SPF Include Flattening
SPF include flattening is the process of replacing SPF include mechanisms with the actual IP addresses they resolve to. This technique is commonly used to reduce the number of DNS lookups performed during SPF evaluation. SPF has a strict limit of ten DNS lookups, and complex email infrastructures can easily exceed that limit when multiple providers are used.
One-Minute Fix
If your SPF record exceeds the DNS lookup limit, flatten the include mechanisms by replacing them with the IP addresses returned by those providers.
v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.5 include:_spf.google.com ~allThis record replaces some include lookups with direct IP ranges while still keeping Google Workspace authorization.
Re-checkWrong vs correct setup
Unflattened SPF example
v=spf1 include:_spf.google.com include:sendgrid.net include:mailgun.org include:amazonses.com ~allThis configuration may exceed the SPF DNS lookup limit if each include expands into multiple nested lookups.
Flattened SPF example
v=spf1 ip4:167.89.0.0/17 ip4:192.0.2.0/24 include:_spf.google.com ~allFlattening replaces nested includes with IP ranges to stay under the 10-lookup SPF limit.
Why this happens
Many modern email systems rely on include mechanisms to delegate SPF policies. When several services are combined, the total number of DNS lookups can exceed SPF limits.
Why this is a problem
- SPF evaluation stops after 10 DNS lookups.
- Receivers may return SPF permerror.
- Legitimate email may fail authentication.
- DMARC alignment may break.
How this affects deliverability
When SPF exceeds lookup limits, receivers treat the record as invalid. That reduces authentication reliability and may lower sender trust.
Common causes
- Several ESPs were added over time and each added another include chain.
- Old sending providers remained in SPF even after they stopped sending mail.
- Nested includes from third-party providers expanded far more than expected.
- No one reviewed the total SPF lookup count after adding new services.
What we checked
We evaluated whether the SPF policy structure is likely to exceed the 10-DNS-lookup limit and whether flattening is being used to reduce that complexity.
Live DNS lookup. No login. No saved domains. No tracking.
FAQ
Does SPF flattening always improve deliverability?
Not automatically. It mainly helps when your SPF policy is too lookup-heavy. If done badly, flattened records can become outdated and break legitimate mail.
Is manual flattening risky?
Yes. If provider IP ranges change and you do not update the flattened record, mail that used to pass SPF may start failing.
When should I flatten SPF?
Flatten SPF when cleanup alone is not enough and your policy is close to or above the 10-lookup limit.
Next steps
- Count the effective SPF lookup depth before flattening anything.
- Remove obsolete providers first so you do not flatten unnecessary entries.
- Flatten only the parts of SPF that truly need it.
- Document who maintains the flattened record going forward.
- Re-check SPF regularly so the flattened IP ranges do not become stale.
- Review the full troubleshooting guidance in the SPF Hub.
- Check signing and selector issues in the DKIM Hub.
- Review alignment and policy issues in the DMARC Hub.