How to Create One SPF Record for Multiple Email Providers
Learn how to combine multiple email providers into a single SPF record without hitting the 10 DNS lookup limit. Step-by-step guide with real examples.
Most businesses don't send email from just one place. You have Google Workspace for team email, SendGrid for transactional messages, Mailchimp for marketing campaigns -- and maybe a helpdesk tool on top of that. Each one needs to be authorized in your SPF record, and they all have to fit inside a single TXT record without exceeding the 10 DNS lookup limit.
This guide walks you through the practical process of combining multiple email service providers into one clean SPF record. If you're wondering why you can only have one SPF record, read our guide on multiple SPF records. This article focuses on the how -- specifically, how to manage many providers without breaking things.
The One-Record Rule
Per RFC 7208, a domain may publish only one SPF record, that is, one TXT record starting with v=spf1. Other TXT records on the same name are fine. If a receiving mail server finds two records starting with v=spf1, SPF evaluation returns a permerror and neither record is applied. That means you can't create separate SPF records for each provider. Everything goes into a single record using include mechanisms.
A combined record looks like this:
v=spf1 include:_spf.google.com include:sendgrid.net include:spf.mandrillapp.com -all
Each include tells receiving servers to check that provider's SPF record for authorized IP addresses. The -all at the end says "reject anything not covered by these includes."
How Many DNS Lookups Each Provider Costs
Every include mechanism triggers at least one DNS lookup, and many providers have nested includes that count against your 10-lookup limit too. Here's what common providers actually cost:
| Provider | Include Value | Est. DNS Lookups |
|---|---|---|
| Google Workspace | include:_spf.google.com | 3-4 |
| Microsoft 365 | include:spf.protection.outlook.com | 2-3 |
| SendGrid | include:sendgrid.net | 1-2 |
| Mailchimp (Mandrill) | include:spf.mandrillapp.com | 1-2 |
| Amazon SES | include:amazonses.com | 1 |
| Postmark | include:spf.mtasv.net | 1 |
| Mailgun | include:mailgun.org | 1-2 |
| Klaviyo | include:spf.klaviyo.com | 1-2 |
| Zendesk | include:mail.zendesk.com | 1-2 |
| HubSpot | include:spf.hubspot.com | 1 |
Google Workspace alone uses 3-4 lookups because _spf.google.com contains nested includes for multiple Google IP ranges. Pairing Google with Microsoft can consume 6-7 of your 10 lookups before you've added a single marketing or transactional tool.
Step-by-Step: Combining Multiple Providers
List every service that sends email from your domain
Go through your organization and identify every tool, platform, or server that sends email using your domain. Don't forget support desks, CRM tools, invoicing software, and automated notifications. Each one needs to be in your SPF record.
Find the SPF include for each provider
Check each provider's documentation for their recommended SPF include. Or use the free SPF record generator -- select your providers from the list and it builds the correct record automatically.
Count your total DNS lookups
Add up the estimated lookups from the table above. If you're at or below 10, you can combine everything into one record. If you're over, you need a strategy (covered in the next section).
Build your combined SPF record
Start with v=spf1, add each provider's include mechanism, and end with -all. Make sure you have exactly one record -- not separate records for each provider.
Publish and verify
Update your DNS TXT record with the combined value. After propagation, use SPF Record Check to verify the record is valid and count your actual lookups.
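The count-and-verify steps above can be checked mechanically. This is an added example, not code from the original article or from any provider: it counts the worst-case DNS-querying terms across nested includes and enforces the one-record rule. The zone data and every domain name in it are constructed; a real check would query live DNS instead of the ZONE dictionary.

```python
import re

LOOKUP_LIMIT = 10  # RFC 7208 cap on DNS-querying terms per SPF evaluation

# Constructed TXT data standing in for live DNS; every name here is hypothetical.
ZONE = {
    "example.com": ["v=spf1 include:_spf.mail-a.example include:spf.tx-b.example mx -all",
                    "some-site-verification=abc123"],  # non-SPF TXT records are ignored
    "_spf.mail-a.example": ["v=spf1 include:_nb1.mail-a.example include:_nb2.mail-a.example ~all"],
    "_nb1.mail-a.example": ["v=spf1 ip4:192.0.2.0/24 ~all"],
    "_nb2.mail-a.example": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    "spf.tx-b.example": ["v=spf1 ip4:203.0.113.0/24 ~all"],
    "two-records.example": ["v=spf1 include:spf.tx-b.example -all", "v=spf1 mx -all"],
}
# A sender stack that is too large: 11 flat includes.
ZONE["big.example"] = ["v=spf1 " + " ".join(f"include:p{i}.example" for i in range(11)) + " -all"]
ZONE.update({f"p{i}.example": ["v=spf1 ip4:192.0.2.1 -all"] for i in range(11)})


class PermError(Exception):
    """Raised where an SPF evaluator would return permerror."""


def spf_record(domain, zone):
    """Return the single v=spf1 record; several (or none on an include target) is a permerror."""
    found = [t for t in zone.get(domain, []) if t.lower().split(" ")[0] == "v=spf1"]
    if len(found) != 1:
        raise PermError(f"{domain}: expected 1 SPF record, found {len(found)}")
    return found[0]


def count_lookups(domain, zone, path=()):
    """Worst-case count of DNS-querying terms, following nested includes."""
    if domain in path:
        raise PermError(f"include loop at {domain}")
    total = 0
    for term in spf_record(domain, zone).split()[1:]:
        name, target = re.match(r"([a-z0-9]+)(?:[:=]([^/]+))?", term.lstrip("+-~?").lower()).groups()
        if name in ("include", "redirect"):
            total += 1 + count_lookups(target, zone, path + (domain,))
        elif name in ("a", "mx", "ptr", "exists"):
            total += 1  # ip4, ip6 and all cost nothing
    return total


def audit(domain, zone=ZONE):
    """Return (lookups, within_limit) for a domain's published record."""
    n = count_lookups(domain, zone)
    return n, n <= LOOKUP_LIMIT
```

Here `audit("example.com")` returns `(5, True)`: two top-level includes, two nested includes, and one `mx`. The 11-include record for `big.example` returns `(11, False)`.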
Real-World Combination Examples
Here are common multi-provider setups with their estimated lookup counts:
Small business (3 providers, ~6 lookups):
v=spf1 include:_spf.google.com include:spf.mandrillapp.com include:spf.mtasv.net -all
Google Workspace for team email, Mailchimp for marketing, Postmark for transactional.
Mid-size company (4 providers, ~8 lookups):
v=spf1 include:_spf.google.com include:sendgrid.net include:spf.mandrillapp.com include:mail.zendesk.com -all
Google Workspace, SendGrid for transactional, Mailchimp for marketing, Zendesk for support.
Enterprise stack (pushing the limit, ~9-10 lookups):
v=spf1 include:spf.protection.outlook.com include:sendgrid.net include:spf.mandrillapp.com include:spf.hubspot.com include:mail.zendesk.com -all
Microsoft 365, SendGrid, Mailchimp, HubSpot, and Zendesk. This is right at the edge of the 10-lookup limit.
What to Do When You're Over 10 Lookups
If your combined providers exceed 10 DNS lookups, you have several options:
Use subdomains for different email streams. Move marketing email to marketing.yourdomain.com and transactional email to mail.yourdomain.com. Each subdomain gets its own SPF record with its own 10-lookup budget. This is the cleanest solution and the one most email experts recommend. See our guide on SPF records for subdomains.
Replace includes with direct IP addresses. If a provider sends from a small, stable set of IP addresses, you can use ip4 mechanisms instead of include. IP mechanisms don't count toward the lookup limit. The downside is that if the provider changes their IPs, your record breaks silently.
Consider SPF flattening. Flattening resolves all includes into their underlying IP addresses. It eliminates lookups entirely but requires regular maintenance since provider IPs change. Read our SPF flattening guide to understand the trade-offs.
Remove providers you no longer use. It's common to find includes for services you cancelled months ago. Audit your record and strip out anything that's no longer actively sending email from your domain.
The subdomain approach is the most future-proof strategy. It gives each email stream its own SPF record, makes troubleshooting easier, and avoids the maintenance headaches of flattening.
Complement SPF With DKIM and DMARC
SPF tells receiving servers which providers can send on your behalf, but it's only one piece of email authentication. Google's sender guidelines require SPF, DKIM, and DMARC for bulk senders. Set up DKIM to cryptographically sign your messages and DMARC to tell receivers what to do when authentication fails. Together, the three protocols provide comprehensive protection against email spoofing.
Keep Your Record Maintained
Your SPF record isn't a set-it-and-forget-it configuration. Every time you add or remove an email provider, your SPF record needs to be updated. Set a quarterly reminder to audit your record -- check that every include is still needed and that your lookup count hasn't crept over the limit. Use SPF Record Check to verify your record stays healthy over time.