What is SPF Flattening?
SPF flattening is the process of converting a complex SPF record (one that contains multiple include:, a, mx, or redirect= mechanisms) into a simplified version that lists the resolved IP addresses directly. Instead of telling receiving mail servers to go look up which IPs each of your email vendors uses, a flattened record pre-resolves all of that and writes the answer straight into your DNS.
How the 10 DNS Lookup Limit Works
Every time a receiving mail server evaluates your SPF record, it follows each include:, a, or mx mechanism to find the authorized IPs. Under RFC 7208 (the formal SPF specification), this chain of resolution is capped at 10 DNS lookups. Exceed that cap, and SPF returns a PermError (permanent error), which typically causes your legitimate emails to fail authentication and land in spam or get rejected outright.
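The count a receiver arrives at can be reproduced offline. The following Python is an added example, not PowerDMARC's code: it walks a constructed zone of hypothetical .example domains and totals the terms that RFC 7208 section 4.6.4 counts against the limit (include, a, mx, ptr, exists and redirect), returning the worst-case total and the cost of each top-level term.

```python
LIMIT = 10  # RFC 7208 section 4.6.4: max DNS-querying terms per SPF evaluation
QUERYING = {"a", "mx", "ptr", "exists"}  # one lookup each; ip4/ip6/all cost none

# Constructed sample TXT records for hypothetical domains (not real vendor data).
ZONE = {
    "corp.example": "v=spf1 mx include:mail.vendor-a.example include:crm.vendor-b.example "
                    "include:desk.vendor-c.example include:bulk.vendor-d.example ~all",
    "mail.vendor-a.example": "v=spf1 include:n1.vendor-a.example "
                             "include:n2.vendor-a.example include:n3.vendor-a.example ~all",
    "n1.vendor-a.example": "v=spf1 ip4:192.0.2.0/26 ~all",
    "n2.vendor-a.example": "v=spf1 ip4:192.0.2.64/26 ~all",
    "n3.vendor-a.example": "v=spf1 ip4:192.0.2.128/26 ~all",
    "crm.vendor-b.example": "v=spf1 include:out.vendor-b.example mx ~all",
    "out.vendor-b.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    "desk.vendor-c.example": "v=spf1 a redirect=spf.vendor-c.example",
    "spf.vendor-c.example": "v=spf1 ip4:203.0.113.0/25 -all",
    "bulk.vendor-d.example": "v=spf1 ip4:203.0.113.128/25 ~all",
}

def count_lookups(domain, zone=ZONE, path=()):
    """Worst-case number of DNS-querying terms needed to evaluate domain's SPF."""
    if domain in path:  # include loop: stop recursing
        return 0
    path = path + (domain,)
    return sum(term_cost(t, zone, path) for t in zone.get(domain, "").split()[1:])

def term_cost(term, zone=ZONE, path=()):
    """Lookups caused by one term, including everything nested beneath it."""
    term = term.lstrip("+-~?").lower()  # drop the qualifier
    for prefix in ("include:", "redirect="):
        if term.startswith(prefix):
            return 1 + count_lookups(term[len(prefix):], zone, path)
    name = term.split(":")[0].split("/")[0]  # "a/24" and "mx:host" -> "a", "mx"
    return 1 if name in QUERYING else 0

def audit(domain, zone=ZONE):
    """Return (total, result, per-term cost) for the record published at domain."""
    costs = {t: term_cost(t, zone, (domain,)) for t in zone[domain].split()[1:]}
    total = sum(costs.values())
    return total, ("permerror" if total > LIMIT else "ok"), costs

if __name__ == "__main__":
    total, result, costs = audit("corp.example")
    print(total, result)
    for term, cost in costs.items():
        print(f"  {cost:2d}  {term}")
```

The top-level record lists only five lookup-causing terms, but the nested includes bring the total past the cap.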
What Happens When You Exceed It (PermError)
When your record needs more than 10 lookups to resolve fully, mail servers stop evaluating at the 10th lookup, so any senders listed after that point are simply not checked. SPF returns PermError, and depending on your DMARC policy, emails from those unchecked senders may be quarantined or rejected. The failure is usually silent: you don’t get a bounce. Your emails just stop arriving.
include:spf.protection.outlook.com
include:_spf.google.com
include:spf.mandrillapp.com
include:_spf.salesforce.com
include:sendgrid.net
include:mail.zendesk.com
The Core Problem with Static SPF Flattening
Flattening resolves all those include: mechanisms into their underlying IP addresses and writes them directly into your record. In theory, this eliminates the nested lookups entirely. In practice, a statically flattened record has a predictable lifespan: the moment any of your email vendors changes their IP ranges, your flattened record is wrong.
Google, Microsoft, Mailchimp, and SendGrid all update their sending infrastructure without notifying the domain owners who rely on it.
DNS TXT records have practical size limits (255 bytes per string). A fully expanded record with many IP ranges can exceed them, causing its own validation failures.
Every time you add a new email service, you re-flatten. Every time you remove one, you re-flatten. This becomes unsustainable as infrastructure grows.
No notification mechanism exists in the SPF standard. When a vendor moves IPs, you only find out when deliverability has already dropped.
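How a static record goes stale, and how a long one has to be split, as an added Python example (not PowerDMARC's implementation): drift() compares the ranges written into a flattened record with the vendors' current ranges, and txt_strings() cuts a record into 255-byte strings. The record, the range list and all function names are constructed for illustration.

```python
import ipaddress

# Constructed sample data: a record flattened some time ago, and the ranges
# the vendors use today (documentation address space, not real vendor data).
FLATTENED = "v=spf1 ip4:192.0.2.0/26 ip4:198.51.100.0/24 ip4:203.0.113.0/25 ~all"
CURRENT = ["192.0.2.0/26", "198.51.100.0/25", "203.0.113.128/25"]

def parse_networks(record):
    """Collect the ip4:/ip6: networks written into a flattened SPF record."""
    nets = set()
    for term in record.split()[1:]:
        term = term.lstrip("+-~?")
        if term.lower().startswith(("ip4:", "ip6:")):
            nets.add(ipaddress.ip_network(term[4:], strict=False))
    return nets

def covered(net, pool):
    """True if net lies inside any network in pool (same IP version only)."""
    return any(net.version == p.version and net.subnet_of(p) for p in pool)

def drift(flattened, current):
    """Return (missing, stale) between a published record and live ranges.

    missing: ranges the vendors send from now that the record does not authorize.
    stale:   ranges the record still authorizes that no vendor uses any more.
    """
    published = parse_networks(flattened)
    live = {ipaddress.ip_network(n) for n in current}
    missing = sorted(str(n) for n in live if not covered(n, published))
    stale = sorted(str(n) for n in published if not covered(n, live))
    return missing, stale

def txt_strings(record, limit=255):
    """Split a record into <=255-byte strings for a single TXT resource record.

    Receivers join the strings without adding spaces (RFC 7208 section 3.3),
    so the cut may fall anywhere, even in the middle of a term.
    """
    data = record.encode("ascii")
    return [data[i:i + limit].decode() for i in range(0, len(data), limit)]

if __name__ == "__main__":
    missing, stale = drift(FLATTENED, CURRENT)
    print("missing:", missing)
    print("stale:  ", stale)
```

Mail from a range in missing fails SPF; a range in stale stays authorized even though no vendor sends from it any longer.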
How Our Automatic SPF Flattening Works
PowerDMARC’s SPF flattening tool is a part of the PowerSPF hosted SPF service, and handles the full process automatically, keeping your record current as your email infrastructure changes.
Sign up and add your domain. PowerDMARC auto-detects your current SPF record instantly with no manual input needed.
See exactly how many DNS lookups your record uses, which services contribute the most, and whether you're at risk of PermError.
All include mechanisms resolve to their current IPs and compress into a single optimized include. Your count drops to 1.
Publish the new record. PowerDMARC monitors your vendors and auto-reflattens when IPs change, so it never goes stale.
Manual Flattening Vs. Automated SPF Flattening
Operational bottlenecks and hidden friction built on manual tracking.
Adding third-party services manually quickly pushes your DNS past the 10-lookup limit, breaking email delivery without warning.
When vendors update their underlying IP addresses, your static manual record falls out of date silently until you notice broken delivery.
Manually expanding sub-records causes strings to balloon rapidly, easily exceeding the strict 255-character limits for individual DNS strings.
Typos, incorrect syntax, or miscopied blocks of IP ranges introduce critical security and deliverability failures.
Requires continuous manual audits, spreadsheet monitoring, and developer time just to keep tracking standard business applications.
Automated, efficient security infrastructure inside your native environment.
Dynamic mapping automatically condenses numerous lookups to stay safely below the 10-lookup limit.
Automated background checks detect vendor changes instantly and refresh the record within minutes.
Intelligent text wrapping strips redundant spaces, compressing records to minimize their character footprint.
Eliminates risky manual edits, leaving software rules to manage your configuration error-free.
Deploy one permanent, static configuration and keep your domain authentication protected continuously.
SPF Flattening Risks and Best Practices
SPF flattening is a legitimate technique, but it carries risks worth understanding before you rely on it, especially if you plan to maintain the record manually.
Risks to know before you start
IP address changes — Major providers regularly change outbound IP ranges; when they do, mail from the new IPs fails SPF immediately, and you only know when deliverability drops.
Record bloat & DNS limits — A flattened record for an org with many services can expand to hundreds of IP entries, pushing past practical size limits and causing PermError.
Maintenance burden — A manual record isn't a one-time fix. Add a service, remove one, or have a vendor update infrastructure, and you re-flatten and re-publish.
Best practices
Authorize only active, legitimate senders — Before flattening, audit your record and remove includes for services you no longer use. Every unnecessary entry adds to your lookup count and attack surface.
Monitor SPF pass/fail rates in DMARC reports — Aggregate reports show exactly which sources pass and fail. Unexplained failures after flattening usually point to a stale IP range.
Use SPF alongside DKIM and DMARC — SPF alone doesn't stop spoofing. Proper authentication needs all three: SPF and DKIM for alignment, DMARC to define what happens when they fail.
Re-validate after any infrastructure change — Whenever you add or remove an email service, check your record with an SPF checker before assuming it's still valid.
Trusted by Thousands Worldwide
Jennifer Heisel
Systems Administrator
“PowerDMARC eliminates the SPF lookup limit on our domains with the hosted SPF; we only need to publish 1 SPF record to our DNS.”
David Spigelman
President
“PowerDMARC helps a lot with SPF errors, in particular, by making it easy to do “SPF Folding,” which is often needed for customers who need more SPF includes than are otherwise technically allowed.”
Dylan Bouterse
Technology Security Consultant
“With SPF flattening, we were able to easily expand the SPF includes to inspect the specifics of the record.”
Ready to Fix Your SPF Record?
SPF flattening doesn’t have to be a recurring problem. Our tool makes it effortless!
