include:_spf.google.com -all

SPF record #2:

v=spf1 include:amazonses.com -all

I Have Multiple SPF Records, What Do I Do?

The easiest way to deal with the issue is to simply merge the two records into one. Let’s look at our SPF record example:

SPF record #1:

v=spf1 include:_spf.google.com -all

SPF record #2:

v=spf1 include:amazonses.com -all

To merge these two you must follow a couple of simple rules:

1. There must be only one ‘v=spf1’, and it must be only at the beginning of the record.
2. There must be only one ‘all’ mechanism, and it must be only at the end of the record.

And voila:

v=spf1 include:_spf.google.com include:amazonses.com -all

Read also: How to Optimize Your SPF Record

SPF Uptime Monitoring as Your Safety Net

Usually, when we say uptime monitor, we think about website monitoring. But at GlockApps we’re fans of email, so we’ve decided to apply the same technique to the monitoring of authentication records. How can email uptime monitoring help with multiple SPF records issue?

It saves you time. Time while you could be unaware of the problem, time during which your deliverability rate could be declining and more emails would be ending up in spam folder. Using an uptime monitor for your SPF record you can set check time for as often as every minute. And if any issue occurs (like an SPF misconfiguration) you will immediately receive an alarm so you could remove the issue as soon as possible.

GlockApps SPF Uptime Monitor multiple SPF record status

It’s not unusual for an SPF record error to happen, but using an uptime monitor you will instantly know that something went wrong.

With GlockApps Uptime Monitor free trial, you get:

• Free system monitors (HTTP/TCP/TLS Monitors, SPF/DKIM/DMARC Monitors);
• 14-day trial of the IP reputation monitors;
• 1-minute monitoring interval;
• Instant notifications when DMARC Fails.

If you use DMARC Analytics, you automatically get to use free DMARC monitoring, SPF, and DKIM monitoring.