Multiple SPF include mechanisms cause permerror

faker asked:

I’m currently using 2 providers to send e-Mails and one host which directly sends e-Mails.
Personal mails are sent via Google and application generated via a bulk e-mail provider.
Both are sent from the same domain (example.com).

Google specifies to use this record (“Create SPF records”):
v=spf1 include:_spf.google.com ~all

The other provider specifies:
v=spf1 include:spf.provider.com ?all

I created the following TXT record (ip4 value changed):
v=spf1 ip4:127.0.0.1 include:_spf.google.com include:spf.provider.com ?all

I have tested this by sending mails via both providers to a Googlemail address and it passes.
However the check-auth@verifier.port25.com service of port25.com reports (again hostnames/IPs changed):

Result:         permerror (multiple SPF records)
ID(s) verified: smtp.mailfrom=faker@example.com
DNS record(s):
    example.com. SPF (no records)
    example.com. 3600 IN TXT "v=spf1 ip4:127.0.0.1 include:_spf.google.com include:spf.provider.com ?all"
    example.com. 3600 IN TXT "google-site-verification=$hash$"
    _spf.google.com. SPF (no records)
    _spf.google.com. 300 IN TXT "v=spf1 ip4:216.239.32.0/19 ip4:64.233.160.0/19 ip4:66.249.80.0/20 ip4:72.14.192.0/18 ip4:209.85.128.0/17 ip4:66.102.0.0/20 ip4:74.125.0.0/16 ip4:64.18.0.0/20 ip4:207.126.144.0/20 ip4:173.194.0.0/16 ?all"
    spf.provider.com. SPF (no records)
    spf.provider.com. 3600 IN TXT "v=spf1 ip4:127.0.0.2 ~all"
    spf.provider.com. 3600 IN TXT "v=spf1 ip4:127.0.0.2 ~all"

Is this verifier correct with its conclusion?

My answer:


It’s hard to be sure, since you obscured the relevant details, but it appears that one of your providers has two SPF records in their DNS, which is not allowed.

You can validate your SPF records with the SPF Parser tool.


View the full question and answer on Server Fault.
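The check behind the verifier's "permerror (multiple SPF records)" result, as an added example that is not part of the original question or answer: it walks the include chain and flags any name that publishes more than one `v=spf1` TXT record, which RFC 7208 treats as a permerror that propagates up through `include`. The `ZONE` table is constructed from the anonymised report above and stands in for live DNS lookups; the function names are hypothetical, and `redirect=` and macros are not handled.

```python
# Constructed zone: TXT answers per name, mirroring the anonymised verifier
# report above (Google's ip4 list is shortened to its first entry).
ZONE = {
    "example.com": [
        "v=spf1 ip4:127.0.0.1 include:_spf.google.com include:spf.provider.com ?all",
        "google-site-verification=$hash$",
    ],
    "_spf.google.com": ["v=spf1 ip4:216.239.32.0/19 ?all"],
    "spf.provider.com": [
        "v=spf1 ip4:127.0.0.2 ~all",
        "v=spf1 ip4:127.0.0.2 ~all",
    ],
}


def spf_records(txt_records):
    """RFC 7208 section 4.5: only TXT records with version 'v=spf1' count."""
    return [r for r in txt_records
            if r.lower() == "v=spf1" or r.lower().startswith("v=spf1 ")]


def audit(domain, zone, path=()):
    """Follow include: terms from `domain`; return [(name, problem), ...]."""
    domain = domain.rstrip(".").lower()
    if domain in path:
        return [(domain, "include loop")]
    records = spf_records(zone.get(domain, []))
    if not records:
        return [(domain, "no SPF record")]
    if len(records) > 1:
        # More than one v=spf1 record at one name is a permerror, and a
        # permerror inside an include makes the including record fail too.
        return [(domain, "multiple SPF records")]
    problems = []
    for term in records[0].split()[1:]:
        mechanism = term.lstrip("+-~?").lower()
        if mechanism.startswith("include:"):
            target = mechanism[len("include:"):]
            problems += audit(target, zone, path + (domain,))
    return problems


if __name__ == "__main__":
    for name, problem in audit("example.com", ZONE):
        print(f"{name}: {problem}")
```

The unrelated `google-site-verification` TXT record at example.com is ignored by the version filter, so only the duplicated record at the included name is reported.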

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.