How To Use SPF Flattening To
Stay Within Lookup Limits


In the realm of email security, SPF (Sender Policy Framework) serves as a critical protocol designed to shield your domain from impersonation and phishing threats. Nevertheless, SPF has a significant constraint: it permits only 10 DNS lookups per SPF query. Surpassing this limit can lead to failures in your SPF configuration, putting your genuine emails at risk of being classified as spam or outright rejected. 

This is where the concept of SPF flattening proves beneficial. By minimizing or removing the necessity for multiple DNS lookups, SPF flattening allows you to adhere to these stringent limits and ensures that your emails continue to be delivered successfully.


Understanding SPF Records and the Lookup Limit


What is an SPF Record?

An SPF record is a specific kind of DNS TXT record that enumerates the servers permitted to send emails to your domain. Upon receiving an email, the mail server of the recipient consults the SPF record associated with the sender's domain to confirm whether the sending IP address is authorized.

For example, a standard SPF record could appear as follows:

v=spf1 include:_spf.google.com include:sendgrid.net ~all

Each statement that includes mechanisms like 'a', 'mx', 'ptr', or 'exists' can initiate a DNS query.



spf-flattening-1



The 10-Lookup Limit

SPF permits a maximum of 10 DNS lookups for each SPF evaluation. Surpassing this limit, even by a single lookup, results in a "permerror" (permanent error). Consequently, your emails could be denied or marked as potentially harmful, regardless of whether all other configurations are accurate.

The lookup total comprises:

  • Every include: directive

  • Each a, mx, ptr, or exists mechanism

  • Any additional lookups from external services such as Google, Mailchimp, or SendGrid

To prevent this issue, it’s essential to develop a plan for streamlining your SPF record. For additional details, visit here.


What Is SPF Flattening?


How SPF Flattening Works

SPF flattening is the process of converting all domains listed in your include directives into their corresponding IP addresses, which are then directly incorporated into your SPF record.

For instance, rather than using:

v=spf1 include:_spf.google.com include:sendgrid.net ~all

You would modify it to something like:

v=spf1 ip4:64.233.160.0/19 ip4:198.21.0.0/16 ~all

This approach significantly minimizes or completely removes the necessity for DNS lookups, as IP addresses do not need further queries.


Manual vs. Automated Flattening

Manual SPF flattening can be accomplished with command-line utilities such as dig or through online DNS lookup services, allowing you to translate includes into IP addresses. However, due to the frequent changes in IP ranges by cloud email providers, this manual approach can quickly become obsolete.

To address this issue, automated SPF flattening tools like EasyDMARC, Dmarcian, or PowerSPF provide dynamic solutions that continuously track changes and automatically refresh the flattened records as needed.


Best Practices for Using SPF Flattening


Use a Flattening Tool with Auto-Update Features

A significant concern associated with SPF flattening is the potential for changes in IP addresses from email service providers. A fixed SPF record may quickly become outdated, sometimes within just a few days or weeks. Opt for a flattening service that provides:

  • Automatic updates

  • Change monitoring

  • Alerts for necessary updates


spf-flattening



Keep Your SPF Record Short and Clean

Simplifying your SPF record may lead to an increase in its overall size. Keep in mind that each string in SPF records is capped at 255 characters, while the total for DNS responses is limited to 512 characters.

Here are some suggestions to prevent your SPF record from becoming overly lengthy:

  • Eliminate any entries that are no longer in use or are outdated.

  • Utilize CIDR notation to condense IP address ranges.

  • Steer clear of nested includes unless necessary.

Use Subdomain Delegation When Needed

Should you require more than 10 lookups, think about assigning the sending tasks to subdomains (such as mail.example.com or news.example.com) that have their own SPF records. This approach helps distribute the load, but it's important to implement it cautiously to prevent any misunderstandings.


Benefits of SPF Flattening


  • Enhanced Email Delivery: Maintaining your SPF record within the lookup limit significantly minimizes the likelihood of SPF failures. As a result, this leads to improved email delivery rates and decreases the chances of messages being marked as spam.

  • Increased Oversight and Management: Flattening your SPF record allows for complete visibility over which IP addresses are permitted. This approach streamlines the auditing process and aids in forensic investigations if any issues arise.