Flattening your SPF record
The Problem: The DNS ten-lookup rule
OK, so you’ve previously read about the limitation of ten DNS lookups within an SPF record and the possible solutions available. This article covers one specific method of getting around this limit: Flattening your SPF record.
Sample SPF record:
Below is a sample (but real) SPF record for our domain spftestrecord.info. This is a pretty typical SPF record and represents authorizing a number of email servers on the internet to send emails on behalf of our domain:
v=spf1 ip4:104.207.254.155 include:_spf.google.com include:email.freshdesk.com include:servers.mcsv.net ~all
The record contains references to four (4) groups of email servers that we are authorizing to send email on our behalf:
ip4:104.207.254.155 - This represents a web server that has a sendmail function that is rarely used (just a single IP address)
include:_spf.google.com - This represents a Google Workspace org set up for the company
include:email.freshdesk.com - This represents a Freshdesk instance we will use to support customers
include:servers.mcsv.net - This represents a Mailchimp account we will use to send newsletters
If you head over to the dmarcian SPF test tool and test out the domain spftestrecord.info, you’ll see that this simple SPF record results in 13 DNS lookups, which is three more than are allowed.
If you expand out the lookups in the SPF tool (using the plus signs), you can actually count all 13 of the DNS lookups required to convert all those hostnames into a list of pure IP addresses.
And you’ll also see that the ten lookup limit gets hit about halfway through the Freshdesk record (which requires 8 lookups !?!). This means that there is no chance of your Mailchimp servers being authorized since mail servers give up after 10 lookups.
What is SPF flattening?
When hostnames are evaluated in an SPF record, they are simply converted into IP addresses. Flattening basically means evaluating your desired SPF record, converting all the hostnames into IP addresses along the way, and then building your SPF record completely out of IP addresses instead of hostnames.
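The lookup count and the flattening step described above, as an added example (not code from this article or from any of the tools it names): it walks a constructed, in-memory set of TXT records instead of live DNS, shaped to cost 4 + 8 + 1 = 13 lookups like the sample record. The example.org zone, every address, and the `walk` and `flatten` helpers are assumptions for illustration, and only ip4, ip6 and include terms are handled.

```python
import ipaddress

LOOKUP_LIMIT = 10  # RFC 7208 section 4.6.4: more than 10 lookups gives permerror

# Constructed TXT records standing in for live DNS. All names and addresses are
# example values (not real provider data), shaped to need 4 + 8 + 1 = 13 lookups.
ZONE = {
    "example.org": "v=spf1 ip4:192.0.2.10 include:mail.example "
                   "include:desk.example include:news.example ~all",
    "mail.example": "v=spf1 " + " ".join(f"include:n{i}.mail.example" for i in range(3)) + " ~all",
    **{f"n{i}.mail.example": f"v=spf1 ip6:2001:db8:{i}::/48 ~all" for i in range(3)},
    "desk.example": "v=spf1 " + " ".join(f"include:p{i}.desk.example" for i in range(7)) + " ~all",
    **{f"p{i}.desk.example": f"v=spf1 ip4:203.0.113.{i * 8}/29 ~all" for i in range(7)},
    "news.example": "v=spf1 ip4:198.51.100.128/26 ~all",
}


def walk(domain, zone, found=None, count=None, seen=()):
    """Evaluate left to right, as a receiver does; return (lookups, [(net, lookup_no)])."""
    found = [] if found is None else found
    count = [0] if count is None else count
    for term in zone[domain].split()[1:]:
        kind, _, value = term.partition(":")
        if kind in ("ip4", "ip6"):
            # Record how many lookups had been spent when this network was reached.
            found.append((ipaddress.ip_network(value), count[0]))
        elif kind == "include":
            if value in seen:
                raise ValueError(f"include loop at {value}")
            count[0] += 1  # each include costs one DNS query
            walk(value, zone, found, count, seen + (value,))
    return count[0], found


def flatten(domain, zone):
    """Return (lookups, networks past the limit, flattened record needing no lookups)."""
    lookups, found = walk(domain, zone)
    lost = [net for net, n in found if n > LOOKUP_LIMIT]
    terms = [f"ip{net.version}:{net}" for net, _ in found]
    all_term = zone[domain].split()[-1]  # keep the original ~all / -all policy
    return lookups, lost, " ".join(["v=spf1", *terms, all_term])


if __name__ == "__main__":
    lookups, lost, record = flatten("example.org", ZONE)
    print(f"{lookups} lookups; networks past the limit: {[str(n) for n in lost]}")
    print(record)
```

The networks reported as past the limit are the ones a receiver never gets to authorize with the original record; the flattened record lists them directly and costs no lookups.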
Methods for flattening
Flatten your SPF records manually (NOT RECOMMENDED)
Nobody recommends doing this since the IP addresses of your ESPs can (and will) change over time and you may not be informed.
Use an SPF flattening service
These services will automatically flatten your SPF record into its constituent IP addresses and provide you a simplified, but equivalent SPF record to use. The most important piece here is to choose a service that automatically re-analyzes your original SPF record and updates the list of IP addresses involved. This is not a “set it and forget it” situation!
UniversalSPF - https://universalspf.org - This is a free tool provided by the folks at Fraudmarc that uses some back-end magic to make your SPF record digestible by email servers even if there are more than 10 lookups. There’s no account or settings to manage… it’s free and it just works. Here’s a relevant Reddit thread on this exact topic.
AutoSPF - https://autoSPF.com - is a free/paid SPF flattening service that I’ve not tried since UniversalSPF worked so well for me.
Use UniversalSPF
https://get.ondmarc.redsift.com/spf-limit/