When using multiple sending services, add each service's SPF include to one SPF record (watch the 10 DNS lookup limit), configure DKIM for each service on your domain, and use DMARC aggregate reports to verify alignment for all senders. If you hit the SPF 10-lookup limit, use subdomain delegation (marketing.domain.com, support.domain.com) to distribute SPF records across subdomains, or use SPF flattening to reduce lookups.
SPF, DKIM, DMARC for Multiple Sending Services: The Architecture Guide
The Real-World Problem
Your business doesn't use one email service. You use five. Or seven:
- Google Workspace for employee email
- Klaviyo for marketing campaigns
- SendGrid for transactional (order confirmations, password resets)
- GoHighLevel for automation sequences
- HubSpot for sales outreach
- Zendesk for support tickets
- Calendly for booking confirmations
Every one of these services sends email "from" your domain. Every one needs proper authentication. And SPF's 10-lookup limit means you can't just keep adding include: directives forever.
This is the authentication architecture guide that nobody else has written.
The SPF Problem
Counting Your Lookups
Each include: in your SPF record costs DNS lookups. But it's not 1:1 — included records chain to other lookups:
| Service | Include | Typical Lookup Cost |
|---|---|---|
| Google Workspace | include:_spf.google.com | 3-4 lookups |
| Microsoft 365 | include:spf.protection.outlook.com | 2-3 lookups |
| SendGrid | include:sendgrid.net | 1 lookup |
| Mailgun | include:mailgun.org | 1 lookup |
| Klaviyo | include:_spf.klaviyo.com | 1-2 lookups |
| HubSpot | include:spf.hubspot.com | 2 lookups |
| Zendesk | include:mail.zendesk.com | 1-2 lookups |
| Freshdesk | include:email.freshdesk.com | 1-2 lookups |
Google Workspace alone can consume 4 of your 10 lookups. Add Klaviyo, SendGrid, and HubSpot and you're at 10. Add Zendesk and you've exceeded the limit — breaking SPF for everything.
Solution 1: Subdomain Delegation
The cleanest solution. Route different services through different subdomains:
yourdomain.com → Google Workspace (employee email)
marketing.yourdomain.com → Klaviyo (marketing campaigns)
mail.yourdomain.com → SendGrid (transactional)
crm.yourdomain.com → HubSpot (sales email)
support.yourdomain.com → Zendesk (support tickets)
Each subdomain gets its own SPF record:
yourdomain.com TXT v=spf1 include:_spf.google.com -all
marketing.yourdomain.com TXT v=spf1 include:_spf.klaviyo.com -all
mail.yourdomain.com TXT v=spf1 include:sendgrid.net -all
crm.yourdomain.com TXT v=spf1 include:spf.hubspot.com -all
support.yourdomain.com TXT v=spf1 include:mail.zendesk.com -all
Each stays well under 10 lookups. No conflicts. Clean separation.
Important: Configure each service to send from its subdomain (e.g., set Klaviyo's sending domain to marketing.yourdomain.com). The From: address becomes [email protected].
Solution 2: SPF Flattening
If subdomains aren't an option (brand requirements, legacy systems), SPF flattening replaces include: mechanisms with the resolved IP addresses:
Before flattening:
v=spf1 include:_spf.google.com include:sendgrid.net include:mailgun.org include:_spf.klaviyo.com -all
After flattening:
v=spf1 ip4:209.85.128.0/17 ip4:74.125.0.0/16 ip4:167.89.0.0/17 ip4:198.2.128.0/18 ... -all
IP lookups don't count toward the 10-lookup limit. However:
- IPs change. ESPs add and remove IPs regularly. You need automated flattening.
- Tools: AutoSPF, EasyDMARC SPF flattening, dmarcian SPF management
- Risk: If an ESP changes IPs and your flattened record isn't updated, their email fails SPF
Subdomain delegation is more reliable. Use flattening only when subdomains aren't feasible.
DKIM: No Limits, Configure Everything
Unlike SPF, DKIM has no lookup limit. You can have unlimited DKIM selectors on your domain.
Configure DKIM for every sending service:
google._domainkey.yourdomain.com → Google Workspace DKIM
k1._domainkey.yourdomain.com → Klaviyo DKIM
s1._domainkey.yourdomain.com → SendGrid DKIM
smtp._domainkey.yourdomain.com → Mailgun DKIM
hsm._domainkey.yourdomain.com → HubSpot DKIM
Each service provides its DKIM public key or CNAME. Add them all. They don't interfere with each other.
DKIM is your safety net. Even if SPF fails (common with forwarding), DKIM alignment saves your DMARC result. Prioritize DKIM configuration for every sender.
DMARC: Monitor Everything
With multiple senders, DMARC aggregate reports are essential. They show you:
- Every IP/service sending as your domain
- Whether each passes or fails SPF
- Whether each passes or fails DKIM
- Alignment status
Setup:
_dmarc.yourdomain.com TXT v=DMARC1; p=none; rua=mailto:[email protected]
The Process:
- Start at
p=noneand collect reports for 4 weeks - Use dmarcian or Postmark DMARC to parse reports
- Identify every legitimate sender — authorize them
- Identify any unauthorized senders — investigate
- Once all legitimate traffic passes, advance to
p=quarantine - After 2 more weeks clean, advance to
p=reject
Practitioner note: The SPF 10-lookup limit is the #1 authentication issue I fix for businesses. They add services over time without checking lookup count, then wonder why deliverability suddenly dropped. The permerror is silent — your email still sends, it just fails SPF everywhere.
Practitioner note: Subdomain delegation is the correct solution for any business using more than 3 sending services. Yes, it means your marketing emails come from marketing.yourdomain.com instead of yourdomain.com. The deliverability benefit far outweighs the branding inconvenience.
Practitioner note: When I audit a company's email authentication, I usually find 1-2 services sending email that nobody on the current team even remembers authorizing. A sales team trial of Outreach from 2 years ago, a Calendly integration someone forgot about. DMARC reports reveal all of them.
For the individual setup guides, see SPF setup, DKIM setup, and DMARC setup. For the lookup limit problem in detail, see the SPF 10-lookup limit guide. If managing authentication across multiple services feels overwhelming, schedule a consultation — I audit multi-service setups and configure authentication architecture that scales without breaking.
Sources
- RFC 7208: SPF (Section 4.6.4 — DNS Lookup Limits)
- RFC 6376: DKIM
- RFC 7489: DMARC
- Google: SPF Record Setup
v1.0 · March 2026
Frequently Asked Questions
How many email services can I have in one SPF record?
SPF allows 10 DNS lookups. Each 'include:' mechanism typically costs 1-3 lookups (the included record may chain to other lookups). With 3-4 services, you're often at the limit. Five or more services almost always exceeds it. Use MXToolbox SPF lookup to count your current lookups.
What happens when I exceed the SPF 10-lookup limit?
SPF returns a 'permerror' result, which means SPF effectively fails for ALL email. Some receivers treat permerror as a hard fail. This silently breaks authentication for every service in your SPF record — not just the extra ones.
Should I use subdomains for different senders?
Yes, this is the best practice for complex setups. Use marketing.domain.com for Klaviyo, support.domain.com for Zendesk, notifications.domain.com for transactional. Each subdomain gets its own SPF record with room under the 10-lookup limit.
Do I need separate DKIM for each service?
Yes. Each sending service should sign with its own DKIM selector on your domain. This doesn't have a limit like SPF — you can have unlimited DKIM selectors. Each uses a different DNS record (e.g., k1._domainkey, s1._domainkey).
How do I make sure DMARC passes for all my senders?
DMARC passes when EITHER SPF or DKIM aligns with your From: domain. Configure DKIM for all services (this is the most reliable alignment method). SPF alignment is a bonus but breaks easily with forwarding. Start DMARC at p=none and review aggregate reports to verify all services pass.
Want this handled for you?
Free 30-minute strategy call. Walk away with a plan either way.