Fixing Duplicate or Conflicting SPF Records
Fix duplicate SPF records by merging senders into one valid SPF TXT record, removing old providers and avoiding SPF conflicts.
Introduction
A domain may publish only one SPF TXT record. When two or more TXT records start with v=spf1, receiving mail servers may return PermError or evaluate SPF unpredictably.
Duplicate SPF records often appear after adding a new email provider, enabling hosting mail, migrating from one workspace to another, or copying DNS between panels without merging old and new values.
Quick answer
Find every TXT record containing v=spf1 on the domain, list all active sending services, merge their include and ip4 mechanisms into one SPF record with a single final all policy, delete the extra SPF TXT records, verify lookup count stays under 10, then test again with SPF Checker.
Duplicate SPF records explained
SPF is published as a single TXT record at the root domain (or the Return-Path domain). If DNS contains multiple v=spf1 records, receivers cannot reliably determine which policy applies.
- Only one v=spf1 TXT record is valid per domain
- Duplicate records often come from old providers left in DNS
- Hosting panels may add a second SPF automatically
- Google, Microsoft and SendGrid records must be merged, not duplicated
- Conflicting -all and ~all in separate records is invalid
- Merged records must still respect the 10 DNS lookup limit
- SPF permerror can break DMARC when SPF alignment is required
Do not publish two SPF records and hope receivers pick the right one. Merge senders into one record instead.
Why this matters
Duplicate SPF records can cause authentication failures, DMARC failures, spam folder placement and rejected mail — even when each individual record looks correct.
Cleaning up SPF early also makes it easier to add new providers later without exceeding the lookup limit.
How to check for duplicate SPF
- Run SPF Checker on the sending domain.
- Use DNS Lookup to list all TXT records on the root domain.
- Count how many TXT answers begin with v=spf1.
- Note includes, ip4 entries and the final all mechanism in each record.
- List every service that actually sends mail for the domain.
- Check SPF lookup count after planning the merged record.
- Send a test message and inspect SPF results in headers.
Check for duplicate SPF records
Use SPF Checker to list TXT records, detect multiple v=spf1 entries and count DNS lookups.
Common problems
Two v=spf1 TXT records on root domain
HighDNS publishes separate SPF records instead of one merged policy.
Next step: Merge mechanisms into a single TXT record and delete the duplicate.
Hosting panel added default SPF
HighcPanel, Plesk or similar added mail SPF while an existing provider record remains.
Next step: Disable the panel default or merge it into your main SPF record.
Old email provider SPF remains
HighA previous workspace or SMTP provider was removed from mail flow but not from DNS.
Next step: Remove unused includes from the merged SPF record.
Separate Google and SendGrid SPF records
HighEach provider supplied a full standalone SPF record instead of one combined record.
Next step: Combine include:_spf.google.com and include:sendgrid.net in one v=spf1 record.
SPF published on wrong hostname
MediumSPF exists on www or a subdomain instead of the Return-Path domain.
Next step: Publish SPF on the domain checked during SMTP envelope authentication.
TXT record copied incorrectly
MediumQuotes, spaces or line breaks broke the TXT value during manual copy.
Next step: Republish the record exactly as the provider documents it.
Too many includes after merge attempt
MediumMerging providers pushed SPF past the 10 DNS lookup limit.
Next step: Remove unused includes and simplify nested mechanisms.
Conflicting -all and ~all policies
HighSeparate records use different final policies, which is invalid when duplicated.
Next step: Choose one final all mechanism in the single merged record.
Multiple DNS providers out of sync
MediumAn old DNS panel still publishes a second SPF record publicly.
Next step: Confirm authoritative nameservers and edit DNS only at the live provider.
DMARC fails after SPF cleanup needed
MediumDuplicate SPF caused permerror, so DMARC alignment through SPF fails.
Next step: Fix SPF first, then verify DMARC alignment with a test message.
How to fix
-
Step 1: Find all TXT records with v=spf1
Use DNS Lookup or SPF Checker to list every SPF TXT record on the domain.
-
Step 2: Identify active sending services
Document workspace mail, transactional providers, CRM, newsletters, forms and hosting mail that actually send.
-
Step 3: Merge into one SPF record
Combine required include and ip4 mechanisms into a single v=spf1 TXT record.
-
Step 4: Remove duplicate SPF records
Delete extra v=spf1 TXT records so only one remains in DNS.
-
Step 5: Keep one final all mechanism
End the record with a single ~all or -all policy. Do not mix duplicate final policies.
-
Step 6: Check the 10 lookup limit
Verify merged SPF stays under 10 DNS lookups with SPF Checker.
-
Step 7: Test SPF again
Send a test message and confirm headers show spf=pass or the expected result.
-
Step 8: Check DMARC alignment
After SPF is valid, confirm DMARC passes with aligned SPF or DKIM.
Examples
Bad — two SPF records:
example.com TXT "v=spf1 include:_spf.google.com ~all"
example.com TXT "v=spf1 include:sendgrid.net ~all"
Good — one merged record:
example.com TXT "v=spf1 include:_spf.google.com include:sendgrid.net ~all"
Use exact include values from your providers. Examples are illustrative and provider hostnames may differ.
Frequently asked questions
Can a domain have more than one SPF record?
No. RFC 7208 allows only one SPF record per domain. Multiple v=spf1 TXT records usually cause PermError or unpredictable results.
How do I find duplicate SPF records?
Query all TXT records on the root domain and count how many begin with v=spf1. SPF Checker and DNS Lookup both help.
Should I delete the old SPF record or merge it?
Merge active senders into one record, then delete the duplicates. Never leave two separate v=spf1 TXT records.
What if Google and SendGrid each gave me a full SPF record?
Combine their include mechanisms into one record with a single final all policy, such as ~all or -all.
Does duplicate SPF affect DMARC?
Yes. SPF may fail or return permerror, which can cause DMARC to fail when SPF is the aligned mechanism.
Can hosting panels create duplicate SPF automatically?
Yes. Some panels add a default SPF when you enable mail, which can duplicate an existing record from another provider.
How do I stay under the 10 lookup limit after merging?
Remove unused includes, avoid unnecessary a, mx and ptr mechanisms, and test lookup count with SPF Checker after merging.
Related tools
Use these free tools to verify your configuration after applying changes.
Related guides
Browse all Troubleshooting guides →Need help applying this fix?
Send us your domain, report link or issue details. CheckDomainHealth will review the request and route it to the right technical team if hands-on support is needed.
Was this guide helpful?
Your feedback helps us improve our guides for everyone.
Thanks for your feedback!