Email is the most important medium of communication for all types of businesses. Business communication cannot be imagined without email services, so email has to be secure and as reliable as possible. A few DNS records, such as DKIM, DMARC, and SPF, help make business email communication secure, and these configurations ultimately protect your business email from spam, phishing, spoofing, etc.
If you have ever configured a business email account, then you might also be familiar with the SPF DNS record. SPF (Sender Policy Framework) is crucial to ensure the legitimacy of your emails. It is an email authentication method that helps the receiving server verify that emails appearing to come from a specific domain are sent from a server authorised by the domain owner, and NOT from anywhere else, such as phishing or spoofing sites. You get the SPF record from your email service provider, and it is added to DNS as a TXT-type record. SPF also ensures that your messages are delivered correctly.
Adding one SPF record is straightforward: go to your DNS settings and add the SPF record as a new TXT-type record. It will start reflecting after a couple of minutes, or 24 hours in some scenarios. However, if you use different services for SMTP and email communications, you might need to add SPF for both service providers to avoid your email being flagged as spam.
For example, suppose you are using Google’s GSuite or Zoho Business email and want to use Mailgun to send email from your website or application. In this case, you need to enter the SPF records for both service providers.
How To Use Multiple SPF Records In A Domain?
There are a couple of ways to use multiple SPF records for your domain; one of them is merging the SPF records.
Now, let’s explore the step-by-step process of merging multiple SPF records to create a unified and efficient email authentication process. You need to be very careful while making changes to your DNS. To be on the safer side, consider exporting your DNS settings before making any changes. While merging the SPF records, avoid duplication and ensure that you retain all necessary information. Pay close attention to mechanisms such as ‘include’, ‘a’, and ‘mx’ that point to the authorized mail servers.
I am going to merge the SPF records of Google’s GSuite and Mailgun. The SPF record for Google’s GSuite is
v=spf1 include:_spf.google.com ~all
and the SPF record for Mailgun is
v=spf1 include:mailgun.org ~all
Now, before going further and merging them, let’s take a look at the key parts of an SPF record and what each one means.
- v – SPF record starts with v=spf1, it identifies the record as the first version of SPF
- a – Refers to the IP address of your domain (its A record).
- include – It tells the DNS to include this particular domain in the SPF setup of your domain. It allows emails to be authenticated through the same IPs allowed in the included domain.
- all – This mechanism defines how an email should be treated. Available qualifiers are as follows:
  - +all – “+” is the default prefix, so it can be omitted
  - ?all – Adding this rule acts as if there’s no SPF, so it’s NOT recommended
  - -all – If the email doesn’t comply with the set rules, it will be rejected and not delivered
  - ~all – If the email doesn’t comply with the set rules, it will be delivered but tagged as SoftFail.
Note: If one of the records (or both) contains an “mx” mechanism, it should appear only once in the merged record.
Now, let’s merge the SPF records of Google G-Suite and Mailgun. With the above-mentioned records, the final merged SPF record for G-Suite and Mailgun will be:
v=spf1 include:_spf.google.com include:mailgun.org ~all
You can also merge more than two SPF records. In fact, you can merge up to 10 SPF records, as long as you have only one declaration at the start and one enforcement rule at the end of the SPF record. Just be careful about the following points:
- You must format all SPF records in a single line.
- It can have a maximum of 10 domain lookups (i.e. include)
- The record must be less than 255 characters long.
For example:
v=spf1 include:zoho.in include:spf.smtp.com include:mailgun.org ~all
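The merge steps and limits described above can be automated. The following is an added example, not code from the original article: the function names are hypothetical, picking the strictest "all" qualifier when the inputs disagree is an assumption, and the lookup count covers only the merged record itself (nested lookups inside included domains would need live DNS queries).

```python
# Added example: merge SPF TXT values using the rules described on this page.
LOOKUP_MECHS = ("include", "a", "mx", "ptr", "exists")  # each costs a DNS lookup
STRICTNESS = "+?~-"  # "all" qualifiers ordered from weakest to strictest


def merge_spf(records):
    """Merge several SPF records into one 'v=spf1 ... <qualifier>all' string."""
    terms, all_qualifier = [], None
    for record in records:
        parts = record.split()
        if not parts or parts[0].lower() != "v=spf1":
            raise ValueError(f"not an SPF record: {record!r}")
        for term in parts[1:]:
            lowered = term.lower()
            if lowered.lstrip("+-~?") == "all":
                # No prefix means "+", the default qualifier.
                q = lowered[0] if lowered[0] in STRICTNESS else "+"
                # Assumption: when the inputs disagree, keep the strictest one.
                if all_qualifier is None or STRICTNESS.index(q) > STRICTNESS.index(all_qualifier):
                    all_qualifier = q
            elif lowered not in (t.lower() for t in terms):
                terms.append(term)  # de-duplicate, so "mx" appears only once
    if all_qualifier is None:
        raise ValueError("no 'all' mechanism found in any record")
    # One declaration at the start, one enforcement rule at the end.
    return " ".join(["v=spf1", *terms, f"{all_qualifier}all"])


def check_spf(record):
    """Return a list of problems, based on the limits listed on this page."""
    problems = []
    if "\n" in record:
        problems.append("record must be a single line")
    names = [t.lstrip("+-~?").split(":")[0].split("/")[0].lower()
             for t in record.split()[1:]]
    lookups = sum(1 for name in names if name in LOOKUP_MECHS)
    if lookups > 10:
        problems.append(f"{lookups} DNS lookups (maximum is 10)")
    if len(record) >= 255:
        problems.append(f"{len(record)} characters (must be under 255)")
    return problems


if __name__ == "__main__":
    merged = merge_spf(["v=spf1 include:_spf.google.com ~all",
                        "v=spf1 include:mailgun.org ~all"])
    print(merged, check_spf(merged))
```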