SPF record:
How many SPF records can be added for a single domain?
You can add one SPF record for your domain. You should not have multiple SPF records for a domain. If you do, SPF will encounter an error known as PermError.
An SPF record is like a special message for email servers, telling them which mail servers are allowed to send email on behalf of your domain or subdomain. The record must start with "v=spf1" so that email servers can recognize it as your SPF record.
When an SPF check is performed on a domain, the receiver looks for all TXT records that begin with "v=spf1":
-> If it finds no such record, the result is None (no SPF policy).
-> If there are multiple records with this prefix, the result is an error (PermError).
Having multiple TXT DNS entries that start with "v=spf1" will cause email servers to stop the SPF check process. As a result, SPF authentication will fail, and no servers will be authorized to send emails on behalf of your domain. Consequently, your messages will be rejected, leading to confusion while troubleshooting.
For instance, if there are two TXT records for yourdomain.com:
Record Type | Name           | Value                                | TTL
TXT         | yourdomain.com | v=spf1 include:_spf.google.com -all  | Default
TXT         | yourdomain.com | v=spf1 include:servers.mcsv.net -all | Default
Emails sent on behalf of yourdomain.com will not pass SPF authentication; they will fail with PermError.
Solution:
To fix this issue, you should create one SPF record that includes all the legitimate sending sources, as shown below:
Record Type: TXT
Name: yourdomain.com
Value: v=spf1 include:_spf.google.com include:servers.mcsv.net -all
TTL: Default
For SPF authentication to succeed, these conditions must be met:
1. Your domain should have only one SPF record.
2. The syntax of the SPF record must be correct.
3. The total number of DNS lookups should not exceed 10. If it does, consider using Safe SPF to resolve the problem.
Why you should avoid having multiple SPF records:
-> Multiple SPF records are not supported by the SPF specification. If you have multiple records, none of them will work, and your emails may get rejected by mail servers.
-> Detecting multiple SPF records can be challenging since there are no automatic alerts. Email delivery will silently fail on the recipient server.
-> Each SPF record may appear valid on its own, which can mislead inexperienced administrators. Multiple SPF records are still not supported, and DNS itself does nothing to prevent you from publishing more than one.
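As an added illustration (not part of the original article), the following Python models the receiver-side checks described above: selecting the "v=spf1" TXT records, returning None or PermError, counting the ten-lookup budget, and merging duplicate records into a single one. The TXT values are constructed for the example and no DNS queries are made.

```python
# Terms that each consume one of the 10 DNS lookups allowed by RFC 7208.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10

def is_spf(txt):
    """True only when the version tag is exactly v=spf1 (so v=spf10 does not match)."""
    t = txt.strip().lower()
    return t == "v=spf1" or t.startswith("v=spf1 ")

def term_name(term):
    """Mechanism/modifier name without qualifier, argument or CIDR: '-include:x' -> 'include'."""
    term = term.lstrip("+-~?")
    return term.split(":", 1)[0].split("=", 1)[0].split("/", 1)[0].lower()

def count_lookups(record):
    """Number of terms in one record that trigger a DNS query."""
    return sum(1 for t in record.split()[1:] if term_name(t) in LOOKUP_TERMS)

def check_spf(txt_records):
    """Mimic the receiver: 'none', 'permerror:multiple', 'permerror:lookups' or 'ok'."""
    spf = [r for r in txt_records if is_spf(r)]
    if not spf:
        return "none"
    if len(spf) > 1:
        return "permerror:multiple"
    if count_lookups(spf[0]) > MAX_LOOKUPS:
        return "permerror:lookups"
    return "ok"

def merge_spf(txt_records):
    """Fold every v=spf1 record into one: keep each non-'all' term once, in order,
    then close with the 'all' qualifier of the first record (default -all)."""
    terms, final = [], None
    for r in filter(is_spf, txt_records):
        for t in r.split()[1:]:
            if term_name(t) == "all":
                final = final or t
            elif t not in terms:
                terms.append(t)
    return " ".join(["v=spf1", *terms, final or "-all"])

# Constructed records for yourdomain.com, mirroring the table in the article.
BROKEN = [
    "v=spf1 include:_spf.google.com -all",
    "v=spf1 include:servers.mcsv.net -all",
    "google-site-verification=example",  # unrelated TXT record, ignored by SPF
]

if __name__ == "__main__":
    print(check_spf(BROKEN))                           # permerror:multiple
    fixed = merge_spf(BROKEN)
    print(fixed)                                       # v=spf1 include:_spf.google.com include:servers.mcsv.net -all
    print(check_spf([fixed]), count_lookups(fixed))    # ok 2
```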
DKIM record:
How many DKIM records can be added for a single domain?
You are allowed to have multiple DKIM records on your domain. Unlike DMARC or SPF, there is no fixed limit to the number of DKIM records you can configure for a domain as long as your DNS host permits it.
DKIM stands for DomainKeys Identified Mail, and it's a method to verify the authenticity of emails. It uses a digital signature to show that the email was sent and authorized by the domain owner.
To use DKIM, you create a DKIM record in your DNS, which contains a public key. This key is used by receiving mail servers to authenticate the DKIM signature of your emails.
Since spoofing emails from trusted domains is a growing cyber threat, it's essential to implement DKIM. Adding a DKIM record to your DNS is recommended as it helps authenticate emails from your domain.
There are some common reasons for setting up multiple DKIM records:
-> If you use multiple third-party email vendors for your communications, you'll need separate selectors and public-private key pairs for each vendor to activate DKIM authentication.
-> For added security, it's a good practice to rotate your DKIM keys periodically. This means changing or updating your keys from time to time, which is recommended by security experts.
How does DKIM work?
There are three main steps in the DKIM signing process:
1. The sender selects the fields they want to cover with the DKIM signature, such as the "From" address, the body, the subject, and others. These fields must remain unchanged during transit for successful DKIM authentication.
2. The sender's email platform creates a hash (a unique string of characters) from the selected fields and signs it with a private key that only the sender can access (the hash is encrypted so that only the matching public key can verify it).
3. When the email is sent, the recipient's email gateway or mailbox provider validates the DKIM signature by decrypting it with the corresponding public key published in the DKIM DNS record. It then generates its own hash of the email's fields and compares it with the decrypted hash. If they match, it confirms that the email was not altered during transit and that it was genuinely signed by the domain owner.
That's all.