Inbox Placement – A New View from MxToolbox

Reaching inboxes has always been essential for your business. If your latest newsletter or campaign lands in the Spam/Junk folder or is never delivered, your email efforts have failed, not to mention the wasted time/resources.

Many of our customers do not realize that they have an email delivery issue until a customer or vendor reports a missing email. There are many subtle reasons why an email can fail to reach the inbox. Getting to the Inbox now requires active management.

A Wider View

MxToolbox’s Inbox Placement is an analysis tool for your campaigns. You email our list of test accounts to see where your outgoing messages will most likely go before you launch your campaigns: whether a message fails entirely, makes the Inbox or gets turfed to a Spam/Junk folder. And, if an email falls short of reaching an Inbox Provider (Google, Microsoft, etc.), our service provides insight to help you make necessary changes to improve your results.

Expanded Insights

Our team of Email Delivery Experts has been analyzing the most common reasons why emails fail to make the Inbox and developing new ways to surface this information to our customers. The new version of our Inbox Placement tool has some great improvements:

  • New Overview Page: Better summary information of campaigns and inbox placement analytics.
  • New MxTips with MxScore: More analysis tools to help you make the Inbox along with our weighting of importance to help you prioritize changes.
  • MxTips Types: Better insight into which MxTips were tested and their outcomes (Failed, Warning, Success). They include best practices, content, security, and reputation.
  • Email Render: See a copy of the original email for quick analysis and (coming soon) in-render highlighting of the MxTip warnings.

How Does Inbox Placement Work?

With MxToolbox’s Inbox Placement, you get ahead of many unknown email delivery issues and stay out of the dreaded Spam/Junk folder. MxToolbox Inbox Placement gives you two options to test the placement of your emails:

  1. Proactively send emails to our test inboxes – Whether you are crafting a new nurturing campaign or setting up a newsletter, send a test email copying our list of test inboxes. MxToolbox will tell you how the email performs!
  2. Monitor on-going newsletter performance – Subscribe our list of test inboxes to your newsletter lists to continually monitor performance and get warned when your reputation changes with Inbox Providers. Inbox Providers are constantly changing their algorithms to remove irrelevant email. Each time you send an email to these lists, you get insight into how they performed with the major Inbox Providers!

MxToolbox Inbox Placement provides actionable information about your email campaigns, highlights any inbox deliverability issues and outlines steps for enhancing your email performance.

How Can I Get Inbox Placement?

MxToolbox Inbox Placement is a feature of MxToolbox Delivery Center. Simply purchase one of our Delivery Center plans and you gain access to Inbox Placement along with our full suite of DMARC email delivery tools.

Business Email Compromise (BEC) Fraud on the Rise

Cybercriminals are a major threat to business email. Through various business email compromise (BEC) scams, these fraudsters can cause irreparable financial and reputational damage to your company. With BEC on the rise, protecting your inbound (and outbound) messages is vital to your company’s success and the longevity of its brand.

What Is Business Email Compromise (BEC)?

BEC attacks are financial in nature and target organizations of all sizes. The gist of a BEC scam is that a fraudster pretends to be someone at the executive level, then convinces an unsuspecting employee to help them wire funds outside of the company. BEC compromises often use publicly available information, phone calls and emails from domains that are similar in nature to the target company. For example: targeting with an email from MxTooŀ Look closely.
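A mail filter can catch the kind of look-alike sender domain described above before a person has to "look closely". The sketch below is an added example, not MxToolbox code: the protected domain `example.com`, the sample sender domains and the small substitution table are all constructed assumptions.

```python
import unicodedata

# Constructed allow-list: your own domain plus vendors that send you invoices.
PROTECTED = ["example.com"]

# Small illustrative set of ASCII look-alike swaps (assumption, not exhaustive).
ASCII_SWAPS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def to_unicode(domain):
    """Lower-case a domain and decode punycode (xn--) labels to text."""
    labels = []
    for label in domain.lower().rstrip(".").split("."):
        if label.startswith("xn--"):
            try:
                label = label[4:].encode("ascii").decode("punycode")
            except UnicodeError:
                pass  # leave undecodable labels as they are
        labels.append(label)
    return ".".join(labels)


def skeleton(domain):
    """Reduce a domain to the ASCII string a hurried reader would see."""
    text = unicodedata.normalize("NFKD", to_unicode(domain))
    text = "".join(ch for ch in text if ch.isascii())  # drop dots and accents
    return text.translate(ASCII_SWAPS).replace("rn", "m").replace("vv", "w")


def edit_distance(a, b):
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(sender_domain):
    """Return 'trusted', 'lookalike-confusable', 'lookalike-near' or 'other'."""
    domain = to_unicode(sender_domain)
    if domain in PROTECTED:
        return "trusted"
    for protected in PROTECTED:
        if skeleton(domain) == skeleton(protected):
            return "lookalike-confusable"  # reads the same, but is not the same
    for protected in PROTECTED:
        if edit_distance(skeleton(domain), skeleton(protected)) <= 1:
            return "lookalike-near"        # one typo away from a protected name
    return "other"


if __name__ == "__main__":
    # Constructed sender domains; \u0140 is the "l with middle dot" character.
    for d in ["example.com", "examp\u0140e.com", "examp1e.com",
              "exarnple.com", "example.co", "contoso.example"]:
        print(f"{d!r:22} {classify(d)}")
```

Messages whose sender domain is classified as a look-alike are good candidates for quarantine or a banner, especially when they mention payments.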

Loss numbers are frequently significant, and it’s a very appealing tactic for scammers looking to get rich quick.

Unreported BEC

Many instances of BEC fraud go unreported because few companies want to admit that they fell victim to a scam. As a result, cases are typically hidden until court proceedings. It’s difficult to gauge how much money is actually lost to BEC scams per year, but the estimates are astronomical.

Common Types of BEC Attacks

According to the FBI, there are five common types of BEC scams:

Email Account Compromise

In an email account compromise attack, an employee’s email account is hacked and used to request payments from vendors. The money is then sent to attacker-controlled bank accounts.

Vendor Email Compromise

Companies with foreign suppliers are common targets of vendor email compromise. Attackers pose as suppliers, request payment for a fake invoice, then transfer the money to a fraudulent account.

CEO Fraud

Scammers impersonate the CEO or executive of a company. As the CEO, they request that an employee within the accounting or finance department transfer funds to an attacker-controlled account.

Lawyer Impersonation

Fraudsters pose as a lawyer or legal representative, often via email. The common targets of these attacks are lower-level employees who might not have the knowledge or experience to question the validity of an urgent legal request.

Data Theft

Data theft attacks typically target HR personnel to obtain personal information about a company’s CEO or other high-ranking executives through emails. The attackers can then use the received data in other future attacks, such as CEO fraud.

Tips to Avoid BEC Scams

Because email is such a critical aspect of your business, a single compromised account is all it takes to financially damage your company and its brand. Here are some tips on how to stay protected and secure:

  • Carefully scrutinize all emails. Be wary of irregular emails that are sent from C-suite executives, as they are used to trick employees into acting with urgency. Review emails that request transfer of funds to determine if the requests are irregular.
  • Educate and train staff. While employees are a company’s biggest asset, they’re also usually its weakest link when it comes to security. Commit to training them according to the company’s best practices. Remind all that adhering to company policies is one thing, but developing good security habits is another.
  • Confirm any changes in vendor payment location by using a secondary sign-off by company personnel.
  • Stay updated on your customers’ habits, including the details and reasons behind payments.
  • Verify requests for transfer of funds when using phone verification as part of two-factor authentication.
  • If you suspect that you’ve been targeted by a BEC email, immediately report the incident to law enforcement or file a complaint.

How Can MxToolbox Help? (DMARC)

DMARC helps secure your company’s email platform and fights to protect against BEC scams. By implementing DMARC checks on inbound email and educating employees, the prevalence of online fraudsters and their BEC cons can be minimized. In addition, implementing DMARC on outbound email will reduce the risk of your brand being used in a BEC scam, potentially damaging your business reputation.

At MxToolbox, our email experts have created several tools and services to safeguard your business and increase its email deliverability. Check out our various products to help protect your company’s email reputation.

Our Commitment to Free Tools

MxToolbox started out as a simple set of free tools for IT and Email administrators. Most of our customers used our original DNS, MX and Blacklist lookups to verify their website and email setup and understand why email wasn’t going through. Since those days, we’ve committed to continually adding useful free tools to help IT and Email professionals with their daily tasks. From A record (and AAAA record) lookups to Whois Lookup, we have you covered (and if there is a tool we’re missing, we encourage you to let us know).

Not only do we have a comprehensive list of tools, we continue to expand it: when we find a tool we need, we add it to the list. For example, we recently added the:

MTA-STS Lookup: This test checks a domain or hostname for an MTA-Strict Transport Security (MTA-STS) DNS TXT record and also for a valid MTA-STS policy.

Organize your MxToolbox Tools

We understand that not all our tools are for everyone, and that you use different groups of tools for different tasks: email, security, setup, etc. For your convenience, we organized our tools into categories:

  • All Tools: Every available free tool is housed under this tab.
  • Email: For email problems, this tab is your best bet.
  • Network: To address potential network issues, try these tools.
  • Website: If you have any website queries, this tab provides answers.
  • DNS: You can find all tools related to DNS here.
  • New: This tab shows the most recent additions to our expanding toolbox.
  • My Favorite Tools: Your customized favorites list. For more information, see the corresponding section below.

For a complete list of our free tools, click here. We always enjoy questions/feedback, so let us know about your MxToolbox tools experience. Be sure to use our tools to improve your email delivery rates!

Google and Yahoo are upping their game in 2024!

In the on-going battle against spam, Google and Yahoo have announced new standards for 2024 that will help protect their inboxes and curtail spam intrusions. This is great news for legitimate email senders who abide by email best practices as we expect other Inbox Providers and email services to follow their lead. However, your business may need to adapt to these new standards or risk missing the Inbox.

Google and Yahoo to Require SPF, DKIM, and DMARC

For Google, if your business sends more than 5,000 messages to Gmail addresses, you must adopt SPF, DKIM, and DMARC by February 2024. Yahoo will apply the same trio of requirements to “bulk senders” in the first quarter of 2024, though they have not defined what constitutes a bulk sender.

The new email requirements include both SPF and DKIM records for authenticating email-sending domains, a DMARC record for the domain, and a “From” header that matches either the SPF or DMARC record, known as “alignment.” In addition, marketers must keep spam rates below 0.3% and provide the ability to unsubscribe with a single click if the recipient chooses.
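The requirements in the paragraph above can be checked on a delivered test message by reading the headers the receiver added. The following is an added example, not Google's, Yahoo's or MxToolbox's code. It treats alignment as the From domain sharing an organizational domain with the SPF-authenticated envelope sender or the DKIM `d=` domain, approximates the organizational domain as the last two labels (real evaluators use the Public Suffix List), and uses constructed sample headers and a constructed receiver name `mx.receiver.example`.

```python
import re
from email import message_from_string
from email.utils import parseaddr

SPAM_RATE_LIMIT = 0.003  # 0.3 %, the threshold quoted in the text

# Constructed sample: SPF aligns with From, DKIM is signed by the vendor only.
ALIGNED = """\
Authentication-Results: mx.receiver.example;
 spf=pass smtp.mailfrom=bounce.mail.example.com;
 dkim=pass header.d=esp-vendor.example;
 dmarc=pass header.from=example.com
From: News <news@example.com>
To: user@receiver.example
Subject: March newsletter
List-Unsubscribe: <https://example.com/unsub?id=123>
List-Unsubscribe-Post: List-Unsubscribe=One-Click

Hello
"""
# Same message, but the envelope sender also belongs to the vendor.
UNALIGNED = ALIGNED.replace("bounce.mail.example.com", "bounce.esp-vendor.example")


def org_domain(domain):
    """Naive organizational domain: the last two labels (assumption)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def auth_results(msg, trusted_authserv):
    """Yield (method, result, properties) from headers our own receiver added."""
    for header in msg.get_all("Authentication-Results", []):
        header = re.sub(r"\([^)]*\)", "", header)           # drop comments
        authserv, *clauses = header.split(";")
        if (authserv.split() or [""])[0].lower() != trusted_authserv.lower():
            continue                                         # could be forged
        for clause in clauses:
            tokens = clause.split()
            if not tokens or "=" not in tokens[0]:
                continue
            method, result = tokens[0].split("=", 1)
            props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
            yield method.lower(), result.lower(), props


def check_message(raw, spam_rate, trusted_authserv="mx.receiver.example"):
    """Return a dict of the individual checks plus an overall 'compliant'."""
    msg = message_from_string(raw)
    from_org = org_domain(parseaddr(msg.get("From", ""))[1].rpartition("@")[2])
    spf_pass = dkim_pass = spf_aligned = dkim_aligned = False
    for method, result, props in auth_results(msg, trusted_authserv):
        if result != "pass":
            continue
        if method == "spf":
            spf_pass = True
            mailfrom = props.get("smtp.mailfrom", "").rpartition("@")[2]
            spf_aligned |= bool(from_org) and org_domain(mailfrom) == from_org
        elif method == "dkim":
            dkim_pass = True
            signer = props.get("header.d", "")
            dkim_aligned |= bool(from_org) and org_domain(signer) == from_org
    unsub = msg.get("List-Unsubscribe", "").lower()
    post = msg.get("List-Unsubscribe-Post", "").strip().lower()
    one_click = "<https://" in unsub and post == "list-unsubscribe=one-click"
    aligned = spf_aligned or dkim_aligned
    return {
        "spf_pass": spf_pass,
        "dkim_pass": dkim_pass,
        "aligned": aligned,
        "one_click_unsubscribe": one_click,
        "spam_rate_ok": spam_rate < SPAM_RATE_LIMIT,
        "compliant": spf_pass and dkim_pass and aligned and one_click
                     and spam_rate < SPAM_RATE_LIMIT,
    }


if __name__ == "__main__":
    print("aligned:  ", check_message(ALIGNED, 0.001))
    print("unaligned:", check_message(UNALIGNED, 0.001))
```

The second sample passes both SPF and DKIM yet still fails, because neither authenticated domain belongs to the domain shown in the From header.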

What does this mean for your business?

Google’s and Yahoo’s requirements are a critical move to reinforce your company’s email best practices. With the two largest email providers taking major steps to secure inboxes, more Inbox Providers will adopt similar DMARC policies in the future. Getting prepared will be key.

If your company has already enabled SPF, DKIM and DMARC, you get a boost. Your messages will have to compete with fewer poorly configured emails or spam messages. Your email has protection against impersonation through better authentication and, with DMARC, you are able to see SPF and DKIM configuration issues that would put your email delivery at risk and detect spammers attempting to use your domain for fraud or phishing. If you have not configured SPF, DKIM and DMARC, you have a short window to get prepared. Regardless of your SPF, DKIM and DMARC configuration, however, the requirement to maintain a low rate of being marked as “spam” could really hurt you if you are purchasing email lists.

How Can MxToolbox Help?

With these upcoming changes to Google and Yahoo, now is the perfect time to use our various tools and products to improve your email deliverability!

Since DMARC will soon be a requirement for those providers, MxToolbox Delivery Center will help your sending domain achieve the best possible email delivery rates, including managing your DMARC setup. In addition, our Inbox Placement feature will tell you if your campaigns are being sent to the Spam/Junk folders or actually making it to inboxes, as well as which Inbox Provider(s) you are having trouble sending to.

MxToolbox is the Expert on email delivery. We offer a wide range of free and subscribed options, so be proactive now and take advantage of them before these new 2024 guidelines are applied to your outgoing newsletters and marketing campaigns.

Seriously, Stop Buying Email Lists

In the early days of the Internet, purchasing a list of email addresses was a legitimate business tactic. Lists were a new thing, sending an email was basically free, email servers accepted almost all email and spam was not much of a problem.

Spam: Unsolicited email that is sent in bulk.

Let me say this unequivocally: if you purchase and use email lists, You Are A Spammer. Any email sent in bulk that was not opted into by the recipient is considered spam. If you have zero prior contact with this email address, you are spamming it. It does not matter if you have a legitimate business and that you are not trying to scam the recipient; your email is still unwanted. Think of email spam as equivalent to the pile of unwanted ads in your regular mailbox. You didn’t ask for it and it wastes your time and resources to get rid of it.

Inbox Providers Have Ramped Up Spam Defenses

The main goal for Inbox Providers is to protect their users by eliminating irrelevant, unwanted and dangerous emails. Over the last 20 years, Inbox Providers have applied multiple layers of defenses around their inboxes:

  • Checking senders against Blacklists/Blocklists
  • Refusing non-TLS encrypted email
  • Checking SPF, DKIM and DMARC configurations and then bouncing non-compliant email
  • Scanning email attachments for malware
  • Scanning email links for potential malware websites
  • Checking content for known spammy verbiage
  • Deprioritizing email campaigns sent to closed, unused, or non-existent accounts
  • Aggregating sentiment across recipients

Now, using Aggregate Sentiment algorithms and AI, Inbox Providers can detect campaigns that have low relevance, start from purchased lists, or are likely to be marked as spam and drop the entire campaign in the spam folder. Further, some senders dependent on purchased email lists have reported all email from their domain being binned – essentially burning out their sending domain.

What can you do?

The first thing you need to do is stop depending on purchased email lists for prospecting; continuing to do so could burn out your domain reputation. To do this, you need to look at other methods for lead generation:

  • Online advertising
  • Word of mouth
  • Social media advertising
  • Opt-in email newsletters

How can MxToolbox help?

If you have burned out your sending domain, MxToolbox can help you set up a new email sending domain, configure email best practices, etc. However, you must change your email practices or this will happen again. DMARC and a DMARC management tool like MxToolbox Delivery Center will help your sending domain achieve the best possible email delivery. In addition, our Inbox Placement feature will tell you if your campaigns are being dumped into the spam folder or making it to the Inbox and analyze your email for potential inbox placement issues.

Uncover your Email Problems with our Email Delivery Tools

Email delivery is probably the most important connection between Marketing Art and Information Technology. Whether your email is driving sales, connecting to vendors or simply for internal communications, an email that fails to make the Inbox is a failure of communications that can cost your business.

Email Health

A tool that is often overlooked yet is highly beneficial for your email deliverability is our Email Health Report. This tool executes hundreds of domain/email/network setup tests to ensure all of your systems are online and performing optimally. The report returns results for your domain and highlights critical problem areas that need to be resolved.

  • Get full visibility of your email’s health status in one concise report.
  • Identify every problem facing your email, including blacklist, mail server, web server, and DNS issues.
  • Be proactive about email health and detect any current email issues before they cause email failures.

Major MxToolbox Email Delivery Tools

Email delivery is a constantly changing technology landscape. Inbox providers change policies and technologies to protect their users and spammers change methods to get their unwanted messages read. MxToolbox is the Expert in Email Delivery and provides tools to better help you understand your legitimate email delivery issues.

  • Blocklist (IP or Host): The blocklist check tests a mail server’s IP address against over 100 DNS-based email blocklists.
  • DMARC Delivery Report: This tool creates comprehensive DMARC reports, providing insight into potential issues and any needed changes to your DMARC policy.
  • DMARC Report Analyzer: This option makes DMARC Aggregate XML reports human readable by parsing and aggregating them by IP address into helpful reports.
  • Email Bounceback Analyzer: This analyzer returns details regarding the bounce error, such as the inbox provider, why the message bounced, and additional information to help remedy the issue.
  • MTA-STS Lookup: This test checks a domain or hostname for an MTA-Strict Transport Security (MTA-STS) DNS TXT record and also for a valid MTA-STS policy.
  • Spam Analyzer: This tool uses the SpamAssassin software to analyze your message and return a spam score from over 711 various criteria.

Inbox Placement Analysis

Our Inbox Placement tool analyzes your campaign emails before you send them. We determine if the email will make the inbox at major Inbox Providers like Google, Yahoo! and We also analyze important technology and soft factors like:

  • DMARC Compliance
  • Broken or copious links
  • Wordiness
  • Broken or too many images
  • Spammy verbiage
  • Other indicators of spam

Inbox Placement is a feature of all paid Delivery Center plans, so you can test your marketing emails and improve your DMARC compliance all in one place.

Does DMARC and email deliverability seem too complicated?

MxToolbox Experts are here with a Managed Services approach to your email configuration issues.

Validity goes behind a Paywall

Validity recently announced that their Universal Feedback Loop ARF reports were no longer a free service but going to be a paid subscription. They are replacing their individual ARF reports with a free aggregate report today.

What are Validity ARF Reports?

Abuse Reporting Format (ARF) is a standard that allows Inbox Providers to provide Feedback or Recipient Complaint information to legitimate email senders. The data contained in an ARF report can be as limited as the subject of the email and number of complaints or may be highly detailed information, like:

  • Date and Time of the Complaint
  • Date and Time of the Email Sent
  • Subject of the email
  • Email Addresses Unsubscribing
  • Email Addresses Complaining
  • Email Addresses Failing
  • Type of Failure or Complaint

However, Validity ARF reports only contain minimally actionable information: Subject, Date and Type of Complaint and email header with obfuscated recipient data.

Who does the change affect?

MxToolbox Delivery Center customers with a Validity Feedback Loop/Complaint integration will lose access to new Validity data on September 22, 2023. MxToolbox is investigating the value of integrating with their free aggregate version of the Universal Feedback Loop systems or terminating the integration with Validity.

Our product team is constantly evaluating the potential for new integrations to ensure that our Recipient Complaints feature provides detailed, actionable insight to our customers. While Validity ARF reports contained some actionable insight when free, the impact when compared to DMARC data and other sources of Feedback Loops will be minor to most customers.

MxToolbox’s Stance

MxToolbox has always been an advocate for improving email delivery and an early adopter of DMARC and Feedback Loop aggregation technology. Feedback Loops were intended to be used to improve the quality of email and reduce the quantity of unwanted email, so, placing Feedback Loop and Complaint information behind a paywall seems like the wrong direction. The additional costs will be especially rough for small-to-medium businesses to bear.

MxToolbox Free Email Delivery Tools

MxToolbox has always been a provider of Free Email Delivery Tools. From our early days Blacklist Lookups and Monitors have been free to use. We continue to expand our suite of free tools to help businesses improve email delivery.

Email Content is King! sort of

The essence of a good email is sending the right message to the right person at the right time. Unfortunately, many email marketers make several common mistakes:

  1. Assuming that Email is Free
  2. Assuming that “Good” content is the same for all recipient personas
  3. Assuming that more content is better

#2 and #3 are understandable. After all, your team might have spent a lot of time and effort to create quality content and you want to get your money’s worth. Reusing content, combining it with other pieces, or calling it out in different ways are marketing best practices. However, there are some other best practices that need to be adopted as well.

Generic is boring

There is an American electronics retailer that emails me several times a week. Unfortunately, the content is often the generic “We have new products!” or “We have a sale!” with a call to action that really means “search on our website (to maybe sorta, kinda see if there is anything relevant to you)”. Why should I bother? It’s lazy, generic marketing that makes me work to find any value in it. It’s a throwback to the Sunday newspaper advertisement circulars that had a little bit on sale for everyone; but that is now obsolete.

If you are sending a generic email like this, stop now. There are better ways to engage potential customers through simple segmentation or self-selected segmentation. For example, this retailer could send out an email by brand (Samsung, Apple, LG, etc.), or by category (appliance, PC, mobile, smart TV, etc.), giving the recipient enough information to entice further interaction with their site. While still somewhat generic, it is more targeted and there is direct value to open it if I resonate with that brand or product. Even better would be a tailored email of new and sale items based on prior browsing and purchase history.

Brevity is the soul of wit

Brevity is also the key to engagement. Do you read long emails from advertisers? Most people don’t. A short, direct email with a clear call to action gets more attention than a lengthy email, no matter how well written. This is easier to accomplish once you stop sending generic emails.

A picture is worth a thousand words…

And, many pictures can be confusing… One or two images per major idea should be sufficient to communicate your brand values and the ideas you need to get across. Just as with brevity in verbiage, more meaningful, connected images make a larger impact.

A broken link goes nowhere

A broken or malformed link also does you no good. Checking the number and endpoints of every link, especially calls-to-action will improve the quality of your email and may potentially save you from looking like spam.

Email Delivery

While these Best Practices are written to improve content to achieve better email performance from a marketing perspective, they will also improve your email delivery. Inbox Providers are attempting to serve users by prioritizing relevant email. Large, generic emails, or emails with many images or links look suspicious. In addition, because these types of emails tend to have poor open rates, they are also more likely to be mistaken for spam.

How can MxToolbox Help?

Our Inbox Placement tool analyzes your campaign emails before you send them. We determine if the email will make the inbox at major Inbox Providers like Google, Yahoo! and We also analyze important technology and soft factors like:

  • DMARC Compliance
  • Broken or copious links
  • Wordiness
  • Broken or too many images
  • Spammy verbiage
  • Other indicators of spam

Inbox Placement is a feature of all Delivery Center plans, so you can test your marketing emails and improve your DMARC compliance all in one place.

Does DMARC and email deliverability seem too complicated?

MxToolbox Experts are here with a Managed Services approach to your email configuration issues.

Google expands support for BIMI: Is it time to dive in?

Google recently rolled out additional support for BIMI through their webmail application and mobile apps.  Since Google is one of the largest Inbox Providers in the world, this should be an exciting step forward for BIMI and for Marketers wanting to reach potential customers.  (For more information on BIMI, click here.)

Google’s Implementation

On and Google mobile applications, users will see a checkmark and BIMI logo next to an opened email as in the image below.  In addition, Google mobile applications will display the logo next to the sender in the Inbox view by the subject line.  BIMI logos should lead to an uptick in Open Rates and Click-through Rates because of additional confidence in the “certified” origins of these emails.

In order to have your logo displayed, Google requires you to:

  1. Setup SPF, DKIM and DMARC
  2. Have a DMARC Policy set to 100% Reject for email failing DMARC
  3. Generate and post a correct BIMI logo
  4. Have a Verified Mark Certificate (VMC)

The first two steps will dramatically improve a sender’s email delivery and email reputation.  Adopting DMARC gives Inbox Providers more assurance that your email is legitimate and not spam, while a strict DMARC policy prevents your email domain from being used in phishing and fraud attacks.  A VMC is designed to protect both Google and your brand by certifying the owner of the logo and domain.  Unfortunately, a VMC costs roughly $1100-$1500 annually per Email Sending Domain, which makes it expensive for many small businesses.
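The four requirements listed above can be checked against a domain's published DNS records before paying for a certificate. This is an added example, not Google's or MxToolbox's code: it works on constructed TXT record strings for `example.com` instead of live DNS, the DKIM selector `s1` and all key, logo and certificate values are placeholders, and it inspects the records only (it does not fetch or validate the SVG or the VMC).

```python
# Constructed TXT records for a documentation domain (placeholders throughout).
READY = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 -all",
    "s1._domainkey.example.com": "v=DKIM1; k=rsa; p=PLACEHOLDERPUBLICKEY",
    "_dmarc.example.com": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
    "default._bimi.example.com":
        "v=BIMI1; l=https://example.com/logo.svg; a=https://example.com/vmc.pem",
}
# Same domain with a softer DMARC policy and no certificate published.
NOT_READY = dict(READY, **{
    "_dmarc.example.com": "v=DMARC1; p=quarantine; pct=50",
    "default._bimi.example.com": "v=BIMI1; l=https://example.com/logo.svg",
})


def parse_tags(txt):
    """Parse a 'tag=value; tag=value' TXT record into a dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def bimi_readiness(domain, records, dkim_selector="s1"):
    """Return [(step, reason)] for each of the four listed steps not met."""
    problems = []
    spf = records.get(domain, "")
    dkim = parse_tags(records.get(f"{dkim_selector}._domainkey.{domain}", ""))
    dmarc = parse_tags(records.get(f"_dmarc.{domain}", ""))
    bimi = parse_tags(records.get(f"default._bimi.{domain}", ""))

    # Step 1: SPF, DKIM and DMARC are all published.
    missing = []
    if not spf.lower().startswith("v=spf1"):
        missing.append("SPF")
    if not dkim.get("p"):
        missing.append("DKIM")
    if dmarc.get("v") != "DMARC1":
        missing.append("DMARC")
    if missing:
        problems.append((1, "missing record(s): " + ", ".join(missing)))

    # Step 2: policy is reject and applies to 100% of failing mail.
    policy = dmarc.get("p", "").lower()
    try:
        pct = int(dmarc.get("pct", "100"))   # pct defaults to 100 when absent
    except ValueError:
        pct = 0
    if policy != "reject" or pct != 100:
        problems.append((2, f"DMARC is p={policy or 'unset'} pct={pct}"))

    # Step 3: a BIMI record pointing at an SVG logo served over HTTPS.
    logo = bimi.get("l", "").lower()
    if bimi.get("v") != "BIMI1" or not (
            logo.startswith("https://") and logo.endswith(".svg")):
        problems.append((3, "no BIMI record with an https .svg logo"))

    # Step 4: the record references a Verified Mark Certificate.
    if not bimi.get("a", "").lower().startswith("https://"):
        problems.append((4, "BIMI record has no a= certificate URL"))
    return problems


if __name__ == "__main__":
    print("ready:    ", bimi_readiness("example.com", READY))
    print("not ready:", bimi_readiness("example.com", NOT_READY))
```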

What other Inbox Providers support BIMI?

The BIMI working group has a list of all current Inbox Providers that support BIMI.  The good news is that big, global Inbox Providers like Apple, Yahoo!, and now, Google support BIMI as do several smaller or local providers like Fastmail and LaPoste.  This list appears to be growing.

Unfortunately, consistent logo display is an issue.  Many Inbox Providers only have partial support for BIMI or support different rules for displaying BIMI logos online vs via mobile applications.  In addition, many providers do not support BIMI logos in the Inbox view, where most people make the decision on whether or not to open the email.  This reduces the impact to Open Rates and subsequent downstream effects, like Click-through rates and Sales.  

MxToolbox Expert Take

Increased support for BIMI is a great sign for the technology.  After over four years of moving glacially forward, we’re hopeful that this will increase the pace of BIMI adoption.  To a Marketer, the idea of having your logo proudly displayed next to your verified email in the Inbox both increases the chance of the recipient opening the email and improves the reputation of the brand. 

There are Drawbacks

However, the current level of support does not entirely live up to that promise: few Inbox Providers display the logo in the Inbox where Open Rates will be affected. In addition, the extra expense associated with a Verified Mark Certificate might be considered burdensome for many small businesses, leaving gains to the larger businesses and brands.  While the extra security from a VMC is like that of an SSL certificate for ecommerce, the additional value BIMI provides may not be there for every brand yet.  

There are Alternatives

Finally, both Google and Microsoft already have other ways to display user images or logos in the message view of an individual email.  If the sender is a Google Workspace user, their preferred image will be displayed in the same spot as the BIMI logo.  Microsoft offers Microsoft Business Profile program to create a unique identifier card. Office Web Apps in Office 365 and use the verified icon provided to Microsoft when a company joins the program.  A savvy marketer might be able to get much of the BIMI effect from these alternatives.

MxToolbox Recommendation

Focus on the basics of Email Delivery: Technologies like SPF, DKIM and DMARC, and Best Practices in email list management and content relevance. Once your DMARC configuration is really set, then think about icing the cake with BIMI.  To get started with BIMI, check out our Knowledge Base and free BIMI Lookup tool.

Adopting DMARC and getting DMARC to a strict policy is imperative for good email delivery and adopting BIMI. Get started today with MxToolbox Delivery Center.

The Case for SPF Flattening

SPF is an integral part of email delivery.  If your email is not SPF Compliant it has little chance of reaching your intended recipient.  To be SPF Compliant, you must list all of your valid email sources in your SPF record which delegates sending authority to them.  Each provider will have a recommended list of IP addresses to include as part of their setup instructions.  Unfortunately, here’s where SPF can get complicated.

What are the limitations of SPF?

The more email sources you have, the more you need to include in your SPF record.  Many companies utilize multiple email vendors, for example:

  • Inbox Providers – Office365, Google Workspace, Exchange
  • CRMs – Salesforce, Hubspot, Zoho
  • Marketing Automation – Marketo, Eloqua, etc.
  • Order Fulfillment – Netsuite, etc.
  • Support Systems

Each of these systems will have a list of IP addresses to include in your SPF records to ensure that the email they send on your behalf is compliant.  Often, these lists include multiple additional lookups.  SPF has a hard limit of ten (10) lookups for a sending domain. Unfortunately, with even a small number of email sending vendors, it is extremely easy to hit the SPF lookup limit and put your email delivery in jeopardy.

What is SPF Flattening?

SPF Flattening, SPF Refactoring, SPF Restructuring, etc. are all basically the same thing:  repacking all of the valid sending IP addresses for your domain and your senders into fewer SPF records so that every sending IP address is accurately represented and SPF lookup limits are maintained.

Types of SPF Flattening

You have two distinct choices for reducing the SPF lookups in your SPF records:  manual or automatic.  There are pros and cons to both methods, which we’ll discuss below.

Manual SPF Flattening

Manual SPF Flattening requires understanding all the lookups in your vendors’ SPF includes.  You manually take each included record, parse them out, remove duplicates and create a new SPF record.  This can be as simple as removing a few duplicate entries (Gmail is often included in many provider SPF records) or completely refactoring the list of IP addresses at the IP block level.

The advantage here is that you are intimately familiar with every IP address that your company uses to send and you can eliminate blocks of IP addresses that you are not actually sending from.  A lighter, tighter SPF record is thought to be more secure and protect from potential spoofing or fraud because it reduces the attack surface area.

Unfortunately, the disadvantages of this approach are fairly large.  Manual parsing is time-consuming and knowledge-intensive.  In addition, vendors can and will often change the pool of IP addresses they send from.  This, in turn, forces you to update your SPF records to maintain good email delivery.  Finally, manual modifications create a risk of human error or choices that could cause omission of valid sending IP addresses, further risking your email delivery.

Automatic SPF Flattening

Automatic SPF Flattening involves a script or service that hosts your SPF records for you.  An SPF Flattening service will regularly check the email sources you specify should be part of your SPF records, parse, deduplicate and refactor them to ensure a “flat” SPF record that meets the lookup restrictions on SPF.  
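The ten-lookup limit and the parse, deduplicate and refactor steps described above fit in a short script. This is an added example, not MxToolbox's flattening service: the zone data is constructed (documentation domains and address ranges) and stands in for live DNS, `redirect=` is treated like an include, and macros and the 255-character TXT string limit are not handled.

```python
LOOKUP_LIMIT = 10                             # the hard limit named in the text
LOOKUP_TERMS = ("a", "mx", "ptr", "exists")   # mechanisms that cost a DNS lookup

# Constructed SPF records; two vendors re-include the inbox provider's record.
ZONE = {
    "example.com": "v=spf1 mx include:_spf.inbox.example include:_spf.crm.example "
                   "include:_spf.marketing.example include:_spf.support.example ~all",
    "_spf.inbox.example": "v=spf1 include:_netblocks1.inbox.example "
                          "include:_netblocks2.inbox.example ~all",
    "_netblocks1.inbox.example": "v=spf1 ip4:192.0.2.0/25 ~all",
    "_netblocks2.inbox.example": "v=spf1 ip4:192.0.2.128/25 ip6:2001:db8:1::/48 ~all",
    "_spf.crm.example": "v=spf1 include:_spf.inbox.example ip4:198.51.100.0/26 ~all",
    "_spf.marketing.example":
        "v=spf1 include:_spf.inbox.example ip4:198.51.100.64/26 -all",
    "_spf.support.example": "v=spf1 ip4:203.0.113.0/24 a:mail.support.example ~all",
}


def terms(domain, zone):
    """Yield (qualifier, name, value) for each term of a domain's SPF record."""
    for term in zone.get(domain, "").split()[1:]:        # skip "v=spf1"
        qualifier = term[0] if term[0] in "+-~?" else "+"
        body = term.lstrip("+-~?")
        sep = "=" if body.startswith("redirect=") else ":"
        name, _, value = body.partition(sep)
        name, slash, cidr = name.partition("/")           # bare "a/24", "mx/24"
        if slash:
            value = slash + cidr
        yield qualifier, name.lower(), value


def count_lookups(domain, zone, path=()):
    """Count DNS-querying terms; repeated includes count every time."""
    if domain in path:                                    # include loop guard
        return 0
    total = 0
    for _, name, value in terms(domain, zone):
        if name in ("include", "redirect"):
            total += 1 + count_lookups(value, zone, path + (domain,))
        elif name in LOOKUP_TERMS:
            total += 1
    return total


def flatten(domain, zone):
    """Merge every included record into one record for the domain."""
    visited, out = set(), []

    def walk(current):
        if current in visited:                            # duplicate include
            return
        visited.add(current)
        for qualifier, name, value in terms(current, zone):
            if qualifier != "+":
                continue               # only "pass" terms carry through an include
            if name in ("include", "redirect"):
                walk(value)
                continue
            if name in ("ip4", "ip6"):
                term = f"{name}:{value}"
            elif name in LOOKUP_TERMS:
                # A bare a/mx means the record's own domain; pin it explicitly.
                bare = not value or value.startswith("/")
                term = f"{name}:{current + value if bare else value}"
            else:
                continue                                  # all, exp=, unknown
            if term not in out:
                out.append(term)

    walk(domain)
    final = next((q + "all" for q, n, _ in terms(domain, zone) if n == "all"), "?all")
    return " ".join(["v=spf1", *out, final])


if __name__ == "__main__":
    before = count_lookups("example.com", ZONE)
    flat = flatten("example.com", ZONE)
    after = count_lookups("example.com", {"example.com": flat})
    print(f"lookups before: {before} (limit {LOOKUP_LIMIT}), after: {after}")
    print(flat)
```

The flattened record is only correct until a vendor changes its ranges, so the script has to be re-run against the vendors' current records and the output diffed on a schedule.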

The advantage of a fully-automated SPF Flattening service is low maintenance.  Your SPF records will be constantly updated as your legitimate email senders update their sending configurations.  Need a new vendor added?  Update the SPF Flattening host configuration and it’s parsed into your records.

The main disadvantages of automated SPF Flattening are cost and control.  Some providers charge by lookup served, others by domain, while others charge for each time the records are flattened or updated.  There is also a degree of control lost when outsourcing to a 3rd party.  You are now dependent on your host for accurate SPF records, timely updates and uptime.

There are also hybrid flattening options available, where you get a one-time flattened record for a fee and continue to host your own SPF record.  These services do not have automatic update capability or hosting, but they simplify the restructuring of your SPF record and allow you to control what you put in your DNS.  The trade-off here is more maintenance but less cost and more control.

How can MxToolbox help?

You first need to know if you have a problem before solving it.  MxToolbox offers a Free SPF Lookup Tool where you can check your real-time SPF configuration for errors, including the risk of “Too Many Includes”.  

If you have Too Many Includes in your SPF record, we also offer SPF Flattening as part of our Delivery Center Plus package.  Delivery Center Plus also provides everything else you need to manage your email delivery:

  • Inbox Placement Analysis
  • Recipient Complaint Reporting
  • DMARC Email Delivery Performance Reports
  • Email Configuration Analysis
  • Adaptive Sender Blacklist Monitoring
  • Inbound + Outbound MailFlow Monitoring
  • Domain Impersonation Protection
  • Advanced Email Delivery Threat Tools
  • SPF Flattening