What is SPF flattening?
A practical guide to SPF flattening, including what a flattened record looks like, why teams consider it, and what risks it introduces.
Tools For This Topic
What SPF flattening means
SPF flattening is the process of replacing include-based SPF mechanisms with direct IP address entries (ip4 and ip6).
Instead of relying on recursive lookups to external domains, a flattened record lists all authorised sending IPs explicitly.
Why teams consider flattening
Flattening is typically considered when an SPF record approaches or exceeds the 10 DNS lookup limit imposed by the SPF specification.
It can also make the effective sending infrastructure more visible by consolidating all allowed IPs into a single record.
Standard vs flattened SPF example
A typical include-based SPF record might look like:
example.com. 3600 IN TXT "v=spf1 include:spf.protection.outlook.com include:_spf.google.com -all"A flattened equivalent would expand those includes into explicit IP ranges:
example.com. 3600 IN TXT "v=spf1 ip4:203.0.113.10 ip4:203.0.113.11 ip4:203.0.113.12 ip6:2001:db8::1 -all"This removes recursive lookups but requires manual or automated maintenance.
How SPF lookup limits relate to flattening
SPF evaluation is limited to 10 DNS lookups, including mechanisms like include, redirect, mx, and a.
Exceeding this limit results in a permerror, which can cause legitimate email to fail authentication.
v=spf1 include:a.example.com include:b.example.com include:c.example.com include:d.example.com include:e.example.com include:f.example.com include:g.example.com include:h.example.com include:i.example.com include:j.example.com include:k.example.com -allIn this example, the lookup limit would be exceeded, making flattening or restructuring necessary.
Benefits
- Eliminates recursive DNS lookups during SPF evaluation
- Reduces risk of exceeding the 10 lookup limit
- Provides a clear, explicit view of authorised sending IPs
Risks
- Third-party provider IP ranges may change without notice
- Flattened records can quickly become outdated
- Manual maintenance increases operational overhead
- Large flattened records may approach DNS size limits
What to check before flattening
- Current SPF lookup count and whether it exceeds limits
- Which sending services are actually required
- How frequently provider IP ranges change
- Whether automation is available to keep the record updated
- Whether restructuring (e.g. removing unused includes) is sufficient instead
# Check SPF record
dig TXT example.com
# Identify includes
nslookup -type=txt example.comWhen flattening makes sense
Flattening can be useful in controlled environments where sending IP ranges are stable and well understood.
It is often combined with automation tools that periodically rebuild SPF records based on provider data.
Without automation, flattening introduces risk and should be approached carefully.
Common mistakes
- Flattening without ongoing maintenance or automation
- Not validating that all required IPs are included
- Breaking SPF alignment by removing necessary includes
- Assuming flattening is always required instead of optimising the record
Use These DNS Pro Tools
If you want to validate this topic in practice, these DNS Pro tools are the fastest next step.
Related Tools
Related Articles
What Is TLS-RPT? SMTP TLS Reporting Explained
A practical reference guide to TLS-RPT, including what the record looks like, what the tags mean, and how it fits alongside MTA-STS.
How to Check an SPF Record
A practical guide to checking an SPF record, including where to look, how to read includes and qualifiers, and how to spot common SPF problems.
How to Check Reverse DNS for Mail (Step-by-Step Guide)
A practical guide to checking reverse DNS for mail servers, including PTR records, forward confirmation (FCrDNS), and what good mail-related reverse DNS looks like.