
What is SPF flattening?


As businesses grow and use multiple email services, they add SPF "include" entries to their DNS records for email authentication. However, this can cause the "too many DNS lookups" issue, because evaluating an SPF record may trigger at most 10 DNS lookups. SPF flattening simplifies the "include" entries by replacing them with "ip4" and "ip6" addresses in the TXT record.


According to RFC 7208, section 4.6.4, SPF evaluation must be limited to a maximum of 10 DNS lookups to ensure efficiency and prevent performance issues.



How does SPF flattening work?

Let's consider a typical SPF record for the domain example.com:



This record uses several “include” mechanisms, each of which requires a DNS lookup to resolve. If any of these included domains have their own includes, you can quickly hit the limit of 10 lookups.


SPF flattening works by resolving all these “include” statements into their constituent IP addresses. Here’s how the flattening process works:


  • Check Record: The process checks the original SPF record to see if it contains any “include” mechanisms.

  • DNS Lookup: If it does, for each “include” mechanism, the flattening process performs a DNS lookup to find the SPF record it points to.

  • Recursive Resolution: This process repeats until all “include” statements are replaced with actual IP addresses.

  • Removing Duplicates: Once all IP addresses are collected, duplicates are removed to optimize the record.

  • Consolidating IP addresses: Where possible, individual IP addresses are consolidated into IP ranges to make the record more concise.

  • Simplifying the syntax: Removing unnecessary qualifiers (like +, -, ~, ?) to make the SPF record as clear, efficient, and easy to maintain as possible, while still accurately representing the intended email sending policy.
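The steps above carried out in code, as an added example that is not part of the original article: a constructed offline zone (FAKE_TXT) stands in for live DNS TXT lookups, count_lookups applies the RFC 7208 section 4.6.4 counting, flatten resolves "include" terms recursively, and flattened_record removes duplicates, merges adjacent ranges and keeps the top-level "all" term. Qualifiers are only dropped where that is safe: a "+" (or no qualifier) term is copied up, while "-", "~" and "?" terms are left out because stripping their qualifier would change the policy.

```python
import ipaddress

# Constructed sample zone standing in for live DNS TXT lookups (offline example).
FAKE_TXT = {
    "example.com": "v=spf1 include:_spf.mailer.example include:relay.example -all",
    "_spf.mailer.example": "v=spf1 ip4:192.0.2.0/25 ip4:192.0.2.128/25 include:_spf2.mailer.example ~all",
    "_spf2.mailer.example": "v=spf1 ip6:2001:db8::/32 ip4:198.51.100.10 -all",
    "relay.example": "v=spf1 ip4:198.51.100.10 ip4:203.0.113.0/24 -all",
}

def _terms(domain, resolver):
    record = resolver.get(domain, "")
    return record.split()[1:] if record.startswith("v=spf1") else []

def count_lookups(domain, resolver=FAKE_TXT, path=()):
    """Count DNS-querying terms as RFC 7208 section 4.6.4 does (limit is 10)."""
    if domain in path:  # include loop: stop here instead of recursing forever
        return 0
    total = 0
    for term in _terms(domain, resolver):
        mech = term.lstrip("+-~?").split(":", 1)[0].split("/", 1)[0]
        if mech in ("a", "mx", "ptr", "exists") or term.startswith("redirect="):
            total += 1
        elif mech == "include":
            total += 1 + count_lookups(term.split(":", 1)[1], resolver, path + (domain,))
    return total

def flatten(domain, resolver=FAKE_TXT, path=()):
    """Resolve include: terms recursively into ip4/ip6 networks (steps 1-3)."""
    if domain in path:
        return []
    nets = []
    for term in _terms(domain, resolver):
        if term[0] in "-~?":  # dropping these qualifiers would alter the policy
            continue
        term = term.lstrip("+")  # "+" is the default, so it can be removed safely
        if term.startswith("include:"):
            nets.extend(flatten(term[8:], resolver, path + (domain,)))
        elif term.startswith(("ip4:", "ip6:")):
            nets.append(ipaddress.ip_network(term[4:], strict=False))
    return nets

def flattened_record(domain, resolver=FAKE_TXT):
    """Dedupe and merge adjacent ranges (steps 4-5); keep the top-level 'all' term."""
    nets = flatten(domain, resolver)
    merged = [n for v in (4, 6)
              for n in ipaddress.collapse_addresses(x for x in nets if x.version == v)]
    parts = [f"ip{n.version}:" + (str(n.network_address) if n.prefixlen == n.max_prefixlen
                                  else n.with_prefixlen) for n in merged]
    all_term = [t for t in _terms(domain, resolver) if t.lstrip("+-~?") == "all"]
    return " ".join(["v=spf1", *parts, *all_term])
```

Running count_lookups on the original record returns 3, and running it on the flattened record returns 0; the two /25 networks collapse into one /24 and the duplicated 198.51.100.10 appears once.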


After flattening, the result would look like this:


Benefits of SPF flattening

  • Reduced DNS Lookups: By removing the "include" mechanism from the SPF record, the recipient's check_host() function only needs to verify a single list in the DNS, rather than checking all the domains specified in the "include" mechanism.

  • Improved Delivery Time: Since the recipient's server no longer needs to examine multiple records, it can quickly check the provided list and take immediate action based on whether the IP is found in the SPF record.

  • Mitigate SPF Record Size Limitations: SPF records cannot exceed 255 characters, and complex or fragmented records can breach this limit, leading to email authentication failures and potentially giving phishers a chance to exploit trusted domains. SPF flattening helps streamline records, ensuring they remain concise and within the character limit.

  • Simplified SPF Management: SPF flattening minimizes administrative overhead and the errors caused by misconfiguration, as you only have to manage a single record. Configuration problems, typos, and redundant syntax often cause email delivery issues.

  • Improved Email Security: By reducing the number of SPF records and DNS lookups, the attack surface for potential exploits or vulnerabilities is minimized. This reduces the likelihood of attackers manipulating SPF records to impersonate legitimate senders or launch phishing attacks.


Cons of SPF flattening

  • Authentication failure: Email service providers frequently add or remove IP addresses to expand servers or prevent blacklisting on RBLs and DNSBLs. If the ADMD fails to update the flattened SPF record with new IP addresses, there is a high risk of legitimate emails failing authentication and being rejected by recipients.

  • Lack of Flexibility and Complex Maintenance: Using IP addresses instead of "include" mechanisms means that any changes to the IP addresses of included services require manual updates to the SPF record. This eliminates the flexibility of automatically inheriting updates and can make maintenance time-consuming and prone to errors, especially if the service provider frequently changes their IP addresses.

  • Increased Record Size: Flattening the SPF record replaces "include" mechanisms with multiple IP addresses, which can substantially enlarge the record. This may make the record more difficult to manage and, in some cases, cause it to exceed the DNS record size limit of 512 octets.

  • Potential for IP Duplication: Flattening may cause duplication of IP addresses across different services, leading to a larger and more cumbersome record. Optimizing the record to remove duplicates may not always be possible.

  • Removal of IPs from SPF Records: SPF flattening makes it challenging for the ADMD to distinguish between active and unused IP addresses provided by service providers, complicating the maintenance of the SPF record.
