What is SPF flattening and why doesn’t it work?

Learn why manually flattening SPF records creates more issues and how automated, real-time SPF solves the 10‑lookup limit once and for all.

One of the biggest challenges organizations face in getting email authentication to DMARC enforcement involves Sender Policy Framework (SPF).

Here’s why: If you can’t identify all the senders who should be able to send email messages using your domain, and then use SPF to authorize them, you can’t move your DMARC policy to p=quarantine or p=reject.

Moving to enforcement without authorizing every service you actually use means that a few legitimate senders will be blocked. Due to limitations within the SPF standard, solving this problem takes a lot of ingenuity.

When a domain name is listed in an SPF record, that tells receiving mail servers to go to the indicated address, where they will find additional rules: IP addresses, SPF macros, or additional domain names where more rules can be found.

For most services that send email on your behalf, you need to put something in SPF to specifically allowlist that sender: either its IP address(es) or an SPF “include” mechanism that indicates where receiving mail servers can find the appropriate rulesets.

SPF lets you put a large number of IP addresses in your SPF record, but it limits the number of domain lookups that receivers will do to just 10. That count includes domains explicitly listed in your SPF record and any domain lookups contained within the listed domains.
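To make the counting rule concrete, here is an added example (not from the original article) that walks a record and its nested includes and counts every term that triggers a DNS query under RFC 7208 section 4.6.4. The zone data and all domain names in it are constructed stand-ins for real DNS answers.

```python
# ZONE is constructed sample data standing in for DNS TXT answers;
# every domain name here is hypothetical.
ZONE = {
    "example.test": "v=spf1 include:_spf.mailer.test include:_spf.crm.test mx a ~all",
    "_spf.mailer.test": "v=spf1 include:_a.mailer.test include:_b.mailer.test ~all",
    "_a.mailer.test": "v=spf1 ip4:192.0.2.0/25 ~all",
    "_b.mailer.test": "v=spf1 ip4:192.0.2.128/25 ~all",
    "_spf.crm.test": "v=spf1 include:_spf.mailer.test exists:%{i}.allow.crm.test ~all",
}
# Terms that cost a lookup per RFC 7208 4.6.4 (plus the redirect= modifier).
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}
LIMIT = 10

def count_lookups(domain, zone=ZONE, seen=()):
    """Worst-case count of DNS-querying terms reachable from domain's record."""
    if domain in seen:
        raise ValueError(f"include loop at {domain}")
    record = zone.get(domain)
    if record is None:            # no SPF record: nothing further to count
        return 0
    total = 0
    for term in record.split()[1:]:          # skip the v=spf1 version tag
        term = term.lstrip("+-~?")           # drop the qualifier
        if term.startswith("redirect="):
            target = term.split("=", 1)[1]
            total += 1 + count_lookups(target, zone, seen + (domain,))
            continue
        name, _, arg = term.partition(":")
        name = name.split("/")[0].lower()    # "a/24" and "mx/24" carry a CIDR
        if name not in LOOKUP_MECHANISMS:
            continue                         # ip4, ip6 and all cost nothing
        total += 1
        if name == "include":                # nested lookups count as well
            total += count_lookups(arg, zone, seen + (domain,))
    return total

if __name__ == "__main__":
    n = count_lookups("example.test")
    print(f"example.test: {n} lookups (limit {LIMIT})")
```

The top-level record lists only four lookup terms, yet the nested includes bring it to exactly the limit, so one more service pushes it over.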

Many organizations turn to a quick-and-simple solution (SPF flattening), but it’s not as comprehensive or foolproof as it seems. Below, we’ll walk you through what SPF is, why SPF flattening doesn’t work, and a better (more reliable) solution you can trust.

What is SPF flattening?

SPF flattening is a technique that attempts to solve the SPF 10-lookup limit by manually expanding all the included domains in your SPF record into their component IP addresses.

Instead of using multiple “include:” statements that point to other domains (each counting as a lookup), you replace them with the actual IP addresses those domains authorize. The goal is to transform a nested, hierarchical SPF record into a “flat” list of IP addresses.

For example, rather than writing:

v=spf1 include:_u.ef.com._spf.smart.ondmarc.com ~all

You’d expand each domain to list all its IPs directly:

v=spf1 ip4:52.100.0.0/14 ip4:40.92.0.0/15 ip4:13.111.0.0/16
ip4:40.107.0.0/16 ip4:149.72.0.0/16 ip4:104.47.0.0/17 ip4:167.89.0.0/17
ip4:168.245.0.0/17 ip4:54.240.0.0/18 ip4:77.32.128.0/18 ip4:192.28.128.0/18
ip4:198.2.128.0/18 ip4:212.146.192.0/18 ip4:213.32.128.0/18
ip4:216.198.0.0/18 ip4:23.251.224.0/19 ip4:50.31.32.0/19 ip4:77.32.192.0/19
include:_p.1.1jbsg7t._u.ef.com._spf.smart.ondmarc.com ~all

In theory, this seems like a clever workaround to the 10-lookup limit. After all, listing IP addresses directly doesn’t consume any DNS lookups. But in practice, SPF flattening creates far more problems than it solves.

Most organizations attempt SPF flattening when they’ve reached the frustrating 10-lookup limit and need a quick fix. It seems straightforward at first—just replace domain references with their corresponding IP addresses. Unfortunately, this approach leads to a maintenance nightmare that gets worse over time, especially as your organization adds more cloud services.

The reality is that SPF flattening trades one problem (the lookup limit) for several bigger ones:

  • Maintenance overhead
  • Human error
  • Reliability issues

Ultimately, these problems make SPF flattening a solution that doesn’t work.

With Valimail’s Instant SPF technology, your SPF record can look like this:

v=spf1 include:_spf.google.com -all

What is Valimail Instant SPF?

Valimail Instant SPF is the only patented, scalable, and fail-safe SPF solution that auto-generates perfectly tailored SPF records, in milliseconds, in response to each mail server request. By responding dynamically with an SPF rule set as specified by the sending service itself, Instant SPF guarantees 100% accuracy for every single email, 24/7, regardless of network changes to services or underlying email service providers.

Instant SPF eliminates the need to flatten SPF records (by listing IP addresses instead of domain names) and dynamically bypasses the SPF 10-domain lookup limit, no matter how many services are sending on your organization’s behalf.

Instant SPF works in conjunction with Valimail Helios™, which actively maps thousands of third-party sending services. Simply point your SPF record to Valimail, designate the services you want to authorize by selecting them from a list, and you can be certain that your SPF authentication will work seamlessly.

Why doesn’t SPF flattening work?

SPF flattening lets you do the lookups yourself, by hand, if necessary. Eventually, each of those lookups will (usually) lead you to a list of authorized IP addresses that you can place into your SPF record instead of referencing one or more domains for each service.

Sounds simple, right? Here’s where things can go badly wrong, though:

  • Editing: Service providers frequently add and remove IP addresses from the list of sending IPs for their service.
  • Errors: It’s easy to make errors (either in the IPs themselves or in the SPF syntax) when you’re building these long lists. Are you sure you got that IPv6 address right?
  • Multiple SPF records: Transforming that list of IP addresses and netblocks into an SPF record may require you to split it into multiple SPF records, linking them together…and possibly running into that 10-domain lookup limit all over again.
  • IP address changes: Cloud service providers generally don’t notify their customers when they change the list of IP addresses from which they send email, so you’re going to have to track those changes yourself.

That means, if you’re the owner of a “flattened” SPF record, you now have the unenviable job of monitoring all the services in use, making sure that the list of IPs for each is still current, and that the overall list is complete.

And you did take notes when you were assembling the list, so you can tell which IP belongs to which service, right? Because you (or future IT admins) won’t be able to tell which is which just by looking at a long list of IPs.

Finally, humans tend to be really bad at managing lists of digits. Typos, transpositions, dropped periods, and other kinds of errors pop up all the same. For this reason, SPF flattening is fragile, brittle, error-prone, and winds up creating a significant maintenance overhead.
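The failure modes listed above (typos, provider IP changes, incomplete lists) can be checked mechanically. The following added example, which is not from the original article, audits a flattened record against the networks a provider currently publishes; the record, the provider list, and the function names are all constructed for illustration.

```python
import ipaddress

# Constructed sample data: a record flattened some time ago, and the networks
# a hypothetical provider publishes today.
FLATTENED = ("v=spf1 ip4:192.0.2.0/25 ip4:198.51.100.0/24 "
             "ip4:203.0.113.300/32 ip6:2001:db8:1::/48 ~all")
PROVIDER_NOW = ["192.0.2.0/24", "2001:db8:1::/48", "2001:db8:2::/48"]

def parse_flattened(record):
    """Split ip4:/ip6: terms into valid networks and malformed terms."""
    nets, malformed = [], []
    for term in record.split()[1:]:
        kind, _, value = term.lstrip("+-~?").partition(":")
        if kind.lower() not in ("ip4", "ip6"):
            continue
        try:
            net = ipaddress.ip_network(value, strict=True)
            if net.version != int(kind[-1]):   # e.g. an IPv6 range under ip4:
                raise ValueError("address family mismatch")
            nets.append(net)
        except ValueError:                     # typo, bad octet, host bits set
            malformed.append(term)
    return nets, malformed

def audit(record, provider_now):
    """Report malformed terms, stale authorizations and uncovered provider ranges."""
    nets, malformed = parse_flattened(record)
    current = [ipaddress.ip_network(p) for p in provider_now]

    def covered(net, pool):
        return any(net.version == p.version and net.subnet_of(p) for p in pool)

    return {
        "malformed": malformed,
        # Still authorized by you, no longer used by the provider.
        "stale": [str(n) for n in nets if not covered(n, current)],
        # Used by the provider, not fully authorized by you: mail will fail SPF.
        "missing": [str(p) for p in current if not covered(p, nets)],
    }

if __name__ == "__main__":
    for key, items in audit(FLATTENED, PROVIDER_NOW).items():
        print(key, items)
```

Stale entries matter as much as missing ones: a range the provider has released may be reassigned, and the flattened record keeps authorizing whoever sends from it.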

If you’re unsure of whether you’re flattening your SPF record or exceeding the lookup limit, use our free SPF record checker.

How to avoid too many DNS lookups

Instead of manually expanding SPF records and constantly monitoring for IP changes, automated SPF technology dynamically manages your SPF record in real-time. Here’s how it works:

  1. Dynamic SPF Records: A specialized service hosts a DNS record that responds to SPF queries in real-time, calculating the authorized senders on demand.
  2. Unlimited Service Integration: You can authorize as many cloud services as needed without worrying about the 10-lookup limit.
  3. Real-Time IP Updates: The system automatically tracks IP address changes from all your service providers, eliminating manual maintenance.
  4. Zero Maintenance: Once set up, the system works continuously without requiring constant monitoring or updates.

Automated solutions like Valimail Instant SPF® provide several advantages over manual SPF flattening:

  • Set It and Forget It: No need to constantly monitor or update IP addresses.
  • Future-Proof: Works with any new services you add without modification.
  • Error-Free: Eliminates human error in managing complex IP lists.
  • Standards Compliant: Fully compatible with the SPF specification and supported by all major mail providers.
  • Scales with Your Business: No matter how many services you add, the system handles them automatically.

The alternative to SPF flattening: Valimail Instant SPF

Valimail’s patented SPF solution, Valimail Instant SPF®, solves the SPF 10-lookup limit without recourse to SPF flattening. Valimail Enforce includes the company’s unique, patented Instant SPF technology.

Valimail Instant SPF is the only automated SPF technology on the market. Built on Valimail’s global, cloud-based infrastructure, it generates a tailored SPF record in milliseconds in response to each mail server request.

It’s scalable, fail-safe, and serves SPF records. Our approach is completely compliant with the SPF standard and is supported by every receiver that complies with the SPF specification, including all major ISPs and SEGs.

“As a CTO, my team and I were spending too much time troubleshooting DMARC issues, managing complex SPF records, and ensuring our email security policies didn’t disrupt legitimate business communication. Valimail’s DMARC solution completely changed that. Their automated solution platform did the heavy lifting, eliminating SPF flattening issues, streamlining DKIM authentication, and providing real-time visibility into our email ecosystem.”

– Nicholas Costa, CTO at SoaringTowers

Instant SPF is just one feature you’ll have access to with Valimail Enforce. Our product will help you get to DMARC enforcement quickly and stay at continuous enforcement.

Frequently asked questions about SPF flattening

What is SPF Flattening?

SPF flattening is the practice of manually replacing domain-based include mechanisms in your SPF record with direct IP addresses. The goal is usually to reduce DNS lookups. However, this method creates static records that quickly become outdated as providers change their sending IPs. Flattening increases your maintenance burden and often leads to SPF failures when IP addresses shift or new senders are added.

Why do some people choose to flatten their SPF record?

Most people flatten SPF to avoid hitting the 10 DNS lookup limit set by the SPF specification. They believe flattening is a workaround because it reduces the number of DNS queries during email authentication. However, flattening only addresses the symptom, not the root cause, and often introduces new problems like outdated IPs, broken records, or unintentional lookup loops.

What happens if I exceed the SPF lookup limit?

If your SPF record causes more than 10 lookups, most email receivers will treat it as a permanent SPF failure. This can result in mail delivery issues, messages being quarantined, or even outright rejection. The recipient’s server doesn’t care why the lookup limit was exceeded — it just fails the check. To avoid this issue, use Valimail’s patented Instant SPF.
