Monthly Archives: May 2023

The Case for SPF Flattening

SPF is an integral part of email delivery.  If your email is not SPF compliant, it has little chance of reaching your intended recipient.  To be SPF compliant, you must list all of your valid email sources in your SPF record, which delegates sending authority to them.  Each provider will have a recommended list of IP addresses to include as part of their setup instructions.  Unfortunately, here’s where SPF can get complicated.

What are the limitations of SPF?

The more email sources you have, the more you need to include in your SPF record.  Many companies utilize multiple email vendors, for example:

  • Inbox Providers – Office365, Google Workspace, Exchange
  • CRMs – Salesforce, Hubspot, Zoho
  • Marketing Automation – Marketo, Eloqua, etc.
  • Order Fulfillment – Netsuite, etc.
  • Support Systems

Each of these systems will have a list of IP addresses to include in your SPF record to ensure that the email they send on your behalf is compliant.  Often, these lists are themselves delivered as includes that trigger multiple additional lookups.  SPF has a hard limit of ten (10) DNS lookups per sending domain.  Unfortunately, with even a small number of email sending vendors, it is extremely easy to hit the SPF lookup limit and put your email delivery in jeopardy.

What is SPF Flattening?

SPF Flattening, SPF Refactoring, SPF Restructuring, etc. are all names for basically the same thing:  repacking all of the valid sending IP addresses for your domain and your senders into fewer SPF records so that every sending IP address is accurately represented and the SPF lookup limit is respected.

Types of SPF Flattening

You have two distinct choices for reducing the lookups in your SPF records:  manual or automatic.  There are pros and cons to both methods, which we’ll discuss below.

Manual SPF Flattening

Manual SPF Flattening requires understanding all the lookups in your vendors’ SPF includes.  You manually take each included record, parse it out, remove duplicates and create a new SPF record.  This can be as simple as removing a few duplicate entries (Gmail is often included in many provider SPF records) or completely refactoring the list of IP addresses at the IP block level.

The advantage here is that you are intimately familiar with every IP address that your company uses to send and you can eliminate blocks of IP addresses that you are not actually sending from.  A lighter, tighter SPF record is thought to be more secure and protect from potential spoofing or fraud because it reduces the attack surface area.

Unfortunately, the disadvantages of this approach are fairly large.  Manual parsing is time-consuming and knowledge-intensive.  In addition, vendors can and will often change the pool of IP addresses they send from.  This, in turn, forces you to update your SPF records to maintain good email delivery.  Finally, manual modifications create a risk of human error or choices that could cause omission of valid sending IP addresses, further risking your email delivery.
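As an added example (not MxToolbox code), here is the manual procedure above in Python: count the lookups the way a receiving server does, then inline the includes into a single deduplicated flat record.  A constructed in-memory TXT table (`SPF_RECORDS`, with documentation-range domains and addresses) stands in for DNS, and `spf_terms`, `split_term`, `lookups_in` and `flatten` are this example’s own names.

```python
# Constructed stand-in for DNS TXT lookups (documentation ranges, not real vendor data).
SPF_RECORDS = {
    "example.com": "v=spf1 include:_spf.mailhost.example include:crm.example include:mkt.example -all",
    "_spf.mailhost.example": "v=spf1 include:_netblocks.mailhost.example ip4:198.51.100.0/24 ~all",
    "_netblocks.mailhost.example": "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 ~all",
    "crm.example": "v=spf1 include:_netblocks.mailhost.example ip4:192.0.2.10 ~all",
    "mkt.example": "v=spf1 ip4:192.0.2.0/28 a:mta.mkt.example ~all",
}
MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4 cap on DNS-querying mechanisms

def spf_terms(domain):
    """Mechanism/modifier terms of a domain's SPF record (ValueError if none)."""
    rec = SPF_RECORDS.get(domain, "")
    if not rec.startswith("v=spf1"):
        raise ValueError(f"no SPF record for {domain}")
    return rec.split()[1:]

def split_term(term):
    """'~mx:host/24' -> ('~', 'mx', 'mx:host/24'); the default qualifier is '+'."""
    qual, body = (term[0], term[1:]) if term[0] in "+-~?" else ("+", term)
    name = body.split(":", 1)[0].split("/", 1)[0].split("=", 1)[0].lower()
    return qual, name, body

def lookups_in(terms):
    """Count lookups as a receiver does: include/a/mx/ptr/exists/redirect cost one
    each; includes recurse (redirect targets, void and per-MX limits not modelled)."""
    total = 0
    for term in terms:
        _, name, body = split_term(term)
        if name == "include":
            total += 1 + lookups_in(spf_terms(body.split(":", 1)[1]))
        elif name in ("a", "mx", "ptr", "exists", "redirect"):
            total += 1
    return total

def flatten(domain, qual="+", top=True):
    """Inline includes into ip4/ip6 terms, deduped and ordered. Only '+' terms inside
    an include can match, so others drop and the include's qualifier applies to them."""
    out = []
    for term in spf_terms(domain):
        q, name, body = split_term(term)
        if not top and q != "+":
            continue
        eff = q if top else qual
        if name == "include":
            out += flatten(body.split(":", 1)[1], eff, False)
        elif name != "all" or top:  # only the root record's 'all' is kept
            out.append(("" if eff == "+" else eff) + body)
    return list(dict.fromkeys(out))  # dedupe, first occurrence wins
```

Joining `flatten("example.com")` after `v=spf1` gives the new record; note that the `a:` mechanism is left unresolved here (a real flattener resolves it too) and the netblocks are frozen at flattening time, which is exactly why the record must be regenerated when a vendor changes its pool.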

Automatic SPF Flattening

Automatic SPF Flattening involves a script or service that hosts your SPF records for you.  An SPF Flattening service will regularly check the email sources you specify should be part of your SPF records, parse, deduplicate and refactor them to ensure a “flat” SPF record that meets the lookup restrictions on SPF.  

The advantage of a fully automated SPF Flattening service is low maintenance.  Your SPF records will be constantly updated as your legitimate email senders update their sending configurations.  Need a new vendor added?  Update the SPF Flattening host configuration and it’s parsed into your records.

The main disadvantages of automated SPF Flattening are cost and control.  Some providers charge by lookup served, others by domain, while others charge for each time the records are flattened or updated.  There is also a degree of control lost when outsourcing to a third party.  You are now dependent on your host for accurate SPF records, timely updates and uptime.

There are also hybrid flattening options available, where you get a one-time flattened record for a fee and continue to host your own SPF record.  These services do not have automatic update capability or hosting, but they simplify the restructuring of your SPF record and allow you to control what you put in your DNS.  The trade-off here is more maintenance but less cost and more control.

How can MxToolbox help?

You first need to know if you have a problem before solving it.  MxToolbox offers a Free SPF Lookup Tool where you can check your real-time SPF configuration for errors, including the risk of “Too Many Includes”.  

If you have Too Many Includes in your SPF record, we also offer SPF Flattening as part of our Delivery Center Plus package.  Delivery Center Plus also provides everything else you need to manage your email delivery:

  • Inbox Placement Analysis
  • Recipient Complaint Reporting
  • DMARC Email Delivery Performance Reports
  • Email Configuration Analysis
  • Adaptive Sender Blacklist Monitoring
  • Inbound + Outbound MailFlow Monitoring
  • Domain Impersonation Protection
  • Advanced Email Delivery Threat Tools
  • SPF Flattening

Recent Yahoo DMARC Reporting Issues

Over the weekend, Yahoo! experienced issues with DMARC reporting to email senders.  DMARC processing reports appeared garbled which rendered the reports unusable.  

What is a DMARC Report?

DMARC reports are critical to understanding email delivery.  They contain XML descriptions of email delivery results sent by Inbox Providers to email senders and DMARC reporting tools.  A DMARC report details email volume, SPF, DKIM and DMARC compliance information for a domain sending to that Inbox Provider. It is important for emailers to act upon the information in a DMARC report to improve their email delivery and protect their brand.
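As an added example, not MxToolbox’s analyzer, here is a small Python reader for the aggregate-report XML described above, run over a constructed report (organisation, domain and addresses are made up).  It tallies volume and compliance per source IP and, for a garbled report such as the ones Yahoo! sent, returns an error entry instead of aborting; `SAMPLE_REPORT` and `summarize` are this example’s own names.

```python
import xml.etree.ElementTree as ET
# Constructed DMARC aggregate (rua) report in the RFC 7489 Appendix C layout;
# organisation, domain and source addresses are made up for this example.
SAMPLE_REPORT = """<feedback>
  <report_metadata>
    <org_name>inboxprovider.example</org_name>
    <date_range><begin>1683417600</begin><end>1683503999</end></date_range>
  </report_metadata>
  <policy_published><domain>example.com</domain><p>reject</p></policy_published>
  <record>
    <row><source_ip>203.0.113.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>15</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
</feedback>"""

def summarize(xml_text):
    """Tally volume and DMARC compliance per source IP from one aggregate report.
    policy_evaluated dkim/spf are the aligned results, so a message is compliant
    when either is 'pass'. A garbled report yields an error entry, not an exception."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return {"error": f"unparseable report: {exc}"}
    out = {"org": root.findtext("report_metadata/org_name"),
           "domain": root.findtext("policy_published/domain"),
           "total": 0, "compliant": 0, "sources": {}}
    for row in root.iter("row"):
        n = int(row.findtext("count", "0"))
        ev = row.find("policy_evaluated")
        ok = ev is not None and "pass" in (ev.findtext("dkim"), ev.findtext("spf"))
        src = out["sources"].setdefault(row.findtext("source_ip"),
                                        {"count": 0, "compliant": 0, "dispositions": set()})
        src["count"] += n
        src["compliant"] += n if ok else 0
        if ev is not None:
            src["dispositions"].add(ev.findtext("disposition"))
        out["total"] += n
        out["compliant"] += n if ok else 0
    out["rate"] = round(out["compliant"] / out["total"], 4) if out["total"] else None
    return out
```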

How does this affect Email Senders?

MxToolbox Delivery Center customers and others that sent email to Yahoo! over the weekend will not have accurate information on their DMARC reports back from Yahoo! This will appear as lower than normal email volume, but this should not affect compliance rates.

It is possible that Yahoo! will resend the information now that the issue has been corrected, but it is unlikely.  It is also possible that the data is no longer available or was corrupted at the source, so users can expect a hole in the data for the weekend.

Does this make DMARC less reliable?  How does this affect DMARC reporting?

This appears to be a one-time issue with Yahoo!  The issue appears to be in DMARC reporting, and not DMARC compliance processing, so this does not affect email security or the value of DMARC as an email delivery technology, nor does it seem to affect inbound email.  DMARC compliant email will always be prioritized over non-compliant email by large Inbox Providers like Google and Yahoo!  The main issue is a short-term lack of information from one Inbox Provider, not an issue with DMARC itself.

MxToolbox Helps You Process DMARC Reports

If you have a single, small DMARC report to check out, MxToolbox provides a free DMARC Report Analyzer.  This will give you good insight into how compliant your email was to a single Inbox Provider over a short period of time.

Getting DMARC compliant will improve your email delivery.  To achieve DMARC compliance, you need a DMARC Reporting tool like MxToolbox Delivery Center.  Delivery Center processes, aggregates and analyzes all your DMARC reports across all Inbox Providers.  You get a single interface to understand your SPF, DKIM and DMARC compliance across all your senders.