DMARC and SPF Flattening — When to Do It

For anyone managing email deliverability, DMARC is a critical layer of protection against phishing and spoofing. It relies on the successful authentication and alignment of SPF and DKIM. While DKIM is generally straightforward, SPF often introduces complexities, particularly with its notorious 10-lookup limit. When you hit this limit, SPF flattening becomes a necessary, albeit nuanced, strategy.

This article will break down what SPF flattening is, why it matters for DMARC, when you should consider it, and the pitfalls you need to be aware of.

The Core Problem: SPF's 10-Lookup Limit

SPF (Sender Policy Framework) is a DNS TXT record that specifies which mail servers are authorized to send email on behalf of your domain. When a recipient mail server receives an email, it performs a DNS lookup to check your domain's SPF record. This record consists of mechanisms (a, mx, ptr, ip4, ip6, exists, include) and modifiers (such as redirect).

The problem arises because the SPF specification (RFC 7208) limits the number of DNS lookups performed during the evaluation of an SPF record to 10. This limit applies to the terms that require DNS queries: the a, mx, ptr, exists, and include mechanisms and the redirect modifier. ip4 and ip6 mechanisms, which list IP addresses directly, do not count towards this limit.

Why does this matter? Because in today's SaaS-heavy world, it's common for organizations to use multiple third-party email senders. Think marketing automation platforms (Mailchimp, HubSpot), transactional email services (SendGrid, Mailgun), CRM systems (Salesforce), and productivity suites (Google Workspace, Microsoft 365). Each of these often requires an include mechanism in your SPF record, like include:_spf.google.com.

If your SPF record exceeds 10 lookups, the recipient mail server will return an SPF permerror (permanent error). This means SPF authentication fails and, crucially, the SPF leg of your DMARC evaluation fails with it, potentially leading to emails being rejected or quarantined.

How SPF Flattening Works

SPF flattening is the process of resolving all nested include mechanisms in your SPF record down to their constituent IP addresses and then replacing the includes with ip4 and ip6 mechanisms.

Instead of: v=spf1 include:_spf.google.com include:mailgun.org -all

Which might involve:

1. Looking up _spf.google.com (1 lookup), which resolves to several further includes and ip4 mechanisms.
2. Looking up mailgun.org (1 lookup), which resolves to an include and ip4 mechanisms.
3. Each subsequent include nested within those also counts as a lookup.

A flattened record would look something like: v=spf1 ip4:35.190.247.0/24 ip4:35.191.0.0/16 ip4:35.196.0.0/16 ip4:192.237.158.0/24 ip4:198.61.254.0/24 -all (This is a simplified example; actual flattened records can be much longer.)

The process typically involves:

1. Parsing: Reading your existing SPF record.
2. Recursive Resolution: For each include or redirect mechanism, performing DNS lookups to resolve it to its underlying IP addresses (or further nested includes). This step is repeated until all includes are fully resolved to ip4 or ip6 mechanisms.
3. Consolidation: Aggregating all unique IP addresses and CIDR blocks discovered.
4. Generation: Creating a new SPF record using only ip4, ip6, and your original a or mx mechanisms (if you host your own mail servers).

By replacing lookups with static IP addresses, you bypass the 10-lookup limit entirely for those mechanisms.
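As an added example (not code from the article), the following Python walks through the parse, resolve, consolidate and generate steps above against a constructed in-memory DNS table (the domain names and netblocks are made up) instead of live queries, counts the DNS-querying terms of the original record, and reports whether it would have exceeded the 10-lookup budget:

```python
import ipaddress
import re
FAKE_DNS = {  # constructed stand-in for DNS (domain -> SPF TXT record); not real vendor data
    "example.com": "v=spf1 include:_spf.vendor-a.example include:vendor-b.example -all",
    "_spf.vendor-a.example": "v=spf1 include:_netblocks.vendor-a.example ip4:203.0.113.0/24 ~all",
    "_netblocks.vendor-a.example": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 ~all",
    "vendor-b.example": "v=spf1 ip4:192.0.2.0/24 include:relay.vendor-b.example ~all",
    "relay.vendor-b.example": "v=spf1 ip4:192.0.2.128/25 -all",
}
MAX_LOOKUPS = 10  # RFC 7208 budget for DNS-querying terms
TERM_RE = re.compile(r"^([+\-~?]?)([a-z0-9]+)(?:[:=](.+))?$")  # qualifier, name, argument

def collect(domain, dns, path=()):
    """Walk one SPF record recursively. Returns (mechanisms, all_term, lookups)."""
    if domain in path:  # an include loop would otherwise recurse forever
        raise ValueError(f"include loop at {domain}")
    record = dns.get(domain, "")
    if not record.startswith("v=spf1"):
        raise LookupError(f"no SPF record for {domain}")
    mechs, all_term, lookups = [], None, 0
    for term in record.split()[1:]:
        _, name, arg = TERM_RE.match(term).groups()
        if name == "all":
            all_term = term
        elif name in ("ip4", "ip6"):
            mechs.append(term)
        elif name == "include":
            lookups += 1  # the include itself costs one lookup each time it appears
            sub, _, n = collect(arg, dns, path + (domain,))
            lookups += n  # the included record's own 'all' never applies to the includer
            mechs.extend(sub)
        elif name in ("a", "mx", "ptr", "exists", "redirect"):
            lookups += 1  # would need a live resolver to flatten; kept in place here
            mechs.append(term)
    return mechs, all_term, lookups

def consolidate(mechs):
    """Merge ip4/ip6 terms so a block already covered by a larger one is dropped."""
    ips = [m for m in mechs if m.startswith(("ip4:", "ip6:"))]
    out = []
    for v in (4, 6):
        nets = [ipaddress.ip_network(m[4:], strict=False) for m in ips if m[2] == str(v)]
        out += [f"ip{v}:{n.with_prefixlen}" for n in ipaddress.collapse_addresses(nets)]
    return out + [m for m in mechs if m not in ips]

def flatten(domain, dns=FAKE_DNS):
    # Returns (flattened_record, lookups_in_original, over_limit)
    mechs, all_term, lookups = collect(domain, dns)
    record = "v=spf1 " + " ".join(consolidate(mechs) + [all_term or "?all"])
    return record, lookups, lookups > MAX_LOOKUPS
```

Because the original record's lookup count is returned alongside the flattened record, the same function doubles as a pre-flight check for the permerror condition described above.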

Why Flattening Matters for DMARC

DMARC (Domain-based Message Authentication, Reporting, and Conformance) builds upon SPF and DKIM. For an email to pass DMARC, it must pass either SPF authentication and alignment, or DKIM authentication and alignment.

SPF Alignment requires that the domain in the Return-Path header (also known as the Mail From or Envelope From address) matches the domain in the From header (the one users see).

If your SPF record exceeds the 10-lookup limit, SPF authentication will result in a permerror. When SPF authentication fails with a permerror, DMARC cannot evaluate SPF alignment, and thus the SPF leg of DMARC will fail. This means your email's DMARC status depends entirely on DKIM. If DKIM also fails or isn't aligned, your email will fail DMARC.

Flattening ensures that SPF authentication can complete successfully by resolving all necessary IP addresses without hitting the lookup limit. A successful