Defaults.Exposed › Reports
Can a Domain Have Two SPF Records? No — a Million Domains Just Voided Their Own (2026)
Published 2026-07-03
Figures as of 2026-06-29 · methodology v7. Aggregate census across 261 million graded domains. All figures aggregate — never an individual business’s record. See how we grade.
No — a domain may publish exactly one SPF record, and getting this wrong switches SPF off entirely: 1,013,416 domains currently publish two or more, which under RFC 7208 makes all of a domain’s SPF records invalid. Not the newest, not the oldest — every one. A receiver that finds multiple v=spf1 records must return a permanent error, which means no SPF protection at all, on a domain that looks to its owner like it has double the protection.
Why do two SPF records equal zero?
The standard is blunt: a domain’s SPF policy must be a single TXT record starting v=spf1 (RFC 7208 §3.2; the error result is prescribed in §4.5). If a lookup finds more than one, the receiver cannot know which is authoritative — so the standard forbids guessing. Standards-conformant receivers must return PermError: evaluation fails permanently.
And a PermError is not neutral. DMARC treats it as a fail on the SPF leg — so a domain that duplicated its record has voided its protection and handicapped its own legitimate mail’s authentication. It is one of the very few DNS mistakes where adding protection removes it (publishing two DMARC records does the same thing to DMARC).
Roughly 1 in 138 domains that attempt SPF have done this to themselves.
How does it happen? The onboarding copy-paste
Almost nobody writes a second SPF record on purpose. It happens the day you add an email tool:
- Your domain already has
v=spf1 include:spf.protection.outlook.com -allfrom your mailbox provider. - You sign up for a newsletter platform, CRM or invoicing tool.
- Its setup guide says: “Add this TXT record to your DNS:
v=spf1 include:newtool.example.com ~all.” - You do exactly what it says — you add it, next to the old one.
Two records now exist, and both are void. The guide said “add”, and adding is the one thing the standard doesn’t allow; the correct move — merging the new include: into the existing record — is mentioned by almost no onboarding flow.
The failure is invisible from the DNS panel: both records look individually well-formed, and mail mostly still arrives because receivers fall back to other signals. Nothing alerts you until a spoof lands or deliverability sags.
How to check and fix it — two minutes, free
- Look up your domain’s TXT records (
dig TXT yourdomain.com, or use our free check). - Count the records that start
v=spf1. The only safe number is 1. - If you have more: merge them — every
include:andip4:/ip6:mechanism into a single record with one terminal qualifier (see~allvs-all) — and delete the rest.
Before: v=spf1 include:spf.protection.outlook.com -all
v=spf1 include:servers.mcsv.net ~all
After: v=spf1 include:spf.protection.outlook.com include:servers.mcsv.net -all
As you merge, keep an eye on the 10-lookup limit — too many include: mechanisms break SPF a different way.
Frequently asked questions
Are multiple SPF records allowed?
No. RFC 7208 permits exactly one v=spf1 record per domain; two or more cause a permanent error that voids SPF entirely. 1,013,416 domains are in this state as of 2026-06-29.
Does the second SPF record override the first? Neither wins. A receiver finding multiple records must fail the evaluation rather than choose — so all of them stop working at once.
How do I combine two SPF records into one?
One record, starting v=spf1, containing every include: and IP mechanism from all of them, ending in a single -all or ~all. Delete the extras, then verify your lookup count survived the merge.
Why does my email still work with two SPF records? Receivers that hit the error usually proceed without SPF, so your mail rides on reputation and DKIM. What you’ve lost is protection — nothing rejects a forger — and your DMARC evaluations lose their SPF leg. Working mail and working SPF are different things.
Check whether your domain is one of the million
A 30-second look either clears you or hands you a two-minute merge.
Check your domain → · Fix SPF → · The SPF PermError report → · The SPF maturity model → · Aggregate data only. Data stored and processed in the EU.