Troubleshooting Guides

Fixing Duplicate or Conflicting SPF Records

Fix duplicate SPF records by merging senders into one valid SPF TXT record, removing old providers and avoiding SPF conflicts.

By CheckDomainHealth Editorial Team Reviewed by Dionis Ceban Updated Jun 28, 2026 8 min read Intermediate

Introduction

A domain may publish only one SPF TXT record. When two or more TXT records start with v=spf1, receiving mail servers may return PermError or evaluate SPF unpredictably.

Duplicate SPF records often appear after adding a new email provider, enabling hosting mail, migrating from one workspace to another, or copying DNS between panels without merging old and new values.

Quick answer

Quick answer

Find every TXT record containing v=spf1 on the domain, list all active sending services, merge their include and ip4 mechanisms into one SPF record with a single final all policy, delete the extra SPF TXT records, verify lookup count stays under 10, then test again with SPF Checker.

Duplicate SPF records explained

SPF is published as a single TXT record at the root domain (or the Return-Path domain). If DNS contains multiple v=spf1 records, receivers cannot reliably determine which policy applies.

  • Only one v=spf1 TXT record is valid per domain
  • Duplicate records often come from old providers left in DNS
  • Hosting panels may add a second SPF automatically
  • Google, Microsoft and SendGrid records must be merged, not duplicated
  • Conflicting -all and ~all in separate records is invalid
  • Merged records must still respect the 10 DNS lookup limit
  • SPF permerror can break DMARC when SPF alignment is required

Do not publish two SPF records and hope receivers pick the right one. Merge senders into one record instead.

Why this matters

Why this matters

Duplicate SPF records can cause authentication failures, DMARC failures, spam folder placement and rejected mail — even when each individual record looks correct.

Cleaning up SPF early also makes it easier to add new providers later without exceeding the lookup limit.

How to check for duplicate SPF

  1. Run SPF Checker on the sending domain.
  2. Use DNS Lookup to list all TXT records on the root domain.
  3. Count how many TXT answers begin with v=spf1.
  4. Note includes, ip4 entries and the final all mechanism in each record.
  5. List every service that actually sends mail for the domain.
  6. Check SPF lookup count after planning the merged record.
  7. Send a test message and inspect SPF results in headers.

Check for duplicate SPF records

Use SPF Checker to list TXT records, detect multiple v=spf1 entries and count DNS lookups.

Run SPF Check →

Common problems

Two v=spf1 TXT records on root domain

High

DNS publishes separate SPF records instead of one merged policy.

Next step: Merge mechanisms into a single TXT record and delete the duplicate.

Hosting panel added default SPF

High

cPanel, Plesk or similar added mail SPF while an existing provider record remains.

Next step: Disable the panel default or merge it into your main SPF record.

Old email provider SPF remains

High

A previous workspace or SMTP provider was removed from mail flow but not from DNS.

Next step: Remove unused includes from the merged SPF record.

Separate Google and SendGrid SPF records

High

Each provider supplied a full standalone SPF record instead of one combined record.

Next step: Combine include:_spf.google.com and include:sendgrid.net in one v=spf1 record.

SPF published on wrong hostname

Medium

SPF exists on www or a subdomain instead of the Return-Path domain.

Next step: Publish SPF on the domain checked during SMTP envelope authentication.

TXT record copied incorrectly

Medium

Quotes, spaces or line breaks broke the TXT value during manual copy.

Next step: Republish the record exactly as the provider documents it.

Too many includes after merge attempt

Medium

Merging providers pushed SPF past the 10 DNS lookup limit.

Next step: Remove unused includes and simplify nested mechanisms.

Conflicting -all and ~all policies

High

Separate records use different final policies, which is invalid when duplicated.

Next step: Choose one final all mechanism in the single merged record.

Multiple DNS providers out of sync

Medium

An old DNS panel still publishes a second SPF record publicly.

Next step: Confirm authoritative nameservers and edit DNS only at the live provider.

DMARC fails after SPF cleanup needed

Medium

Duplicate SPF caused permerror, so DMARC alignment through SPF fails.

Next step: Fix SPF first, then verify DMARC alignment with a test message.

How to fix

  1. Step 1: Find all TXT records with v=spf1

    Use DNS Lookup or SPF Checker to list every SPF TXT record on the domain.

  2. Step 2: Identify active sending services

    Document workspace mail, transactional providers, CRM, newsletters, forms and hosting mail that actually send.

  3. Step 3: Merge into one SPF record

    Combine required include and ip4 mechanisms into a single v=spf1 TXT record.

  4. Step 4: Remove duplicate SPF records

    Delete extra v=spf1 TXT records so only one remains in DNS.

  5. Step 5: Keep one final all mechanism

    End the record with a single ~all or -all policy. Do not mix duplicate final policies.

  6. Step 6: Check the 10 lookup limit

    Verify merged SPF stays under 10 DNS lookups with SPF Checker.

  7. Step 7: Test SPF again

    Send a test message and confirm headers show spf=pass or the expected result.

  8. Step 8: Check DMARC alignment

    After SPF is valid, confirm DMARC passes with aligned SPF or DKIM.

Examples

Bad vs good SPF records
Bad — two SPF records:
example.com TXT "v=spf1 include:_spf.google.com ~all"
example.com TXT "v=spf1 include:sendgrid.net ~all"

Good — one merged record:
example.com TXT "v=spf1 include:_spf.google.com include:sendgrid.net ~all"

Use exact include values from your providers. Examples are illustrative and provider hostnames may differ.

Frequently asked questions

Can a domain have more than one SPF record?

No. RFC 7208 allows only one SPF record per domain. Multiple v=spf1 TXT records usually cause PermError or unpredictable results.

How do I find duplicate SPF records?

Query all TXT records on the root domain and count how many begin with v=spf1. SPF Checker and DNS Lookup both help.

Should I delete the old SPF record or merge it?

Merge active senders into one record, then delete the duplicates. Never leave two separate v=spf1 TXT records.

What if Google and SendGrid each gave me a full SPF record?

Combine their include mechanisms into one record with a single final all policy, such as ~all or -all.

Does duplicate SPF affect DMARC?

Yes. SPF may fail or return permerror, which can cause DMARC to fail when SPF is the aligned mechanism.

Can hosting panels create duplicate SPF automatically?

Yes. Some panels add a default SPF when you enable mail, which can duplicate an existing record from another provider.

How do I stay under the 10 lookup limit after merging?

Remove unused includes, avoid unnecessary a, mx and ptr mechanisms, and test lookup count with SPF Checker after merging.

Use these free tools to verify your configuration after applying changes.

Browse all Troubleshooting guides →

Need help applying this fix?

Send us your domain, report link or issue details. CheckDomainHealth will review the request and route it to the right technical team if hands-on support is needed.

Get Help Run Domain Health Check

Was this guide helpful?

Your feedback helps us improve our guides for everyone.