Having more than one SPF record
If you publish two TXT records with v=spf1, receivers discard both as invalid.
How to fix it: Consolidate into a single record with all the necessary includes.
Sender Policy Framework
Sender Policy Framework is the DNS record that tells receiving servers which IPs and servers are allowed to send mail using your domain in the sender address. Without a properly configured SPF, your campaigns end up in spam or get rejected.
SPF (Sender Policy Framework) is an open standard defined in RFC 7208. It works like an allowlist: you publish in your domain's DNS which servers are authorized to send mail on your behalf.
When Gmail, Outlook, or any receiving server gets a mail with sender "@yourdomain.com", it checks the domain's SPF record. If the sending server's IP is on the list, the mail passes SPF verification. If not, it's treated as suspicious.
Without SPF, anyone can forge your sender address (spoofing). With a misconfigured SPF, your legitimate mail lands in spam.
Real example
v=spf1 include:_spf.arrobamail.com ~all
v=spf1Version
Indicates this is an SPF version 1 record. Mandatory at the start.
include:_spf.arrobamail.comInclude mechanism
Imports arrobaMail's authorized servers. You can have several includes (one per provider that sends on your behalf).
~allPolicy
~all = softfail (mark as suspicious). -all = hardfail (reject). ?all = neutral. Start with ~all and move to -all once you're confident.
Steps in order. Skipping one usually leads to problems that take days to diagnose.
List each tool that sends email using your domain: your marketing platform (arrobaMail), Google Workspace, Microsoft 365, CRM, ticketing system, transactional senders, etc.
Tip: If you forget one, its mail will fail SPF.
Each platform publishes its own include. arrobaMail's is include:_spf.arrobamail.com. Google's is include:_spf.google.com. Outlook's is include:spf.protection.outlook.com.
Your domain must have exactly one SPF record (not multiple). Combine all includes into a single line: v=spf1 include:_spf.arrobamail.com include:_spf.google.com ~all.
Tip: Having two SPF records is a very common mistake that invalidates authentication.
In your DNS provider (Cloudflare, GoDaddy, Route53, etc.) create a TXT record with Name = @ (or your root domain) and Value = the SPF string you built.
Propagation can take anywhere from minutes to 24 hours. Use the verification tools from the next step to confirm it's active and error-free.
If you publish two TXT records with v=spf1, receivers discard both as invalid.
How to fix it: Consolidate into a single record with all the necessary includes.
SPF has a hard limit of 10 lookups (each include counts as one or more). Exceeding it causes a permerror.
How to fix it: Audit your includes and remove providers you no longer use. If you're still over 10, use manual flattening or SPF flattener tools.
A record without ~all or -all implicitly defaults to ?all (neutral), leaving the door open to spoofing.
How to fix it: Always close with ~all (safe initial mode) and move to -all once you confirm all your sends pass.
If you jump straight to -all with incomplete includes, your legitimate mail will be rejected with no chance of review.
How to fix it: Start with ~all, monitor DMARC reports for a few weeks, and only then move to -all.
Three ways to check — from your terminal or online tools. If all of them return OK, you're done.
Linux/Mac terminal
dig TXT tudominio.com +short
Returns the SPF string if it's published.
Windows PowerShell
Resolve-DnsName -Type TXT tudominio.com
Lists the TXT records, including the SPF one.
Online
mxtoolbox.com/spf.aspx
Full analysis with error and warning detection.
How arrobaMail handles it
At arrobaMail we help you configure SPF step by step from the dashboard: we give you the exact include, validate the syntax of the record you want to publish, and monitor verification once it's active.
No. Only one SPF record (a single TXT with v=spf1) is allowed per domain. Having two invalidates authentication. What you can have is multiple includes within that single record.
Not automatically. Each subdomain can have its own SPF. If you don't set one, behavior depends on the receiver — some consider the root domain's SPF, others treat it as having no policy. The safest approach is to publish SPF on subdomains you send from too.
It depends on your DNS's TTL. For most providers it's between 5 minutes and 4 hours. In extreme cases, up to 24-48 hours. Cloudflare usually propagates in under 5 minutes.
If you have ~all, receivers flag it as suspicious (it may land in spam). If you have -all, they reject it outright. That's why it's crucial to list every legitimate service before moving to -all.
No. They're complementary. SPF authenticates the sending server. DKIM authenticates the message content with a cryptographic signature. DMARC combines both and enforces a policy. Ideally, you have all three in place.
DomainKeys Identified Mail
Firma criptográfica que prueba autenticidad e integridad del mensaje.
Read guideDomain-based Message Authentication
Política y reportes sobre lo que pasa cuando SPF o DKIM fallan.
Read guideCalentamiento de dominio e IP
Aumento gradual del volumen para construir reputación buena.
Read guideFree plan, AI generations included, no credit card required — and real support from a real team.