What are the best practices for using SPF flatteners and managing SPF records?

Matthew Whittaker
Co-founder & CTO, Suped
Published 31 Jul 2025
Updated 16 Aug 2025
Sender Policy Framework (SPF) records are a cornerstone of email authentication, designed to prevent email spoofing by verifying that incoming mail from a domain comes from an IP address authorized by that domain's administrators. However, as organizations adopt more third-party services for email, their SPF records can grow in complexity, often leading to a common issue: exceeding the 10-DNS lookup limit.
When an SPF record triggers more than 10 DNS lookups, it results in a PermError (Permanent Error). This means the recipient's mail server cannot properly validate the SPF record, potentially causing legitimate emails to be marked as spam or rejected entirely. This issue is a significant hurdle for email deliverability.
SPF flattening is a technique that aims to resolve this problem by replacing domain-based include mechanisms with the actual IP addresses they resolve to. While it can be a quick fix for the lookup limit, it also introduces its own set of challenges. Understanding when and how to use SPF flatteners, along with overall best practices for managing your SPF records, is crucial for maintaining strong email authentication and ensuring your messages reach the inbox.

Understanding the SPF 10-lookup limit

SPF (Sender Policy Framework) works by allowing domain owners to publish a DNS TXT record that lists all authorized mail servers permitted to send email on behalf of their domain. When an email is received, the recipient's server checks this record. If the sending server's IP address is not listed, the email might be flagged as suspicious.
The core challenge lies in the SPF specification's limit of 10 DNS lookups for an SPF record's evaluation. Mechanisms like a, mx, ptr, exists, and include all count towards this limit. If an include mechanism refers to another domain that also has include statements (nested includes), each of those counts as well. This can quickly exhaust your lookup budget, leading to an SPF PermError. Too many DNS lookups is a common reason for deliverability issues.
This limit becomes particularly challenging for organizations using multiple third-party email services, such as marketing platforms, transactional email providers, and customer support systems. Each of these services often requires its own include statement in your SPF record, quickly pushing you over the edge. It's a common scenario that can severely impact your email's ability to land in the inbox.
Example of a complex SPF record that could exceed lookup limits
v=spf1 include:_spf.google.com include:mail.zendesk.com include:servers.mcsv.net include:spf.protection.outlook.com -all

Understanding SPF PermError

An SPF PermError (Permanent Error) occurs when the receiving mail server encounters an invalid SPF record, often due to exceeding the 10-DNS lookup limit. This is a fatal error, meaning the SPF check fails definitively, leading to increased email rejections or delivery to spam folders. Effectively, your emails may not even reach the inbox, impacting your communication and reputation. Learn more about demystifying SPF TempError.

What is SPF flattening and how does it work?

SPF flattening is the process of converting an SPF record with multiple domain-based mechanisms (like include and a) into a record that lists only IP addresses (using ip4 and ip6 mechanisms). This effectively eliminates DNS lookups for those include statements, ensuring you stay within the 10-lookup limit. You can read more about when SPF flattening is necessary.
There are two main approaches to SPF flattening: manual and automated. Manual flattening involves periodically resolving all included domains to their IP addresses and updating your SPF record directly. Automated (or dynamic) SPF flattening, on the other hand, relies on a service that continuously monitors the IP addresses of your third-party senders and automatically updates a flattened SPF record hosted on their servers. Your domain's SPF record then simply points to this dynamic service.
While SPF flattening can be an effective way to address the 10-lookup limit and prevent PermErrors, it's not without its drawbacks. Manual flattening requires constant vigilance, as IP addresses can change. Automated services solve this, but they introduce a dependency on a third party, which could become a single point of failure if their service experiences issues. Always consider these trade-offs when deciding on your SPF strategy.

Manual SPF flattening

You manually resolve include mechanisms to IP addresses and update your DNS record.
  1. Pros: Full control over your SPF record. No dependency on external services.
  2. Cons: Requires constant monitoring and manual updates when third-party IPs change. High risk of SPF breaks if not diligently managed. Prone to CharacterStringTooLong errors if the record becomes too long.

Automated (Dynamic) SPF flattening

A third-party service dynamically manages and updates your flattened SPF record.
  1. Pros: Automated updates prevent SPF breaks due to IP changes. Reduces management overhead. Ensures adherence to the 10-lookup limit.
  2. Cons: Introduces a single point of failure (if the service goes down). Requires trusting a third-party provider. May not be ideal for organizations with DMARC policies set to p=reject.
Example of a flattened SPF record
v=spf1 ip4:192.0.2.1 ip4:198.51.100.0/24 ip6:2001:db8::/32 -all
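
The lookup counting described in the 10-lookup section and the include-to-IP replacement described here can be worked through offline. This Python code is an added example, not code from Suped: the ZONE dictionary is a constructed stand-in for DNS TXT answers (every domain in it is made up), and walk and flatten are hypothetical helper names. It counts worst-case lookups across nested includes, counting the redirect modifier as RFC 7208 does, then flattens only the include mechanisms.

```python
import re

# Constructed zone standing in for DNS TXT answers; all names are made up.
ZONE = {
    "example.com": "v=spf1 mx a include:_spf.mailer.test include:_spf.crm.test include:_spf.desk.test -all",
    "_spf.mailer.test": "v=spf1 include:_a.mailer.test include:_b.mailer.test include:_c.mailer.test ~all",
    "_a.mailer.test": "v=spf1 ip4:192.0.2.0/25 ~all",
    "_b.mailer.test": "v=spf1 ip4:192.0.2.128/25 ~all",
    "_c.mailer.test": "v=spf1 ip6:2001:db8:1::/48 ~all",
    "_spf.crm.test": "v=spf1 include:_x.crm.test include:_y.crm.test ~all",
    "_x.crm.test": "v=spf1 ip4:198.51.100.0/25 ~all",
    "_y.crm.test": "v=spf1 ip4:198.51.100.128/25 ~all",
    "_spf.desk.test": "v=spf1 include:_z.desk.test ip4:203.0.113.7 ~all",
    "_z.desk.test": "v=spf1 ip6:2001:db8:2::/48 ~all",
}
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # RFC 7208, 4.6.4

def walk(domain, zone, seen=()):
    """Return (worst-case DNS lookups, pass-qualified ip4/ip6 terms, other lookup terms)."""
    if domain in seen:
        raise ValueError(f"include loop via {domain}")
    lookups, ips, other = 0, [], []
    for term in zone[domain].split()[1:]:            # skip "v=spf1"
        body = term.lstrip("+-~?")
        name = re.split(r"[:=/]", body, maxsplit=1)[0].lower()
        lookups += name in LOOKUP_TERMS
        if name in ("include", "redirect"):
            n, sub_ips, sub_other = walk(body[len(name) + 1:], zone, seen + (domain,))
            lookups, ips, other = lookups + n, ips + sub_ips, other + sub_other
        elif name in ("ip4", "ip6") and term[0] not in "-~?":
            ips.append(body)
        elif name in LOOKUP_TERMS:
            other.append(term)
    return lookups, ips, other

def flatten(domain, zone):
    """Replace each include: with the ip4/ip6 terms it resolves to; keep other terms."""
    out = ["v=spf1"]
    for term in zone[domain].split()[1:]:
        if term.lstrip("+").startswith("include:"):
            _, ips, other = walk(term.split(":", 1)[1], zone, (domain,))
            if other:   # a/mx/ptr/exists inside an include cannot be copied as IPs here
                raise ValueError(f"{term} needs live resolution of {other}")
            out += ips
        else:
            out.append(term)
    return " ".join(dict.fromkeys(out))              # de-duplicate, keep order
```

For the constructed zone, walk("example.com", ZONE) reports 11 lookups, which is over the limit and therefore a PermError at the receiver. The flattened record keeps mx and a, so it still costs 2 lookups.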

Best practices for managing SPF records and flatteners

While SPF flattening can be a practical solution for the 10-lookup limit, it's essential to adopt a holistic approach to SPF management. Consider these best practices to maintain optimal email deliverability and security.
  1. Minimize unnecessary include statements: Before resorting to flattening, review your current SPF record. Some email service providers (ESPs) do not require you to include their domain in your primary SPF record if they don't use custom return paths for your domain. Understand M3AAWG's best practices for managing SPF.
  2. Use subdomains for different sending purposes: Dedicated subdomains for marketing emails, transactional emails, or internal communications allow each to have its own SPF record, effectively segmenting your lookups and keeping them under the limit. This is a robust long-term solution. Consider options for dealing with overstuffed SPF records.
  3. Implement DMARC alongside SPF and DKIM: While SPF helps, it's most effective when combined with DKIM and DMARC. DMARC allows you to instruct recipient servers on how to handle emails that fail SPF or DKIM authentication. This provides a comprehensive email security posture. Familiarize yourself with DMARC, SPF, and DKIM essentials.
  4. Regularly monitor and audit your SPF records: Even with flattening, IP ranges for third-party services can change. Regular monitoring ensures your record is always up to date and accurate, preventing unexpected delivery issues. Tools can help you set up SPF for Microsoft 365 and other platforms.
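
One way to run the audit from item 4 against a manually flattened record, as an added example that is not code from Suped. The function names and both sample records are constructed for illustration. It compares the flattened record currently in DNS with one flattened from today's provider data, and splits a long record into 255-byte strings, the limit behind the CharacterStringTooLong error mentioned earlier.

```python
import ipaddress

def networks(record):
    """Parse pass-qualified ip4:/ip6: terms and merge adjacent or overlapping ranges."""
    nets = []
    for term in record.split()[1:]:                      # skip "v=spf1"
        name, _, value = term.lstrip("+").partition(":")
        if name.lower() in ("ip4", "ip6"):
            nets.append(ipaddress.ip_network(value, strict=False))
    merged = []
    for version in (4, 6):                               # collapse_addresses rejects mixed versions
        merged += ipaddress.collapse_addresses(n for n in nets if n.version == version)
    return merged

def covered(net, others):
    return any(net.version == o.version and net.subnet_of(o) for o in others)

def drift(published, current):
    """Compare the flattened record in DNS with one flattened from today's provider data."""
    pub, cur = networks(published), networks(current)
    return {
        # Provider added ranges: its mail now fails SPF for your domain.
        "missing": [str(n) for n in cur if not covered(n, pub)],
        # Provider dropped ranges: your record still authorizes addresses it no longer uses.
        "stale": [str(n) for n in pub if not covered(n, cur)],
    }

def txt_strings(record, limit=255):
    """Split a record into DNS character-strings of at most `limit` bytes.
    Receivers join the strings with no separator, so each space stays attached."""
    chunks, cur = [], ""
    for i, term in enumerate(record.split(" ")):
        piece = term if i == 0 else " " + term
        if len(cur) + len(piece) > limit:
            chunks.append(cur)
            cur = ""
        cur += piece
    return chunks + [cur]

# Constructed records using documentation address ranges.
PUBLISHED = "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.0/25 ip4:203.0.113.7 -all"
CURRENT = "v=spf1 ip4:192.0.2.0/25 ip4:192.0.2.128/25 ip4:198.51.100.0/24 ip6:2001:db8:2::/48 -all"
```

A non-empty "missing" list means legitimate mail is already failing SPF. A non-empty "stale" list means the record authorizes more address space than your senders use.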

Key takeaway on SPF management

While SPF flattening can mitigate the 10-lookup limit, it's often a tactical workaround rather than a strategic solution. The goal should always be to optimize your SPF record by only including truly necessary domains and by leveraging subdomains for distinct sending purposes. This minimizes complexity, reduces dependency on external services, and provides a more resilient email authentication setup that benefits your overall email deliverability rates.
Careful management of your SPF record is vital for preventing email spoofing and ensuring your emails reach their intended recipients. When dealing with the 10-lookup limit, consider the long-term implications of flattening versus structural solutions like using subdomains or carefully curating your include statements. Regular auditing and monitoring will help you maintain an effective and compliant SPF setup.

Views from the trenches

Best practices

Always begin your SPF record with `v=spf1` to declare the SPF version.
List all authorized IP addresses and hostnames of your email sending systems explicitly.
Utilize subdomains for different email sending purposes (e.g., marketing, transactional) to segment SPF records.
Regularly review your SPF record to remove outdated or unnecessary entries.
Combine SPF with DKIM and DMARC for robust email authentication.

Common pitfalls

Exceeding the 10-DNS lookup limit, leading to PermError and email rejection.
Relying solely on manual SPF flattening without regular updates, causing SPF to break.
Including unnecessary third-party services that don't use custom return paths for your domain.
Using `-all` (hardfail) too aggressively without proper monitoring and DMARC in place.
Not auditing SPF records after changes to email infrastructure or third-party services.

Expert tips

Consider dynamic SPF services for complex setups to manage IPs automatically.
Be aware that `a` and `mx` mechanisms also count towards DNS lookups.
For large organizations, a phased approach to SPF optimization can minimize disruption.
If using SPF flatteners, ensure the service dynamically reloads records, not just as a one-off.
Prioritize removing unnecessary includes before considering flattening.

Marketer view

Marketer from Email Geeks says using an automated SPF flattener proved effective and required no manual intervention, but also suggested subdomains as an alternative approach for complex setups.
Feb 9, 2022 - Email Geeks

Expert view

Expert from Email Geeks says SPF flatteners are not ideal for long-term solutions, especially with an enforcing DMARC policy, as they introduce a single point of failure.
Feb 9, 2022 - Email Geeks

Maintaining a robust email authentication setup

Effectively managing your SPF records and deciding whether to use SPF flatteners involves a careful balance of convenience, control, and security. While SPF flatteners offer a quick solution to the 10-DNS lookup limit, they come with trade-offs. The key is to understand your organization's unique email sending landscape and choose the approach that best suits your needs.
Prioritizing the optimization of your SPF record by removing redundant entries and strategically using subdomains can often negate the need for flattening. However, for complex environments with numerous third-party senders, an automated SPF flattening service can provide a necessary interim solution, provided you are aware of its implications for your email deliverability.
Ultimately, a well-configured SPF record, combined with DKIM and DMARC, is fundamental to establishing a trustworthy sending reputation and ensuring your emails reliably reach their destination. Regularly review your SPF records and adjust your strategy as your email ecosystem evolves to maintain consistent inbox placement and protect against spoofing and phishing attacks.
