diff --git a/basic_setup/cloudflareMigrationDns.sh b/basic_setup/cloudflareMigrationDns.sh
index a5fb926..2920d7c 100755
--- a/basic_setup/cloudflareMigrationDns.sh
+++ b/basic_setup/cloudflareMigrationDns.sh
@@ -81,8 +81,23 @@ ensure_record() {
     local search_res=$(curl -s -X GET "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/dns_records?type=$type&name=$name" \
         -H "Authorization: Bearer $CF_API_TOKEN" -H "Content-Type: application/json")
     
-    local rec_id=$(echo "$search_res" | jq -r '.result[0].id')
-    local rec_content=$(echo "$search_res" | jq -r '.result[0].content')
+    local rec_id
+    local rec_content
+
+    if [ "$type" == "TXT" ] && [ "$name" == "$DOMAIN_NAME" ] && [[ "$content" == v=spf1* ]]; then
+        # Spezialfall Root-Domain SPF: Filtere gezielt den SPF-Eintrag heraus,
+        # damit z.B. Google Site Verification nicht überschrieben wird.
+        rec_id=$(echo "$search_res" | jq -r '.result[] | select(.content | contains("v=spf1")) | .id' | head -n 1)
+        rec_content=$(echo "$search_res" | jq -r '.result[] | select(.content | contains("v=spf1")) | .content' | head -n 1)
+    else
+        # Standardverhalten für alle anderen (A, CNAME, MX, etc.)
+        rec_id=$(echo "$search_res" | jq -r '.result[0].id')
+        rec_content=$(echo "$search_res" | jq -r '.result[0].content')
+    fi
+
+    # Fallback für jq, damit das restliche Skript funktioniert
+    [ -z "$rec_id" ] && rec_id="null"
+    [ -z "$rec_content" ] && rec_content="null"
 
     if [ "$type" == "MX" ]; then
         json_data=$(jq -n --arg t "$type" --arg n "$name" --arg c "$content" --argjson p "$proxied" --argjson prio "$priority" \