Domainee
Sign inGet started

SPF flattening

SPF flattening replaces include: references with raw IPs to dodge SPF's 10-DNS-lookup limit. Necessary evil for big senders; comes with maintenance debt.

SPF flattening is the practice of replacing include: mechanisms in your SPF record with the raw IP addresses they resolve to, so you don't hit SPF's 10-DNS-lookup limit.

The 10-lookup limit

RFC 7208 caps SPF at 10 DNS lookups per evaluation. Every include:, a, mx, exists, and redirect= counts toward this. Exceed it and SPF returns PermError, which usually means receivers drop the mail.

A modest SaaS easily hits the cap:

  • include:_spf.google.com → 4 lookups under the hood.
  • include:spf.mailchimp.com → 3 lookups.
  • include:sendgrid.net → 2 lookups.
  • include:_spf.salesforce.com → 5 lookups.

You've burned past 10 just by enumerating four legitimate senders.

How flattening works

Take a record like:

v=spf1 include:_spf.google.com include:spf.mailchimp.com ~all

Resolve each include: and inline the IPs:

v=spf1 ip4:209.85.220.41 ip4:209.85.220.65 ip4:64.233.165.51 ip4:64.233.165.52 ip4:198.2.179.78 ip4:198.2.179.79 ~all

Zero include: references. Zero DNS lookups beyond the SPF record itself.

The downside

The IPs aren't yours. When Google or Mailchimp adds new sending IPs (and they do, often), your flat SPF won't know. Your legitimate mail starts failing SPF until you re-flatten.

How teams handle the maintenance debt

Three options:

  1. Manual quarterly refresh. Re-resolve the original include: chains, regenerate the flat record, deploy. Time-consuming and prone to forgetting.
  2. Automated flattening services. EasyDMARC, dmarcian, Valimail, Cloudflare offer hosted flatteners that re-resolve nightly and auto-update your record via DNS API.
  3. Just consolidate senders. Use one ESP for transactional, one for marketing, drop the rest. Then a 5-sender SPF record stays under 10 lookups without flattening.

Path 3 is the least sexy and the most durable.

Don't flatten before fixing alignment

If your DMARC is failing because of DKIM alignment or you haven't enrolled all senders, SPF flattening won't help. Fix alignment first. Flatten only when alignment is solid and you've genuinely hit the cap on legitimate senders.

Want this handled for you? Start free with Domainee — 50 custom domains + 100 GB bandwidth, no card.