
The Case for SPF Flattening

SPF is an integral part of email delivery.  If your email is not SPF Compliant, it has little chance of reaching your intended recipient.  To be SPF Compliant, you must list all of your valid email sources in your SPF record, which delegates sending authority to them.  Each provider will have a recommended list of IP addresses to include as part of their setup instructions.  Unfortunately, here’s where SPF can get complicated.

What are the limitations of SPF?

The more email sources you have, the more you need to include in your SPF record.  Many companies utilize multiple email vendors, for example:

  • Inbox Providers – Office365, Google Workspace, Exchange
  • CRMs – Salesforce, Hubspot, Zoho
  • Marketing Automation – Marketo, Eloqua, etc.
  • Order Fulfillment – Netsuite, etc.
  • Support Systems

Each of these systems will have a list of IP addresses to include in your SPF records to ensure that the email they send on your behalf is compliant.  Often, these lists include multiple additional lookups.  SPF has a hard limit of ten (10) lookups for a sending domain.  Unfortunately, with even a small number of email sending vendors, it is extremely easy to hit the SPF lookup limit and put your email delivery in jeopardy.

What is SPF Flattening?

SPF Flattening, SPF Refactoring, SPF Restructuring, etc. are all basically the same thing:  repacking all of the valid sending IP addresses for your domain and your senders into fewer SPF records so that every sending IP address is accurately represented and SPF lookup limits are maintained.

Types of SPF Flattening

You have two distinct choices for reducing the SPF lookups in your SPF records:  manual or automatic.  Both methods have pros and cons, which we’ll discuss below.

Manual SPF Flattening

Manual SPF Flattening requires understanding all the lookups in your vendors’ SPF includes.  You manually take each included record, parse it out, remove duplicates and create a new SPF record.  This can be as simple as removing a few duplicate entries (Gmail is often included in many provider SPF records) or completely refactoring the list of IP addresses at the IP block level.

The advantage here is that you are intimately familiar with every IP address that your company uses to send and you can eliminate blocks of IP addresses that you are not actually sending from.  A lighter, tighter SPF record is thought to be more secure and protect from potential spoofing or fraud because it reduces the attack surface area.

Unfortunately, the disadvantages of this approach are fairly large.  Manual parsing is time-consuming and knowledge-intensive.  In addition, vendors can and often will change the pool of IP addresses they send from.  This, in turn, forces you to update your SPF records to maintain good email delivery.  Finally, manual modifications create a risk of human error or choices that could cause omission of valid sending IP addresses, further risking your email delivery.

Automatic SPF Flattening

Automatic SPF Flattening involves a script or service that hosts your SPF records for you.  An SPF Flattening service will regularly check the email sources you specify should be part of your SPF records, parse, deduplicate and refactor them to ensure a “flat” SPF record that meets the lookup restrictions on SPF.  
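
As an added illustration (not MxToolbox's code or service), the Python example below walks a constructed set of SPF records, counts the lookups that fall under the limit of ten, and repacks the authorized networks into one deduplicated record.  The .example domains, the ZONE table and the walk and flatten functions are assumptions made for the example; mechanisms it cannot resolve offline (such as mx) are kept and still cost a lookup.

```python
import ipaddress

# Constructed TXT records (.example names, documentation IP ranges); a real
# flattener would fetch these from DNS on a schedule.
ZONE = {
    "corp.example": "v=spf1 ip4:192.0.2.10 include:_spf.mail.example "
                    "include:_spf.crm.example mx -all",
    "_spf.mail.example": "v=spf1 include:_blocks.mail.example ip4:198.51.100.0/25 ~all",
    "_blocks.mail.example": "v=spf1 ip4:198.51.100.128/25 ip4:203.0.113.0/24 ~all",
    "_spf.crm.example": "v=spf1 include:_blocks.mail.example ip6:2001:db8::/32 ~all",
}
COSTS_LOOKUP = {"a", "mx", "exists", "ptr"}  # include and redirect also cost one each

def walk(domain, nets, kept):
    """Return worst-case DNS lookups for domain's record; collect what it authorizes."""
    lookups = 0
    for term in ZONE[domain].split()[1:]:
        passes = term[0] not in "-~?"   # only pass-qualified terms authorize senders
        name, _, arg = term.lstrip("+-~?").replace("=", ":", 1).partition(":")
        mech, slash, cidr = name.partition("/")
        if mech in ("include", "redirect"):
            lookups += 1 + walk(arg, nets if passes else [], kept if passes else [])
        elif mech in COSTS_LOOKUP:
            lookups += 1
            if passes:  # cannot be resolved offline: keep it, bound to its own domain
                kept.append(f"{mech}:{arg or domain + slash + cidr}")
        elif mech in ("ip4", "ip6") and passes:
            nets.append(ipaddress.ip_network(arg, strict=False))
    return lookups

def flatten(domain):
    """Return (lookups before, lookups after, flattened record) for domain."""
    nets, kept = [], []
    before = walk(domain, nets, kept)
    # collapse_addresses drops duplicates and merges adjacent or nested blocks
    v4 = ipaddress.collapse_addresses(n for n in nets if n.version == 4)
    v6 = ipaddress.collapse_addresses(n for n in nets if n.version == 6)
    terms = [f"ip4:{n}" for n in v4] + [f"ip6:{n}" for n in v6] + kept
    policy = ZONE[domain].split()[-1]  # assumes the record ends with its "all" term
    return before, len(kept), " ".join(["v=spf1", *terms, policy])

if __name__ == "__main__":
    before, after, record = flatten("corp.example")
    print(f"lookups: {before} -> {after} (limit 10)")
    print(record)
```

The flattened record is a snapshot of the included records at the time it was built, so it has to be regenerated whenever a vendor changes its sending pool.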

The advantage of a fully automated SPF Flattening service is low maintenance.  Your SPF records will be constantly updated as your legitimate email senders update their sending configurations.  Need a new vendor added?  Update the SPF Flattening host configuration and it’s parsed into your records.

The main disadvantages of automated SPF Flattening are cost and control.  Some providers charge by lookup served, others by domain, while others charge each time the records are flattened or updated.  There is also a degree of control lost when outsourcing to a third party.  You are now dependent on your host for accurate SPF records, timely updates and uptime.

There are also hybrid flattening options available, where you get a one-time flattened record for a fee and continue to host your own SPF record.  These services do not have automatic update capability or hosting, but they simplify the restructuring of your SPF record and allow you to control what you put in your DNS.  The trade-off here is more maintenance but less cost and more control.

How can MxToolbox help?

You first need to know if you have a problem before solving it.  MxToolbox offers a Free SPF Lookup Tool where you can check your real-time SPF configuration for errors, including the risk of “Too Many Includes”.  

If you have Too Many Includes in your SPF record, we also offer SPF Flattening as part of our Delivery Center Plus package.  Delivery Center Plus also provides everything else you need to manage your email delivery:

  • Inbox Placement Analysis
  • Recipient Complaint Reporting
  • DMARC Email Delivery Performance Reports
  • Email Configuration Analysis
  • Adaptive Sender Blacklist Monitoring
  • Inbound + Outbound MailFlow Monitoring
  • Domain Impersonation Protection
  • Advanced Email Delivery Threat Tools
  • SPF Flattening