Avoid The 10-DNS-Lookup Limit: Everything You Need To Know About SPF Flattening
Email authentication plays a crucial role in combating spam and phishing threats. One of the most commonly used protocols for this purpose is the Sender Policy Framework (SPF), which verifies the legitimacy of email senders by specifying authorized IP addresses within a domain's DNS records. Nevertheless, SPF has a significant drawback: it is restricted to 10 DNS lookups. This is where the process of SPF flattening becomes important.
In this article, we will discuss what SPF flattening entails, the significance of the 10-DNS-lookup restriction, methods to effectively flatten your SPF records, and recommended practices to ensure the security of your domain while maintaining smooth email communication.
What Is the SPF 10-DNS-Lookup Limit?
The Purpose of the SPF Lookup Limit
The SPF system enables domain administrators to specify which IP addresses or other domains (through mechanisms like include, a, mx, ptr, etc.) are permitted to send emails on their behalf. Many of these mechanisms require a DNS lookup to resolve them into IP addresses. To reduce the risk of misuse and lessen the load on DNS servers, SPF evaluation is capped at a maximum of 10 DNS lookups.
As a result, if your SPF record leads to more than 10 DNS queries, it triggers a "PermError" (permanent error), causing the SPF check to fail and potentially directing legitimate emails to the spam folder.

How Lookups Add Up
Here's how the accumulation of DNS lookups works:
- Every include mechanism counts as a single lookup.
- Each mechanism, like a, mx, or ptr, can lead to one or several lookups.
- Redirects also initiate additional lookups.
- Furthermore, if includes are nested (for example, an include within another include), the total count increases significantly.
What Is SPF Flattening?
Definition and Purpose
SPF flattening involves substituting the include mechanisms in your SPF record with their corresponding resolved IP addresses. This means that, rather than requiring DNS to perform lookups for those includes each time an SPF check is conducted, the flattened record directly incorporates all the necessary IP addresses, thus reducing the number of DNS queries needed.
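The counting rules and the flattening step described above, as an added Python example that is not part of the original article. Constructed TXT records (hypothetical domains, documentation-range addresses) stand in for live DNS, and `count_lookups`, `collect_ips` and `flatten` are illustrative names; only `include` chains that end in `ip4`/`ip6` terms are flattened.

```python
import re

# Constructed TXT data standing in for live DNS, so the example runs offline.
ZONE = {
    "example.com": "v=spf1 mx include:_spf.mailer.example include:_spf.crm.example ~all",
    "_spf.mailer.example": "v=spf1 "
    + " ".join(f"include:_n{i}.mailer.example" for i in range(1, 9)) + " ~all",
    "_spf.crm.example": "v=spf1 ip4:203.0.113.64/26 ip6:2001:db8:10::/48 -all",
}
ZONE.update({f"_n{i}.mailer.example": f"v=spf1 ip4:198.51.100.{i} ~all" for i in range(1, 9)})

LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # each costs a DNS query


def parse(term):
    """Split an SPF term into (qualifier, name, argument)."""
    return re.match(r"([+\-~?]?)([a-z0-9]+)[:=]?(.*)", term.lower()).groups()


def count_lookups(record, zone=ZONE):
    """Worst-case DNS-querying terms for a record, nested includes counted too."""
    total = 0
    for term in record.split():
        _, name, arg = parse(term)
        if name in LOOKUP_TERMS:
            total += 1
        if name in ("include", "redirect"):
            total += count_lookups(zone[arg], zone)
    return total


def collect_ips(domain, zone=ZONE):
    """ip4/ip6 terms authorized by domain's record and the includes nested in it."""
    ips = []
    for term in zone[domain].split():
        qual, name, arg = parse(term)
        if qual in ("", "+") and name in ("ip4", "ip6"):
            ips.append(f"{name}:{arg}")
        elif qual in ("", "+") and name == "include":
            ips += collect_ips(arg, zone)
        elif name in LOOKUP_TERMS:
            raise ValueError(f"{domain}: '{term}' needs live DNS, not flattened here")
    return ips


def flatten(domain, zone=ZONE):
    """Replace each top-level include with the addresses it resolves to."""
    out = []
    for term in zone[domain].split():
        qual, name, arg = parse(term)
        out += collect_ips(arg, zone) if name == "include" and qual in ("", "+") else [term]
    return " ".join(dict.fromkeys(out))  # drop duplicates, keep order
```

The constructed record needs 11 lookups before flattening; afterwards only the `mx` term remains, so the flattened record costs one.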
Benefits of SPF Flattening
- Overcomes the limitation of 10 DNS lookups by translating indirect references into direct IP addresses.
- Enhances the reliability of SPF, preventing validation failures caused by excessive lookups.
- Accelerates SPF assessment, as no further DNS resolutions are required when messages are received.
How to Flatten Your SPF Record
Manual SPF Flattening
You have the option to individually trace each include mechanism to its respective IP addresses and update your SPF record accordingly. Nevertheless, this method is:
- Tedious
- Prone to mistakes
- Unsustainable, since external services frequently alter their sending IPs unexpectedly.
Using SPF Flattening Tools
An alternative approach is to utilize automated tools for SPF flattening, which offer a more streamlined process. These tools perform the following functions:
- Analyze your current SPF record
- Resolve any includes and lookups
- Create a flattened SPF record that lists direct IP addresses
- Optionally update the record automatically if upstream IP addresses change
Some well-known SPF flattening services are:
- EasyDMARC
- MXToolbox
- PowerSPF from dmarcian
- SPF-Record by Postmark
Many of these services also provide dynamic SPF flattening, which automates the resolution of IPs and periodically updates the DNS record to ensure compliance.

Best Practices for SPF Flattening
Combine Flattening with DMARC and DKIM
While SPF flattening can alleviate problems related to DNS lookups, it shouldn't be your sole protective measure. For comprehensive email authentication and to guard against spoofing, it's essential to pair it with DMARC and DKIM protocols. These technologies collaborate to confirm the sender's identity and enhance your domain's standing.
Monitor Changes in Third-Party Services
Email service providers often modify their IP ranges without prior notice, potentially disrupting static flattened SPF records. If these changes are not accounted for, it can result in problems with email delivery and cause SPF failures. To avoid this, make it a habit to regularly check the IP lists provided by your providers or utilize dynamic flattening tools.
Keep the SPF Record Under 255 Characters Per String
Although a DNS TXT record can hold more data overall, each individual string within it is limited to a maximum of 255 characters. Surpassing this limit may lead to parsing issues in certain email systems, which could trigger SPF failures. To ensure compatibility with various DNS resolvers, split lengthy records into several shorter strings.