Skip to main content

SPF Flattener

RFC 7208 caps an SPF record at 10 DNS lookups end-to-end. Domains that combine Google Workspace, HubSpot, Mailchimp, and a custom relay routinely blow past it. Mail starts failing authentication with PermError. This tool recursively expands every include:, redirect=, a, and mx mechanism down to the underlying ip4: / ip6: literals. Result: zero DNS lookups at evaluation time.

We'll fetch the published SPF record and walk every nested include.

or

Useful when you're staging a record before publishing it.

What the SPF flattener does (SPF too many DNS lookups)

This SPF flattener takes a record that triggers too many DNS lookups and rewrites it as raw ip4: and ip6: ranges. It recursively resolves every include:, redirect=, a, and mx down to the IPs behind them, so the published record evaluates with no lookups at all.

Why it matters

RFC 7208 limits an SPF record to 10 DNS lookups. Stack a few SaaS senders, Google Workspace plus a marketing platform plus a transactional relay, and you cross that line. Receivers then return a PermError and stop honoring your SPF, so legitimate mail can fail authentication. Flattening removes the lookups entirely, which is the most reliable way to clear "SPF too many DNS lookups" without dropping any of your real senders.

How to read the result

The verdict shows the lookup count before and after, the number of IP entries, and the byte length. Publish the flattened record in place of your existing one, keeping exactly one SPF record on the domain. The trade-off: a flattened record is a snapshot. When a provider changes its sending IPs, your record will not follow automatically, so re-flatten every 90 days or use it as a stopgap while you reduce includes.

Related

Frequently asked questions

What does SPF flattening do?

Flattening recursively expands every include, redirect, a, and mx mechanism in your SPF record down to the raw IP4 and IP6 ranges they resolve to. The authorised senders stay the same, but the receiver no longer has to perform a DNS lookup for each mechanism, so you drop under the RFC 7208 10-lookup limit.

When should I flatten my SPF record?

When the SPF checker reports you are at or over 10 DNS lookups and receivers are returning PermError. If you are comfortably under the limit, flattening is unnecessary and adds maintenance, because flattened IPs do not auto-update when a provider changes theirs.

What is the downside of a flattened SPF record?

Flattened IPs are a snapshot. If a sending provider changes its IP ranges, your flattened record goes stale and legitimate mail can fail SPF until you re-flatten. Re-flatten on a schedule, or only flatten the includes that pull in the most lookups and leave stable ones as includes.

How do I confirm the flattened record works?

Publish it as the single SPF TXT record at your domain apex, wait for propagation, then re-run the SPF checker to confirm the lookup count is under 10 and the record still validates.


Want ongoing monitoring?

This tool is a one-shot check. PhishFence watches your domain with automated hourly monitoring (daily on Free) for DMARC changes, new lookalike registrations, and spoofing attempts.

Start free monitoring