Blog

How to Flatten Your SPF Record (And When You Should)

SPF flattening replaces includes with IPs to avoid the 10 lookup limit. Learn how it works and whether it's right for you.

Published November 17, 2025
spf dns spf-flattening email-authentication
Step-by-step SPF record flattening process

SPF flattening resolves all include: statements to their underlying IP addresses, reducing your DNS lookup count to nearly zero. It’s a solution for when you’ve hit the 10 lookup limit and can’t remove any services. But it comes with maintenance burden and risks.

This guide covers how flattening works, how to do it, and when you should (or shouldn’t) use it.

The Problem Flattening Solves

SPF has a 10 DNS lookup limit. Each include: uses at least one lookup, and nested includes compound the problem.

A typical record might look like:

v=spf1 include:_spf.google.com include:spf.protection.outlook.com 
include:sendgrid.net include:servers.mcsv.net include:amazonses.com -all

That’s 5 includes, but they contain nested lookups:

IncludeLookups
_spf.google.com3
spf.protection.outlook.com2
sendgrid.net1
servers.mcsv.net2
amazonses.com1
Total9

You’re at 9. Add one more service and you hit permerror.

How Flattening Works

Flattening resolves those includes to the actual IP addresses they represent:

Before (9 lookups):

v=spf1 include:_spf.google.com include:sendgrid.net -all

After flattening (0 lookups):

v=spf1 ip4:35.190.247.0/24 ip4:64.233.160.0/19 ip4:66.102.0.0/20 
ip4:66.249.80.0/20 ip4:72.14.192.0/18 ip4:74.125.0.0/16 
ip4:108.177.8.0/21 ip4:173.194.0.0/16 ip4:209.85.128.0/17 
ip4:167.89.0.0/17 ip4:168.245.0.0/17 -all

Now there are no DNS lookups—just direct IP comparisons.

The Flattening Process

Manual Flattening

You can flatten manually by tracing each include:

  1. Look up each include: domain’s SPF record
  2. If that record has includes, look those up too
  3. Collect all ip4: and ip6: addresses
  4. Replace includes with the collected IPs

This is tedious and error-prone. One wrong IP and you break email.

Automated Flattening

Most people use tools or services that:

  1. Resolve all includes automatically
  2. Generate the flattened record
  3. Monitor for IP changes
  4. Alert you (or auto-update) when providers change IPs

Some options:

  • Scripts you run periodically (open source tools exist)
  • Managed services that handle it for you
  • DNS providers with built-in flattening

The Risks of Flattening

Risk 1: Provider IP Changes

When Google or SendGrid adds new IP ranges (which they do regularly), your flattened record becomes incomplete. Email from new IPs fails SPF.

Mitigation: Automated monitoring and updates. Never flatten and forget.

Risk 2: Record Length Limits

Flattened records can get very long. DNS TXT records have a 255-character limit per string (though multiple strings can be concatenated). Very complex setups might not fit.

Mitigation: Use CIDR notation to consolidate IP ranges. Some tools optimize for record length.

Risk 3: Maintenance Burden

You’re now responsible for keeping IP addresses current. This is operational overhead that include: statements handle automatically.

Mitigation: Automation. If you can’t automate it, flattening might not be right for you.

Risk 4: Losing Provider Context

Looking at include:sendgrid.net tells you what it’s for. Looking at ip4:167.89.0.0/17 doesn’t. Documentation becomes critical.

Mitigation: Keep a documented mapping of which IPs belong to which service.

When to Flatten

Good candidates for flattening:

  • You’re at 10+ lookups and have removed all unnecessary includes
  • You have automation in place to keep IPs current
  • Your providers have relatively stable IP ranges
  • You understand the maintenance commitment

Poor candidates for flattening:

  • You’re managing SPF manually (no automation)
  • You’re at 7-8 lookups (optimize first, flatten later if needed)
  • Your providers frequently change IPs
  • You don’t have monitoring for IP changes

Alternatives to Flattening

Before flattening, try these:

1. Remove Unused Services

That ESP you canceled six months ago? Its include is still costing you lookups. Audit and remove.

2. Use Subdomains

Move some email to subdomains with their own SPF records:

  • marketing.company.com for Mailchimp
  • notifications.company.com for transactional email

Each subdomain gets its own 10 lookups.

3. Consolidate Sending Services

Do you really need three different marketing platforms? Consolidation reduces includes.

4. Partial Flattening

Flatten only specific includes—maybe the ones that have the most nested lookups—while keeping simpler includes intact.

How to Flatten (If You Decide To)

  1. Use dig or online tools to resolve each include
  2. Trace nested includes
  3. Collect all IP ranges
  4. Build the flattened record
  5. Set up monitoring for changes
  6. Update manually when notified

Option 2: Open Source Tools

Several tools automate flattening. Look for ones that:

  • Resolve includes recursively
  • Generate optimized output
  • Support scheduled runs
  • Alert on changes

Option 3: Managed Services

Services that manage your SPF record:

  • Maintain the flattened record automatically
  • Update when providers change IPs
  • May use DNS techniques like macros or split records

Monitoring Your Flattened Record

Once flattened, monitor for:

  1. IP changes from providers — Subscribe to provider status pages or use monitoring tools
  2. SPF failures in DMARC reports — New IPs will show as failures
  3. Provider announcements — Major ESPs announce IP range changes

Verkh monitors your authentication results and can alert you when unexpected SPF failures appear—a sign your flattened record might be stale.

A Hybrid Approach

You don’t have to flatten everything. Consider:

v=spf1 include:_spf.google.com ip4:167.89.0.0/17 ip4:168.245.0.0/17 
include:servers.mcsv.net -all

Here, SendGrid is flattened (2 lookups saved) but Google and Mailchimp use includes (easier to maintain). You’ve reduced lookups without fully committing to flattening.

The Bottom Line

  • Flattening solves the 10 lookup limit by replacing includes with IPs
  • It requires ongoing maintenance—IPs change
  • Automate or don’t flatten
  • Try alternatives first: remove unused includes, use subdomains
  • Partial flattening can be a reasonable compromise

Flattening isn’t magic. It trades one problem (lookup limit) for another (maintenance burden). Make sure that’s a trade worth making.

For more on SPF configuration, see our SPF Troubleshooting Guide and SPF 10 DNS Lookup Limit.

Verkh monitors your SPF record and alerts you to authentication failures that might indicate stale flattened IPs. Track your SPF health at verkh.io.

Related Articles

Explanation of the SPF 10 DNS lookup limit

December 2025

The SPF 10 DNS Lookup Limit Explained

SPF records are limited to 10 DNS lookups. Learn why this limit exists, how to check your lookup count, and how to fix SPF permerror when you exceed it.

SPF PermError troubleshooting guide

November 2025

What Does SPF Permerror Mean? (And How to Fix It)

SPF permerror means your record has a permanent error. Learn the common causes—syntax errors, too many lookups—and fixes.

SPF softfail versus hardfail comparison

November 2025

SPF Softfail vs Hardfail: Which Should You Use?

~all (softfail) vs -all (hardfail) determines how strictly receivers treat SPF failures. Learn which to use and when to switch from softfail to hardfail.

Ready to implement this?

Verkh helps you monitor DMARC, identify issues, and reach enforcement. Start free.

Start Free