Introduction
One of the biggest challenges organizations face is managing multiple legitimate email vendors and maintaining a valid SPF (Sender Policy Framework) record. Large enterprises with complex email infrastructures often hit the SPF DNS lookup limit of 10, which can lead to SPF failures, negatively affecting email deliverability and domain reputation.
SPF flattening is the process of resolving and replacing the include mechanisms in SPF records with their corresponding IP addresses, thereby reducing DNS lookups. However, manually flattening an SPF record is not scalable, as vendor IPs can change frequently.
This is where tools like Aquila | SPF Flattening come into play. Aquila not only flattens SPF records but also monitors changes made by third-party email vendors and automatically updates the DNS record — without requiring manual DNS login or edits.
What is SPF?
Sender Policy Framework (SPF) is an email authentication protocol designed to prevent email spoofing. It works by publishing a TXT record in the domain's DNS, which specifies the IP addresses and domains that are authorized to send emails on behalf of that domain.
Example SPF record for domain aquilai.io:
v=spf1 include:spf.protection.outlook.com include:zoho.in include:sendgrid.net ip4:202.66.175.61 ip4:101.53.144.148 ~all
In this record, the include mechanisms authorize Microsoft (Outlook), Zoho, and SendGrid to send emails on behalf of aquilai.io. The ip4 mechanisms specify additional IP addresses that are also allowed to send emails.
This ensures that only the listed vendors and IPs are permitted to send emails using the domain. Any unauthorized sender will fail the SPF check, helping to protect against spoofing.
Understanding SPF Limitations
SPF comes with a key limitation — it allows a maximum of 10 DNS lookups. Each include, a, mx, or ptr mechanism generally counts toward this limit. If the total number of lookups exceeds 10, the SPF check will fail, potentially leading to email delivery issues, such as legitimate emails being rejected or flagged as spam.
| SPF Mechanism | Counts as DNS Lookup? |
| --- | --- |
| include: | Yes |
| a | Yes |
| mx | Yes |
| ptr | Yes (and not recommended) |
| ip4: / ip6: | No |
What is SPF Flattening?
SPF flattening is the process of resolving the domains specified in the include mechanisms of an SPF record to their actual IP addresses, and then listing those IPs directly within a single SPF string for the domain.
Before flattening:
v=spf1 include:vendor1.com include:vendor2.com ~all
After flattening:
v=spf1 ip4:192.0.2.1 ip4:192.0.2.2 ip4:198.51.100.1 ip4:198.51.100.2 ~all
The SPF Flattening Process
SPF flattening is a comprehensive and multi-step process. It begins by retrieving the SPF records of all domains referenced via include mechanisms. The system then identifies all DNS-based mechanisms that contribute to the SPF lookup count, resolves them to their corresponding IP addresses, and compiles these into a single list.
During this process, duplicate entries and deprecated mechanisms (such as ptr or overly nested includes) are removed to optimize the record for modern email infrastructure. The final result is a consolidated SPF record that contains only IP addresses—eliminating the need for additional DNS lookups and ensuring compliance with the SPF 10-lookup limit.
Flattening Process Steps:
Retrieve all SPF records from include mechanisms
Identify and resolve all DNS-based mechanisms
Compile IP addresses into a single list
Remove duplicate entries and deprecated mechanisms
Create a consolidated SPF record with only IP addresses
Monitor for changes in included domains' SPF records
Automatically update the flattened record when needed
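The lookup counting and the flattening steps described above can be seen end to end in the following added example (not Aquila's code and not part of the original article). DNS is replaced by small constructed tables so it runs offline; the domains, addresses, and the function names resolve, flatten and needs_update are assumptions made for illustration, and CIDR suffixes on a/mx terms are not handled.

```python
import ipaddress

# Constructed stand-in for DNS so the example runs offline; every name and
# address below is a documentation value, not real vendor data.
TXT = {
    "example.org": "v=spf1 include:vendor1.example include:vendor2.example mx ptr ~all",
    "vendor1.example": "v=spf1 ip4:192.0.2.1 ip4:192.0.2.2 include:shared.example -all",
    "vendor2.example": "v=spf1 ip4:198.51.100.0/24 a:mail.vendor2.example -all",
    "shared.example": "v=spf1 ip4:192.0.2.1 ip6:2001:db8:25::/48 -all",
}
MX = {"example.org": ["mx1.example.org"]}
ADDR = {"mail.vendor2.example": ["198.51.100.7"], "mx1.example.org": ["203.0.113.25"]}

def resolve(domain, nets, path=()):
    """Collect authorized networks into nets; return DNS lookups consumed."""
    if domain in path:                      # include loop: stop descending
        return 0
    lookups = 0
    for term in TXT[domain].split()[1:]:    # skip the leading "v=spf1"
        name, _, arg = term.lstrip("+-~?").partition(":")
        if name in ("ip4", "ip6"):          # literal addresses: no lookup
            nets.add(ipaddress.ip_network(arg, strict=False))
        elif name == "include":             # one lookup plus the nested record's
            lookups += 1 + resolve(arg, nets, path + (domain,))
        elif name in ("a", "mx", "ptr"):    # one lookup each
            lookups += 1
            target = arg or domain
            hosts = {"a": [target], "mx": MX.get(target, []), "ptr": []}[name]
            for host in hosts:              # ptr yields nothing: dropped as deprecated
                nets.update(ipaddress.ip_network(ip) for ip in ADDR[host])
    return lookups

def flatten(domain, tail="~all"):
    """Return (flattened record, lookups the original record needed)."""
    nets = set()
    lookups = resolve(domain, nets)
    terms = []
    for version in (4, 6):                  # collapse removes duplicates and covered hosts
        same = [n for n in nets if n.version == version]
        for n in ipaddress.collapse_addresses(same):
            text = n.network_address if n.prefixlen == n.max_prefixlen else n
            terms.append(f"ip{version}:{text}")
    return " ".join(["v=spf1", *terms, tail]), lookups

def needs_update(published, domain):
    """Monitoring step: True when vendor data no longer matches the published record."""
    return set(published.split()) != set(flatten(domain)[0].split())
```

Here the original record costs 6 lookups, and the flattened record costs none; 198.51.100.7 disappears from the output because the /24 from the same vendor already covers it.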
Benefits of Using Aquila | SPF Flattening
Implementing SPF flattening with Aquila offers a range of benefits for organizations looking to improve email deliverability and simplify SPF record management:
Stay Within SPF Lookup Limits
Eliminate the risk of SPF failures caused by exceeding the 10 DNS lookup limit.
Improve Email Deliverability
Reduce the chances of your legitimate emails being rejected or flagged as spam due to invalid SPF records.
Automated Vendor IP Tracking
Aquila automatically monitors and updates IPs from third-party vendors like Microsoft, Zoho, SendGrid, and others—no manual tracking or intervention needed.
DNS-Free Updates
No need to log in to your DNS provider to make SPF changes. Aquila syncs updates seamlessly on your behalf.
Optimized and Clean SPF Records
Duplicate, deprecated, or unsupported mechanisms are automatically removed, ensuring a clean and compliant SPF record.
Enhanced Security and Control
Maintain full visibility over which IPs are authorized to send on your behalf with detailed logs and real-time monitoring.
Best Practices for Dynamic SPF Management
When implementing a dynamic SPF strategy with flattening tools, consider these best practices:
Regular monitoring: Even with automated solutions, regularly check your SPF record status and deliverability metrics.
Backup mechanisms: Consider implementing DKIM and DMARC alongside SPF for multi-layered email authentication.
Change management: Document all email sending services and vendors in use to ensure complete coverage in your SPF policy.
Vendor communication: Establish channels with your email vendors to be notified of IP infrastructure changes.
Testing: Before deploying changes to production, test flattened SPF records in a controlled environment.
Gradual rollout: When transitioning to flattened SPF, consider a phased approach to minimize potential disruptions.
Conclusion
SPF flattening is a crucial technique for organizations dealing with complex email infrastructures and multiple vendors. By resolving include mechanisms to their IP addresses and consolidating them into a single SPF record, businesses can overcome the 10 DNS lookup limit while maintaining robust email authentication. Tools like Aquila | SPF Flattening make this process seamless and automated, ensuring that your SPF records stay current, compliant, and effective in protecting your domain's email reputation.