Hi @Titus Tolbert (Sr. Dev Operation, Hoka corp)
Thank you for posting your question in Microsoft Q&A.
Based on your description, we understand that you are considering configuring multiple DKIM/SPF records on a specific domain. We are glad to assist you with this.
You can safely have multiple DKIM selectors for your domain. However, you cannot simply add a separate SPF record. Instead, you must merge Zoho's SPF details into your existing single SPF TXT record, because domains can only have one SPF TXT record (starting with "v=spf1"). Adding a second one (e.g., Zoho's "v=spf1 include:one.zoho.eu ~all") would cause SPF checks to fail with a "PermError" (permanent error), potentially leading to email rejections or spam filtering. This is a DNS standard limitation.
To merge the SPF records, you could follow these suggestions:
1. Locate your current SPF TXT record in your DNS settings (likely something like "v=spf1 include:spf.protection.outlook.com -all" for Microsoft Exchange/Office 365).
2. Insert Zoho's include mechanism ("include:one.zoho.eu") right after the existing "v=spf1" and before the final mechanism (e.g., "-all" or "~all").
3. Example merged record: "v=spf1 include:spf.protection.outlook.com include:one.zoho.eu -all".
4. Use "-all" (hard fail) if your existing record does; it's stricter and better for security. Zoho suggests "~all" (soft fail), but align with your current policy to maintain consistency.
5. Update your DNS TXT record for the root domain (@yourdomain.com) with this combined version.
6. Test the updated SPF using tools like MX Toolbox or Google's SPF validator to ensure it doesn't exceed the 10 DNS lookup limit (a common issue when adding multiple "include:" statements).
Advantages:
You can reduce the chances of your mail being flagged as spam, and it also prevents bad actors from spoofing your domain and sending fraudulent emails, as receiving servers can verify that the sender is legitimate.
Disadvantages:
SPF misconfiguration leading to failures: If the SPF merge is incorrect, emails could fail authentication.
Security exposure from third-party access: Including Zoho in SPF authorizes their servers to send as your domain; a compromise on Zoho's side could allow spam/phishing under your name.
We hope this information helps verify your concerns. If you have any additional concerns, feel free to comment below. I would be more than happy to assist.
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
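The merge and checks from steps 1 to 6 above, as an added example that is not part of the original answer: it works offline on the two TXT strings quoted in the answer, and all function names are illustrative. It counts only the lookup-triggering terms in the record itself; lookups made inside each include also count toward the limit of 10 and need a live resolver to total.

```python
# Added example: merge an include into an existing SPF record and sanity-check the result.
# Terms that trigger a DNS lookup under RFC 7208 (the "redirect=" modifier is handled below).
LOOKUP_MECHANISMS = ("include", "a", "mx", "ptr", "exists")

EXISTING = "v=spf1 include:spf.protection.outlook.com -all"  # quoted in the answer
ZOHO = "v=spf1 include:one.zoho.eu ~all"                     # quoted in the answer

def spf_records(txt_records):
    """Return only the TXT strings that are SPF records (start with v=spf1)."""
    return [t for t in txt_records if t.lower().split()[:1] == ["v=spf1"]]

def merge_include(existing, new_domain):
    """Insert include:<new_domain> before the final 'all' term, keeping its qualifier."""
    terms = existing.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    token = "include:" + new_domain
    if token.lower() in (t.lower() for t in terms):
        return " ".join(terms)  # already authorised, nothing to add
    for i, term in enumerate(terms):
        if term.lstrip("+-~?").lower() == "all":
            terms.insert(i, token)
            break
    else:
        terms.append(token)  # record has no 'all' term
    return " ".join(terms)

def count_lookup_terms(record):
    """Count lookup-triggering terms at the top level of one record."""
    count = 0
    for term in record.split()[1:]:
        bare = term.lstrip("+-~?").lower()
        name = bare.split(":")[0].split("/")[0]
        if bare.startswith("redirect=") or name in LOOKUP_MECHANISMS:
            count += 1
    return count

def check(txt_records):
    """Return a list of problems found in a domain's TXT record set."""
    spf = spf_records(txt_records)
    problems = []
    if len(spf) > 1:
        problems.append("multiple v=spf1 records: receivers return PermError")
    for record in spf:
        if count_lookup_terms(record) > 10:
            problems.append("more than 10 lookup terms: " + record)
    return problems

if __name__ == "__main__":
    merged = merge_include(EXISTING, "one.zoho.eu")
    print(merged, check([merged]), check([EXISTING, ZOHO]))
```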