A-R53-2

MX Records with Multiple Corresponding SPF Records

Risk:
Moderate

RFC 7208 requires that a domain publish a single SPF record for SPF validation. If more than one is published, receiving servers disregard the SPF check for that domain.


Details

The Sender Policy Framework (SPF) is a system designed to specify which email services or servers are authorized to send email on behalf of your domain. At its core, SPF requires a TXT record hosted on your DNS servers that lists the email service providers and servers allowed to send email for your domain.

When other email servers receive an email claiming to be from your domain, they can check your SPF record to verify whether the email originated from an authorized server listed in that record. If the sending server is not included in the SPF record, the email should be treated as spam, providing a layer of protection against domain spoofing and guarding the reputation of your domain.

SPF is a standardized framework with strict rules, ensuring that email servers worldwide know precisely what to look for and what a valid SPF record should contain. A key requirement of the SPF framework is that there should be only one SPF record per domain. If there are multiple records, email servers may ignore all of them or use only one, potentially rendering your SPF implementation ineffective. The SPF standard (RFC 7208) states that multiple SPF records MUST NOT be provisioned, so creating multiple SPF records is a standards violation.

Remediation

To resolve the issue of multiple SPF records, review your DNS TXT records to check for duplicates. If you find multiple SPF records, investigate to identify which records are legitimate. It is possible that some SPF records are outdated and have not been removed, so it is essential to establish which record is correct.

If you have multiple SPF records, or if various email service providers or servers have each created their own SPF record, you will need to consolidate them into a single SPF entry. This is typically done by merging the valid entries into one comprehensive record that lists all authorized email sources. To detect domains with invalid SPF records and receive the appropriate corrective action, including help consolidating your records into a valid format, book a SkySiege Cloud Assessment:
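As an added example (not part of this finding or of SkySiege's tooling), the following Python reproduces the receiver's record-selection step over a constructed TXT record set and merges the duplicate SPF records into one; the domain names and addresses are hypothetical.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample TXT record set for a zone apex (hypothetical names, not real data).
SAMPLE_TXT_RECORDS = [
    "google-site-verification=abc123",             # unrelated TXT record, ignored
    "v=spf1 include:_spf.example-mail.net ~all",   # record left by a mail provider
    "v=spf1 ip4:203.0.113.10 mx -all",             # record added by the mail admin
    "v=spf1 include:_spf.example-mail.net a ?all", # stale duplicate of the first
]

# RFC 7208 section 4.5: only records beginning with the version tag "v=spf1",
# followed by a space or the end of the string, are selected as SPF records.
SPF_VERSION = re.compile(r"^v=spf1(?:\s|$)")
# Terms that each count toward the 10-DNS-lookup limit of RFC 7208 section 4.6.4.
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists)(?:[:/]|$)|^redirect=", re.IGNORECASE)
# Ordering used to keep the strictest "all" qualifier when the records disagree.
STRICTNESS = {"-": 3, "~": 2, "?": 1, "+": 0}

def spf_records(txt_records: List[str]) -> List[str]:
    """Return the TXT records a receiver would select as SPF records."""
    return [r for r in txt_records if SPF_VERSION.match(r)]

def record_selection_result(txt_records: List[str]) -> str:
    """Mimic the selection step of check_host(): 'none' with no SPF record,
    'ok' with exactly one, 'permerror' with more than one (this finding)."""
    n = len(spf_records(txt_records))
    return "none" if n == 0 else "ok" if n == 1 else "permerror"

def consolidate(txt_records: List[str]) -> Tuple[str, int]:
    """Merge all SPF records into one: keep term order, drop case-insensitive
    duplicates, and finish with a single 'all' using the strictest qualifier seen.
    Also return the DNS lookup count so the merged record can be checked against 10."""
    terms: List[str] = []
    strictest: Optional[str] = None
    for rec in spf_records(txt_records):
        for term in rec.split()[1:]:  # skip the version tag
            if term.lower().lstrip("+-~?") == "all":
                qual = term[0] if term[0] in STRICTNESS else "+"  # bare "all" means "+all"
                if strictest is None or STRICTNESS[qual] > STRICTNESS[strictest]:
                    strictest = qual
            elif term.lower() not in (t.lower() for t in terms):
                terms.append(term)
    if strictest is not None:
        terms.append(strictest + "all")
    lookups = sum(1 for t in terms if LOOKUP_TERM.match(t))
    return "v=spf1 " + " ".join(terms), lookups

if __name__ == "__main__":
    print(record_selection_result(SAMPLE_TXT_RECORDS))  # permerror
    merged, lookups = consolidate(SAMPLE_TXT_RECORDS)
    print(merged, f"({lookups} DNS lookups)")
```

The merged record still has to be reviewed by a person: a stale record may authorize a sender that should no longer be listed, and the merge only removes duplicates, not obsolete sources.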

Discover if you're vulnerable

SkySiege Cloud Security Assessments scan for this issue and provide same-day reports.
Available for individual projects or organisations.
