Combine multiple SPF includes into a single TXT record at your apex domain. Example: `v=spf1 include:_spf.google.com include:sendgrid.net include:mailchimp.com ~all`. You can only have one SPF record per domain. Watch the 10-DNS-lookup limit — each include counts. Use SPF flattening services if you approach the limit.
SPF With Multiple Email Providers: Combining Records Safely
When you add a new email provider — Google Workspace for staff mail, SendGrid for transactional, Mailchimp for marketing — you need to add it to your SPF record. The mistake people make is creating a second SPF record instead of combining. Multiple SPF records is the single most common SPF misconfiguration I see, and it causes silent SPF failures across all senders.
This guide covers how to combine providers correctly, the 10-lookup limit that bites enterprise senders, and the flattening pattern for when you outgrow includes.
One SPF record per domain. Always.
RFC 7208 is explicit: a domain can have at most one SPF record. If you publish two, SPF evaluation returns permerror and your mail fails authentication.
# WRONG - two SPF records
yourdomain.com. TXT "v=spf1 include:_spf.google.com ~all"
yourdomain.com. TXT "v=spf1 include:sendgrid.net ~all"
# RIGHT - one SPF record with multiple includes
yourdomain.com. TXT "v=spf1 include:_spf.google.com include:sendgrid.net ~all"
Test with dig TXT yourdomain.com and visually scan for multiple v=spf1 strings. If you see more than one, that's your problem.
Combining common providers
Here are the canonical SPF includes for the major providers. Add the ones you actually use:
| Provider | SPF include |
|---|---|
| Google Workspace | include:_spf.google.com |
| Microsoft 365 | include:spf.protection.outlook.com |
| SendGrid | include:sendgrid.net |
| Mailgun | include:mailgun.org |
| Postmark | include:spf.mtasv.net |
| Mailchimp | include:servers.mcsv.net |
| Klaviyo | include:_spf.klaviyo.com |
| HubSpot | include:_spf.hubspotemail.net |
| Constant Contact | include:spf.constantcontact.com |
| Brevo | include:spf.brevo.com |
| ActiveCampaign | include:spf.activehosted.com |
| Zoho | include:zoho.com |
| AWS SES | include:amazonses.com |
| Resend | include:_spf.resend.com |
A combined record for a company using Google Workspace + SendGrid + Mailchimp:
yourdomain.com. TXT "v=spf1 include:_spf.google.com include:sendgrid.net include:servers.mcsv.net ~all"
For the foundational SPF concepts, see the SPF setup guide.
The 10-lookup limit
SPF evaluation is limited to 10 DNS lookups per RFC 7208. Each include counts as one. Each include's own includes count too — _spf.google.com resolves three internal includes (_netblocks.google.com, _netblocks2, _netblocks3), so it consumes 4 lookups by itself in practice.
Lookup counts per provider (as of mid-2026, subject to change):
| Provider | Lookups consumed |
|---|---|
| Google Workspace | 4 |
| Microsoft 365 | 3 |
| SendGrid | 2 |
| Mailgun | 1 |
| Mailchimp | 4 |
| Klaviyo | 2 |
| HubSpot | 3 |
Add Google Workspace + Microsoft 365 + Mailchimp + HubSpot and you're at 14 lookups — over the limit. SPF returns permerror, mail fails.
Check current lookup count with mxtoolbox SPF Surveyor (free) or the kitterman.com SPF validator.
Practitioner note: Microsoft 365 publishes
spf.protection.outlook.comas a single include, but internally it expands to multiple includes that themselves expand. The expansion can change. I've had clients hit permerror after Microsoft restructured their SPF includes mid-2024 without warning. Audit SPF lookup count quarterly.
SPF flattening
When you exceed 10 lookups, flattening is the workaround. Replace include mechanisms with their resolved IPs:
# Before (uses includes)
v=spf1 include:_spf.google.com include:sendgrid.net ~all
# After flattening (uses IPs directly)
v=spf1 ip4:35.190.247.0/24 ip4:64.233.160.0/19 ip4:66.102.0.0/20
ip4:167.89.0.0/17 ip4:169.45.94.16/29 ~all
Flattened records use 0 lookups regardless of how many providers you've inlined. The trade-off: when your providers change their IPs (which they do), your flattened record goes stale and starts hard-failing legitimate mail.
Use a managed flattening service:
- EasyDMARC — paid, auto-updates
- dmarcian — paid, auto-updates
- Scott Helme's SPF tools — free reference, manual update
- Mailhardener — paid, auto-updates
These services publish a synthetic include for you (e.g., include:spf.youragency.com) that they keep flattened on their end. When provider IPs change, they update their record and you inherit it.
For deeper coverage of flattening, see SPF flattening.
SPF mechanism qualifiers
The mechanism qualifier at the end of your SPF record matters:
| Qualifier | Meaning | Use case |
|---|---|---|
~all | SoftFail | Recommended default — mail still accepted but marked |
-all | HardFail | Stricter — mail rejected if SPF fails. Use after monitoring |
?all | Neutral | No assertion. Avoid |
+all | Pass everything | Never use — equivalent to no SPF |
Start with ~all while monitoring DMARC reports. Move to -all once you've confirmed all legitimate sources are in the record and DMARC reports show consistent SPF alignment.
A real-world example
A SaaS company sending from:
- Google Workspace (staff mail)
- SendGrid (transactional via app)
- Mailgun (alerts via separate service)
- Klaviyo (ecommerce marketing)
- HubSpot (CRM/marketing automation)
Naive combined record:
v=spf1 include:_spf.google.com include:sendgrid.net include:mailgun.org
include:_spf.klaviyo.com include:_spf.hubspotemail.net ~all
Lookup count: roughly 4 + 2 + 1 + 2 + 3 = 12. Over limit.
Fix: use a subdomain for non-staff sending and put a dedicated SPF on each:
# Staff mail (apex domain)
yourdomain.com. TXT "v=spf1 include:_spf.google.com ~all"
# Marketing subdomain
mail.yourdomain.com. TXT "v=spf1 include:_spf.klaviyo.com include:_spf.hubspotemail.net ~all"
# Transactional subdomain
app.yourdomain.com. TXT "v=spf1 include:sendgrid.net include:mailgun.org ~all"
Each is well under the limit, and reputation is properly segmented.
Practitioner note: Subdomain separation is the cleanest solution for SPF overflow at scale. It also gives you per-segment DMARC policies — marketing on
p=quarantine, transactional onp=reject, staff onp=reject. The DNS overhead is trivial.
If you're hitting the SPF lookup limit or trying to figure out how to combine multiple providers cleanly, book a consultation. I do SPF audits and subdomain strategy for multi-ESP environments.
Sources
- RFC 7208 — SPF — IETF
- MXToolbox SPF lookup limit — MXToolbox
- Google Workspace SPF documentation — Google
- Microsoft 365 SPF setup — Microsoft
- SPF flattening explainer — EasyDMARC
v1.0 · May 2026
Frequently Asked Questions
Can I have multiple SPF records for one domain?
No. RFC 7208 specifies one SPF record per domain. Multiple records cause SPF to fail with a 'permerror' result. Combine all your sending providers into a single TXT record with multiple include: mechanisms. This is the most common SPF configuration mistake.
How do I combine SPF records for multiple ESPs?
Create one TXT record with all includes: `v=spf1 include:_spf.google.com include:sendgrid.net include:_spf.mailchimp.com ~all`. Order doesn't matter for lookups. Test with mxtoolbox.com SPF checker after publishing. Confirm the record resolves correctly with `dig TXT yourdomain.com`.
What's the SPF 10-lookup limit?
RFC 7208 limits SPF evaluation to 10 DNS lookups total (counting include, a, mx, ptr, exists mechanisms and any nested lookups). Exceed it and SPF returns 'permerror' and fails. Each include: counts as one, plus any includes inside that include. Track lookups with mxtoolbox SPF checker.
What is SPF flattening and when do I need it?
SPF flattening replaces include: mechanisms with the resolved IP addresses to reduce lookup count. Tools like EasyDMARC, dmarcian, and Scott Helme's SPF tools generate flattened records automatically. You need flattening when you hit 10+ lookups and can't remove a provider. Flattened records need re-flattening when included providers change their IPs.
How do I check my SPF record?
Use `dig TXT yourdomain.com` from the command line to view the raw record. Use mxtoolbox.com/spf.aspx or kitterman.com/spf/validate.html for syntax and lookup-count validation. Send a test message to mail-tester.com to confirm SPF passes in actual mail flow.
Want this handled for you?
Free 30-minute strategy call. Walk away with a plan either way.