What is SPF Flattening?

SPF flattening is the process of optimizing a Sender Policy Framework (SPF) record by replacing domain-based include: mechanisms with their respective IP addresses, so the resulting SPF record has fewer DNS lookups.

SPF Flattening Explained

SPF flattening is a workaround technique that converts include: statements in your SPF record into direct IP address entries to reduce DNS lookups. Instead of your SPF record telling receiving email servers to "go look up what IP addresses Salesforce uses," flattening lists those actual IP addresses directly in your SPF record.

This technique addresses the SPF 10-lookup limit—a hard constraint that causes SPF authentication to fail when your record requires more than 10 DNS queries to resolve all included domains. When organizations use multiple email services (Microsoft 365, Salesforce, marketing platforms, support systems), they often hit this limit quickly.

SPF flattening trades convenience for compliance. Your record becomes longer and harder to read, but it stays within the 10-lookup boundary that email servers enforce.

How SPF Flattening Works

When you publish an SPF record with multiple include: statements, receiving email servers must perform a DNS lookup for each included domain to determine which IP addresses are authorized to send email on your behalf. Each lookup counts toward the 10-query limit.

For example, this SPF record requires 4 DNS lookups:

v=spf1 include:_spf.salesforce.com include:spf.protection.outlook.com include:_spf.google.com include:servers.mcsv.net ~all

After flattening, the same authorization becomes:

v=spf1 ip4:136.147.0.0/16 ip4:166.78.0.0/16 ip4:40.92.0.0/15 ip4:40.107.0.0/16 ip4:198.2.128.0/18 ip4:198.61.254.0/24 ~all

This flattened version requires zero additional DNS lookups—all authorized IP ranges are explicitly listed.

Manual SPF Flattening Steps

Manual SPF flattening requires you to research, extract, and maintain IP address ranges from your email service providers. Here's the step-by-step process:

1. Identify Your Includes. List all include: statements in your current SPF record. Use dig or nslookup to retrieve your existing record:

dig txt yourdomain.com

2. Resolve Each Include. For each included domain, query its SPF record to find the actual IP addresses:

dig txt spf.protection.outlook.com
dig txt _spf.salesforce.com  
dig txt _spf.google.com

3. Extract IP Ranges. Parse the returned SPF records for ip4: and ip6: mechanisms. Some providers nest includes within includes, requiring multiple lookups to reach the actual IP addresses.

4. Replace Includes with IPs. Convert each include: statement to the explicit IP ranges it resolves to:

  • include:_spf.salesforce.com becomes ip4:136.147.0.0/16 ip4:166.78.0.0/16
  • include:spf.protection.outlook.com becomes ip4:40.92.0.0/15 ip4:40.107.0.0/16

5. Test Your New Record. Before publishing, verify that your flattened record:

  • Doesn't exceed the 255-character DNS record limit
  • Contains fewer than 10 total mechanisms
  • Validates correctly using SPF testing tools

6. Monitor and Update. Service providers change their IP ranges regularly. Schedule monthly checks to ensure your flattened record remains current.
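
The steps above, carried through in Python as an added example (not code from the original page or from any vendor named on it). ZONE is a constructed stand-in for live DNS TXT answers, using hypothetical vendor names and documentation IP ranges; resolve, flatten and drift are names chosen here.

```python
import ipaddress

# Constructed stand-in for DNS TXT answers: hypothetical names, documentation ranges.
ZONE = {
    "example.com": "v=spf1 include:_spf.vendor-a.example include:_spf.vendor-b.example ~all",
    "_spf.vendor-a.example": "v=spf1 include:_net1.vendor-a.example include:_net2.vendor-a.example ~all",
    "_net1.vendor-a.example": "v=spf1 ip4:192.0.2.0/24 ~all",
    "_net2.vendor-a.example": "v=spf1 ip4:198.51.100.0/25 ip6:2001:db8:a::/48 ~all",
    "_spf.vendor-b.example": "v=spf1 ip4:203.0.113.0/24 ip4:192.0.2.0/24 -all",
}

def resolve(domain, zone, path=()):
    """Steps 2-3: follow include: chains; return (networks, DNS lookups spent)."""
    if domain in path:
        raise ValueError(f"include loop: {' -> '.join(path + (domain,))}")
    nets, lookups = [], 0
    for term in zone[domain].split()[1:]:
        if term[0] in "-~?" or term.lstrip("+") == "all":
            continue  # only pass-qualified mechanisms authorize senders
        term = term.lstrip("+")
        if term.startswith(("ip4:", "ip6:")):
            nets.append(ipaddress.ip_network(term[4:], strict=False))
        elif term.startswith("include:"):
            sub_nets, sub_lookups = resolve(term[8:], zone, path + (domain,))
            nets += sub_nets
            lookups += 1 + sub_lookups  # nested includes count toward the limit too
        else:
            raise ValueError(f"{domain}: '{term}' needs a live lookup, cannot flatten")
    return nets, lookups

def flatten(domain, zone):
    """Step 4: emit ip4:/ip6: terms, deduplicated and merged, keeping the final all term."""
    nets, lookups = resolve(domain, zone)
    merged = [n for v in (4, 6)
              for n in ipaddress.collapse_addresses(x for x in nets if x.version == v)]
    terms = [f"ip{n.version}:{n}" for n in merged]
    # Assumption: the source record ends with its all mechanism.
    return " ".join(["v=spf1", *terms, zone[domain].split()[-1]]), lookups

def drift(published, domain, zone):
    """Step 6: terms missing from, and stale in, a published flattened record."""
    fresh, _ = flatten(domain, zone)
    old, new = set(published.split()), set(fresh.split())
    return sorted(new - old), sorted(old - new)

if __name__ == "__main__":
    record, lookups = flatten("example.com", ZONE)
    print(f"{lookups} lookups before flattening, {len(record)} characters after")
    print(record)
```

Running drift on a schedule against freshly fetched provider records covers the monthly check in step 6: any non-empty result means the published record no longer matches what the providers authorize.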

The Problems with Manual SPF Flattening

Manual SPF flattening creates more problems than it solves:

IP Addresses Change Constantly. What works today breaks next month when a service updates its infrastructure. Microsoft, Google, and Salesforce regularly modify their IP ranges without notice. Your flattened record becomes a maintenance nightmare.

Record Length Limits. Flattened records often exceed the 255-character DNS TXT record limit, forcing you to split records or choose between email services.

Reduced Deliverability. When provider IP ranges change and you haven't updated your record, legitimate emails start failing SPF authentication. Your deliverability drops while you scramble to identify which ranges changed.

Operational Overhead. Manual flattening requires constant monitoring, testing, and updating. IT teams spend time chasing vendor infrastructure changes instead of focusing on strategic security initiatives.

Limited Visibility. Flattened records obscure which services are authorized to send on your behalf. Troubleshooting becomes harder when you can't quickly identify which IP range corresponds to which service.

SPF Flattening Best Practices

If you must flatten SPF records manually, follow these practices to minimize problems:

Document Your Sources. Maintain a spreadsheet linking each IP range to its source service. When ranges stop working, you'll know which vendor to contact.

Set Up Monitoring. Use SPF monitoring tools to alert you when your record starts failing authentication checks.

Plan for Record Splitting. When your flattened record exceeds 255 characters, implement SPF record splitting using multiple TXT records and include statements.

Test Before Publishing. Always test flattened records in a staging environment before updating production DNS.

Schedule Regular Reviews. Check vendor IP ranges monthly, not when email delivery starts failing.

Move Beyond Manual Management with IRONSCALES

Manual SPF flattening is a temporary fix that creates long-term maintenance problems. DMARC management services automatically host and flatten your SPF records, updating IP ranges when providers change them, so you don't have to manually chase down every vendor's infrastructure changes.

IRONSCALES provides comprehensive email authentication management that goes beyond basic SPF flattening. Our platform automatically maintains your SPF, DKIM, and DMARC records while providing advanced phishing protection that DMARC and SPF can't deliver on their own.

With IRONSCALES, you get:

  • Hosted SPF, DKIM, DMARC, BIMI, and MTA-STS
  • Automatic SPF record management and flattening
  • Real-time updates when service providers change IP ranges
  • Centralized reporting and geomap views of all email authentication activity related to your domains

SPF flattening is just one piece of email security—but with IRONSCALES, you can ensure your organization stays protected from evolving email threats without the operational overhead of manual record maintenance.
