The 1-record rule: why your domain can only have one SPF

The single most common cold-email deliverability bug: two SPF records on the same domain. Here is why it breaks SPF entirely.

Rejwan Nirob · Mar 22, 2026 · 4 min read

Every week we onboard a domain with two SPF records. Sometimes three. The senders are convinced everything is fine because their email is "going through." It is not. SPF has failed silently the entire time.

What the spec says

RFC 7208 is unambiguous. A domain MUST have at most one SPF record. If two records exist, the receiving server MUST treat the SPF check as PermError - the same outcome as if no SPF existed at all. PermError is not a friendly state. It tanks DMARC alignment, and most modern receivers treat it as a strong negative signal.

How it usually happens

A team adds Google Workspace to a domain. The wizard suggests an SPF record. Done. Six months later, marketing adds Mailchimp. The Mailchimp setup wizard suggests a different SPF record. Both records get published. Now the domain has two TXT records starting with v=spf1, and SPF has silently broken.

The fix: merge, do not append

  • Combine all sending sources into a single SPF record
  • Order by likelihood - most common sender first
  • Stay under 10 DNS lookups (the SPF maximum) - use ip4: and ip6: directly when you can
  • End with a single qualifier - ~all is the safe default for cold email

How Inboxlee prevents this

When you bring an existing domain, Inboxlee scans for conflicting SPF records before connecting any mailbox. If two are detected, the wizard refuses to proceed until they are merged.

Frequently asked

Can a domain have two SPF records?

No. RFC 7208 is unambiguous: a domain may have at most one SPF record. If two exist, the receiving server treats SPF as PermError - the same outcome as if no SPF existed at all. PermError tanks DMARC alignment and most modern receivers treat it as a strong negative signal.

How do I merge two SPF records into one?

Combine all sending sources into a single record using includes, like v=spf1 include:_spf.google.com include:sendgrid.net include:mailgun.org ~all. Delete the duplicate records from DNS. Keep total DNS lookups under 10 (the SPF spec maximum) - use ip4: and ip6: directly when possible.
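
The merge described in "The fix: merge, do not append" and in the answer above, as an added Python example (not Inboxlee's code): it takes the TXT strings already fetched for a domain, flags the multi-record case, merges the records, and counts top-level lookup terms. The TXT strings are constructed sample data, the function names are hypothetical, and each TXT value is assumed to be passed unquoted as a single string.

```python
# Added example. TXT strings below are constructed sample data, not live DNS answers.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists"}  # mechanisms that cost a DNS lookup

def spf_records(txt_records):
    """Keep only TXT strings that are SPF records: 'v=spf1' alone or followed by a space."""
    return [t.strip() for t in txt_records
            if t.strip().lower() == "v=spf1" or t.strip().lower().startswith("v=spf1 ")]

def has_conflict(txt_records):
    """True when the domain publishes more than one SPF record (the PermError case)."""
    return len(spf_records(txt_records)) > 1

def merge(txt_records, final="~all"):
    """Merge every SPF record into one: terms de-duplicated in first-seen order, one 'all'."""
    terms, seen = [], set()
    for record in spf_records(txt_records):
        for term in record.split()[1:]:
            bare = term.lstrip("+-~?").lower()
            if bare.startswith("redirect="):
                raise ValueError("redirect= cannot be merged automatically: " + record)
            if bare == "all" or term.lower() in seen:
                continue  # drop each record's own 'all' and exact duplicates
            seen.add(term.lower())
            terms.append(term)
    return " ".join(["v=spf1", *terms, final])

def lookup_count(record):
    """Count top-level terms that trigger a DNS lookup. Lookups made inside an
    include: target also count toward the limit and are not resolved here."""
    count = 0
    for term in record.split()[1:]:
        bare = term.lstrip("+-~?").lower()
        name = bare.split(":")[0].split("/")[0]
        if name in LOOKUP_TERMS or bare.startswith("redirect="):
            count += 1
    return count

SAMPLE_TXT = [  # constructed zone contents for a hypothetical domain
    "v=spf1 include:_spf.google.com ~all",
    "v=spf1 include:sendgrid.net include:mailgun.org -all",
    "v=spf10 include:not-spf.example",             # not SPF: version tag must be exactly v=spf1
    "site-verification=constructed-placeholder",   # unrelated TXT record
]

if __name__ == "__main__":
    print("conflict:", has_conflict(SAMPLE_TXT))
    merged = merge(SAMPLE_TXT)
    print(merged, "| top-level lookups:", lookup_count(merged))
```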

Why does SPF silently break instead of failing loudly?

Because the email "goes through" at SMTP regardless. The receiving server accepts the message and then quietly flags it as PermError during DMARC evaluation. Your dashboard shows green; your inbox-placement chart shows decline. The only way to see SPF PermError is to read your DMARC aggregate reports.

How does Inboxlee handle existing SPF conflicts?

When you bring an existing domain, Inboxlee scans for conflicting SPF records before connecting any mailbox. If two or more SPF TXT records are detected, the wizard refuses to proceed and shows you which records to merge. No mailbox gets provisioned on a broken-SPF domain.
