SPF Flattening – Avoid DNS Lookup Limits & PermErrors

Understand why SPF records break in complex environments, how SPF flattening works and where DMARCsimple fits into keeping SPF and DMARC reliable.

What is SPF and why does it break?

Sender Policy Framework (SPF) is a DNS-based mechanism that lists which servers are allowed to send mail on behalf of your domain. Receiving mail servers compare the connecting IP against your SPF record to decide whether the message is authorized.

In simple environments with one or two providers, SPF can be straightforward. In real-world environments with multiple SaaS platforms, legacy systems and nested include: mechanisms, SPF records can quickly hit DNS lookup limits and begin to fail in subtle ways.

The SPF 10 DNS lookup limit

The SPF specification recommends a hard limit of 10 DNS lookups during evaluation. Every include:, a, mx, ptr and exists mechanism can contribute to this count. Once the limit is exceeded, SPF evaluators may treat the record as a permanent error (PermError), which often results in DMARC failures.

Organizations frequently run into this problem when:

  • They use several email platforms (marketing, CRM, support, billing, product notifications).
  • Providers rely on nested include: chains that reference multiple infrastructure vendors.
  • Legacy SPF entries are left in place long after a service has been retired.

What is SPF flattening?

SPF flattening is the process of resolving all of the indirect mechanisms in your SPF record—particularly include: statements—into a single, explicit list of IP addresses and ranges. The goal is to reduce DNS lookups while preserving the set of systems that are authorized to send mail for your domain.

In a flattened SPF record, evaluators no longer need to recurse through multiple providers at query time. This reduces lookup counts, improves resilience against DNS outages and helps avoid unexpected PermErrors.
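The lookup count and the flattening step described above, as an added Python example (not DMARCsimple's code or any provider's data). The `ZONE` records and the helper names `evaluate` and `flatten` are constructed for illustration; the count follows RFC 7208 section 4.6.4, which also counts the `redirect` modifier, and only `include:` chains that resolve to `ip4`/`ip6` networks are flattened.

```python
import re

LOOKUP_LIMIT = 10  # RFC 7208 section 4.6.4
DNS_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

# Constructed zone: .test names and documentation IP ranges, not real provider data.
ZONE = {
    "example.test": "v=spf1 include:_spf.mail.test include:_spf.crm.test "
                    "include:_spf.desk.test mx ip4:192.0.2.10 -all",
    "_spf.mail.test": "v=spf1 include:_a.mail.test include:_b.mail.test "
                      "include:_c.mail.test ~all",
    "_a.mail.test": "v=spf1 ip4:198.51.100.0/25 ~all",
    "_b.mail.test": "v=spf1 ip4:198.51.100.128/25 ~all",
    "_c.mail.test": "v=spf1 ip6:2001:db8:1::/48 ~all",
    "_spf.crm.test": "v=spf1 include:_spf.mail.test ip4:203.0.113.0/26 ~all",
    "_spf.desk.test": "v=spf1 include:_spf.crm.test ip4:203.0.113.64/26 ~all",
}

def evaluate(domain, zone, path=()):
    """Walk domain's SPF record; return (dns_lookups, pass_networks, dynamic_terms)."""
    if domain in path:
        raise ValueError("include loop: " + " -> ".join(path + (domain,)))
    lookups, nets, dynamic = 0, [], []
    for tok in zone[domain].split()[1:]:  # skip "v=spf1"
        qual = tok[0] if tok[0] in "+-~?" else "+"
        name, arg = (re.split(r"[:=]", tok.lstrip("+-~?"), maxsplit=1) + [""])[:2]
        name = name.split("/")[0].lower()
        lookups += name in DNS_TERMS  # each such term costs one lookup
        if name in ("include", "redirect"):
            sub = evaluate(arg, zone, path + (domain,))
            lookups += sub[0]
            nets += sub[1] if qual == "+" else []
            dynamic += sub[2]
        elif name in ("ip4", "ip6") and qual == "+":
            nets.append(f"{name}:{arg}")
        elif name in DNS_TERMS:
            dynamic.append(f"{domain}: {tok}")
    return lookups, nets, dynamic

def flatten(domain, zone):
    """Replace each include: in domain's record with the networks it authorizes."""
    out = ["v=spf1"]
    for tok in zone[domain].split()[1:]:
        new = [tok]
        if tok.lstrip("+").lower().startswith("include:"):
            _, new, dynamic = evaluate(tok.split(":", 1)[1], zone, (domain,))
            if dynamic:  # a/mx/ptr/exists inside an include need live resolution
                raise ValueError(f"cannot flatten {tok}: {dynamic}")
        out += [t for t in dict.fromkeys(new) if t not in out]
    return " ".join(out)
```

On the constructed zone, `evaluate("example.test", ZONE)` counts 16 lookups, while the record returned by `flatten("example.test", ZONE)` needs one (the remaining `mx`). Networks carrying a non-pass qualifier inside an included record are skipped, which is a simplification of full SPF evaluation order.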

How SPF flattening helps DMARC

DMARC relies on SPF (and DKIM) results, plus alignment checks, to determine whether a message should be considered authentic. If your SPF record is fragile or frequently failing due to lookup limits, DMARC results will be noisy and harder to interpret.

  • Fewer PermErrors: Flattening reduces the risk that SPF fails unexpectedly during DMARC evaluation.
  • More predictable deliverability: Legitimate providers are less likely to be impacted by DNS or lookup issues.
  • Clearer reports: DMARC aggregate data becomes easier to trust and act on when underlying SPF is stable.

Where DMARCsimple fits today

DMARCsimple helps you identify SPF issues quickly by analyzing DMARC aggregate reports and highlighting:

  • Domains that are approaching or exceeding SPF lookup limits.
  • Providers that regularly fail SPF while still passing DKIM.
  • Legacy or duplicate include: entries that can be cleaned up.

You can use these insights to decide where SPF flattening—or a simpler rationalization of providers—makes the most sense.

Best practices for SPF & flattening

  • Flatten only where necessary, starting with domains that are at or near lookup limits.
  • Review provider documentation regularly, as IP ranges can change over time.
  • Document why each IP range or network is present in your SPF record.
  • Pair SPF flattening with DMARC monitoring so you can quickly catch unintended side effects.

SPF flattening is not a silver bullet, but it is an important tool in keeping your authentication stack stable as your email ecosystem evolves.

Talk through your SPF situation

If you manage many domains or providers and are unsure whether SPF flattening is right for you, we can help you review DMARC data and design a safe cleanup plan.
