When setting up SPF records for your domain, a common question is how to handle more than one SPF record being in place at the same time. This post aims to clear up that confusion.
If two separate SPF records are set up in a domain, one for Google and one for Customer.io, you may be uncertain whether it's necessary to unify them into a single SPF record.
This is a valid concern: the SPF specification does state that SPF is only valid if there is a single record per domain and that record has fewer than 10 lookups. That is true; however, by "per domain" the specification treats the root domain and each individual subdomain as separate entities.
So, by storing the Customer.io SPF record in a subdomain, you have a valid SPF record that does not interfere or conflict with the existing SPF record at your domain root. From the perspective of SPF these are separate entities, and the lookup count applies only to how many lookups you have in a single given record.
This article from DMARCLY is a great resource that highlights what I've mentioned here, but presents it from the perspective of how a specific department of a company may use a subdomain to authenticate just the email services they need, while other departments may have their own subdomains for their email-based tools. As long as each subdomain meets the SPF requirements of not having more than one record present at that subdomain, and not exceeding 10 lookups, the record is valid.
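The two per-hostname rules described above can be checked offline against a zone export. The following is an added example, not code from Customer.io or the DMARCLY article; the hostnames, the `cio` label and `spf.esp.example` are constructed placeholders.

```python
import re

# Terms that trigger a DNS query when SPF is evaluated (RFC 7208, section 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def spf_records(txt_values):
    """Return only the TXT strings that are SPF records (start with v=spf1)."""
    return [t for t in txt_values if t.lower().split(" ")[0] == "v=spf1"]

def lookup_terms(record):
    """List the terms in one record that each cost a DNS lookup."""
    found = []
    for term in record.split()[1:]:
        # Drop the qualifier (+ - ~ ?) and anything after : / = to get the name.
        name = re.split(r"[:/=]", term.lstrip("+-~?"), maxsplit=1)[0].lower()
        if name in LOOKUP_TERMS:
            found.append(term)
    return found

def check_zone(zone, limit=10):
    """Apply both rules to each hostname on its own; returns (status, count)."""
    report = {}
    for host, txt_values in zone.items():
        records = spf_records(txt_values)
        if len(records) != 1:
            report[host] = ("none" if not records else "multiple", len(records))
            continue
        # Counts terms written in this record only; lookups made while
        # evaluating an included record also count and need live DNS to total.
        n = len(lookup_terms(records[0]))
        report[host] = ("ok" if n <= limit else "too_many_lookups", n)
    return report

# Constructed sample data (placeholders, not values from the article).
ZONE = {
    "example.com": ["v=spf1 include:_spf.google.com ~all", "site-verification=constructed"],
    "cio.example.com": ["v=spf1 include:spf.esp.example ~all"],
    "two-records.example.com": ["v=spf1 include:_spf.google.com ~all",
                                "v=spf1 include:spf.esp.example ~all"],
    "heavy.example.com": ["v=spf1 " + " ".join(f"include:s{i}.example" for i in range(11)) + " -all"],
}

if __name__ == "__main__":
    for host, (status, count) in check_zone(ZONE).items():
        print(f"{host:26} {status:18} {count}")
```

The root and the `cio` subdomain each pass on their own, while the hostname carrying both records fails even though each record is individually well formed.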