{"id":4573,"date":"2025-12-22T16:23:09","date_gmt":"2025-12-22T16:23:09","guid":{"rendered":"https:\/\/emailwarmup.com\/blog\/?p=4573"},"modified":"2026-03-05T13:18:52","modified_gmt":"2026-03-05T13:18:52","slug":"spf-flattening","status":"publish","type":"post","link":"https:\/\/emailwarmup.com\/blog\/email-authentication\/spf-flattening\/","title":{"rendered":"SPF Flattening Explained \u2014 [Solving the DNS Lookup Limit Problem]"},"content":{"rendered":"\n<figure class=\"wp-block-image size-full\"><img fetchpriority=\"high\" decoding=\"async\" width=\"3448\" height=\"2195\" src=\"https:\/\/emailwarmup.com\/blog\/wp-content\/uploads\/2025\/12\/SPF-Flattening_11zon.jpg\" alt=\"SPF flattening\" class=\"wp-image-4574\"\/><\/figure>\n\n\n\n<p>SPF flattening converts domain-based mechanisms (like include:) into direct IP addresses. The technique bypasses the 10-DNS lookup limit that causes authentication failures when you use too many email services.<\/p>\n\n\n\n<p>SPF flattening helps you in many ways:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>It reduces DNS lookups by replacing includes with ip4\/ip6 entries<\/li>\n\n\n\n<li>It prevents PermError, which triggers when the limit is exceeded<\/li>\n\n\n\n<li>It keeps SPF functional as you add more sending services<\/li>\n<\/ul>\n\n\n\n<p>The approach works \u2014 but carries significant maintenance <em>risks<\/em> that make manual flattening <strong>dangerous<\/strong> for most organizations. Understanding when flattening helps (and when it backfires) prevents authentication disasters that tank your <a href=\"https:\/\/emailwarmup.com\/blog\/email-deliverability\/what-is-email-deliverability\/\">email deliverability<\/a>.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Why does SPF have a 10-lookup limit?<\/h2>\n\n\n\n<p>The SPF specification (RFC 7208) caps DNS lookups at 10 to prevent abuse.&nbsp;<\/p>\n\n\n\n<p>Without this constraint, a malicious or poorly configured record could trigger hundreds of recursive queries, overwhelming the DNS infrastructure.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Technical constraint<\/h3>\n\n\n\n<p>Every include:, a, mx, and redirect= mechanism triggers a DNS lookup during SPF evaluation. Direct IP mechanisms (ip4:, ip6:) don&#8217;t count because they require no resolution.<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><tbody><tr><td>Mechanism<\/td><td>Counts toward limit?<\/td><\/tr><tr><td>include:<\/td><td>Yes<\/td><\/tr><tr><td>a<\/td><td>Yes<\/td><\/tr><tr><td>mx<\/td><td>Yes<\/td><\/tr><tr><td>ptr<\/td><td>Yes (deprecated, avoid)<\/td><\/tr><tr><td>exists<\/td><td>Yes<\/td><\/tr><tr><td>redirect=<\/td><td>Yes<\/td><\/tr><tr><td>ip4:<\/td><td>No<\/td><\/tr><tr><td>ip6:<\/td><td>No<\/td><\/tr><tr><td>all<\/td><td>No<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">The math problem<\/h3>\n\n\n\n<p>Modern organizations stack email services quickly. A typical setup might include:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Zendesk (1-2 lookups)<\/li>\n\n\n\n<li>Marketing platform (2 lookups)<\/li>\n\n\n\n<li>Google Workspace (2 lookups)<\/li>\n\n\n\n<li>Salesforce (2 lookups)<\/li>\n\n\n\n<li>HubSpot (2 lookups)<\/li>\n<\/ul>\n\n\n\n<p>That&#8217;s already 9-10 lookups \u2014 and you haven&#8217;t added your transactional email provider yet.&nbsp;<\/p>\n\n\n\n<p>Each vendor&#8217;s include: statement also contains nested includes, which count against your limit. The <a href=\"https:\/\/emailwarmup.com\/blog\/email-authentication\/spf-record\/\">SPF record<\/a> basics matter here, but the lookup math catches most people off guard.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">The problem with the 11th lookup<\/h3>\n\n\n\n<p>When a receiving server hits the 11th lookup, it stops evaluating and returns PermError (permanent error). The SPF check fails completely.&nbsp;<\/p>\n\n\n\n<p>Depending on the recipient&#8217;s <a href=\"https:\/\/emailwarmup.com\/blog\/email-authentication\/dmarc\/\">DMARC policy<\/a>, your email may be rejected, quarantined, or filtered as spam \u2014 even if you&#8217;re a legitimate sender with properly authorized services.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">How does SPF flattening work?<\/h2>\n\n\n\n<p>Flattening tools (or manual effort) resolve all domain-based mechanisms to the underlying IP addresses. The result is a record that requires no additional DNS lookups because everything is already specified.<\/p>\n\n\n\n<p>The flattening sequence follows predictable steps:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Query each include: domain recursively<\/li>\n\n\n\n<li>Extract all authorized IP addresses from nested records<\/li>\n\n\n\n<li>Consolidate overlapping ranges into CIDR notation<\/li>\n\n\n\n<li>Remove deprecated mechanisms like ptr<\/li>\n\n\n\n<li>Compile everything into a single flat record<\/li>\n<\/ol>\n\n\n\n<p>So it looks something like this:<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><tbody><tr><td>Before flattening (4+ lookups)<\/td><td>After flattening (0 lookups)<\/td><\/tr><tr><td>include:_spf.google.com include:sendgrid.net include:mail.zendesk.com -all<\/td><td>ip4:209.85.128.0\/17 ip4:167.89.0.0\/17 ip4:192.161.144.0\/20 -all<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p>The flattened version lists every IP range directly. Receiving servers can validate without having to query additional DNS records.<\/p>\n\n\n\n<p>The problem is that flattening significantly expands your record. DNS TXT records have a 255-character limit per string.&nbsp;<\/p>\n\n\n\n<p>A flattened record with dozens of IP ranges can exceed this, requiring record splitting across multiple strings \u2014 which reintroduces complexity and potential syntax errors.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">What are the risks of manual SPF flattening?<\/h2>\n\n\n\n<p>Manual flattening is widely discouraged among email authentication experts. The technique solves one problem while creating several others.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Stale IP addresses<\/h3>\n\n\n\n<p>Email service providers (Google, Microsoft, SendGrid) change their IP ranges frequently \u2014 sometimes monthly, sometimes without any notice.&nbsp;<\/p>\n\n\n\n<p>A manually flattened record is static. When a vendor adds new sending IPs and your record doesn&#8217;t include them, legitimate emails fail authentication.<\/p>\n\n\n\n<p>The failures are <em>silent<\/em>. You won&#8217;t know until <a href=\"https:\/\/emailwarmup.com\/blog\/email-deliverability\/sender-reputation\/\">sender reputation<\/a> goes down or customers report missing messages. By then, the damage has accumulated over days or weeks.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Maintenance burden<\/h3>\n\n\n\n<p>Manual flattening demands ongoing effort that quickly becomes unsustainable:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Regular DNS updates (monthly at a minimum)<\/li>\n\n\n\n<li>Testing after every change (to catch syntax errors)<\/li>\n\n\n\n<li>Documentation of which IPs belong to which service<\/li>\n\n\n\n<li>Monitoring every vendor&#8217;s IP changes (impossible at scale)<\/li>\n<\/ul>\n\n\n\n<p>For organizations using 5+ email services, the maintenance overhead consumes significant IT resources with no end in sight.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Human error<\/h3>\n\n\n\n<p>Long strings of IP addresses invite mistakes:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Typos in IP ranges<\/li>\n\n\n\n<li>Missing CIDR notation<\/li>\n\n\n\n<li>Accidental deletion of needed IPs<\/li>\n\n\n\n<li>Syntax errors that invalidate the entire record<\/li>\n<\/ul>\n\n\n\n<p>One wrong character can break authentication for <em>all<\/em> outbound email. The record looks valid in your DNS panel, but receiving servers reject everything.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Security concerns<\/h3>\n\n\n\n<p>Flattening often authorizes the use of broad IP ranges to stay within character limits. You might authorize \/16 blocks when only specific \/24s actually send on your behalf. Those unused portions become potential spoofing vectors if attackers gain access to any IP within your authorized ranges.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Should you use automated flattening instead?<\/h2>\n\n\n\n<p>Automated flattening services monitor vendor inclusion in real-time. When Google or Salesforce updates its IP ranges, the service detects the change and automatically updates your flattened record.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Automation benefits<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Provides an audit trail of modifications<\/li>\n\n\n\n<li>Records stay current without manual intervention<\/li>\n\n\n\n<li>Changes deploy within minutes of vendor updates<\/li>\n\n\n\n<li>Syntax is machine-generated (no typos)<\/li>\n<\/ul>\n\n\n\n<p>The &#8220;set and forget&#8221; workflow eliminates the maintenance burden that makes manual flattening so risky.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Remaining limitations<\/h3>\n\n\n\n<p>Even automated flattening doesn&#8217;t solve every problem:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Cost adds up for enterprise deployments<\/li>\n\n\n\n<li>Dependency on third-party service availability<\/li>\n\n\n\n<li>Character limits still apply (record splitting may be needed)<\/li>\n\n\n\n<li>You&#8217;re authorizing IPs, not services (visibility loss during troubleshooting)<\/li>\n<\/ul>\n\n\n\n<p>Automation is better than manual, but alternatives exist that avoid flattening entirely.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">What alternatives exist to SPF flattening?<\/h2>\n\n\n\n<p>Flattening <strong>isn&#8217;t<\/strong> the only solution. Several approaches bypass the lookup limit without converting your record to a static IP list.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Subdomain segmentation<\/h3>\n\n\n\n<p>Move different email streams to dedicated subdomains:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>marketing.example.com for campaign emails<\/li>\n\n\n\n<li>support.example.com for ticketing systems<\/li>\n\n\n\n<li>billing.example.com for transactional messages<\/li>\n<\/ul>\n\n\n\n<p>Each subdomain gets its own independent 10-lookup limit. Your main domain stays clean with minimal includes. The trade-off is managing reputation across multiple sending domains\u2014each builds (or damages) its own track record independently.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">SPF macros<\/h3>\n\n\n\n<p>Advanced configurations use the exists mechanism with macros to bypass the lookup limit entirely.&nbsp;<\/p>\n\n\n\n<p>The macro dynamically queries a specialized DNS record at send time and checks the sender&#8217;s IP address against a database. One lookup handles unlimited senders.<\/p>\n\n\n\n<p>Macros are powerful but complex to implement correctly. The <a href=\"https:\/\/emailwarmup.com\/blog\/email-authentication\/email-infrastructure\/\">email infrastructure<\/a> needed to support macro-based SPF requires expertise that most organizations lack internally.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Record pruning<\/h3>\n\n\n\n<p>Before flattening, audit what you actually need:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Remove vendors you no longer use<\/li>\n\n\n\n<li>Check if a and mx mechanisms are necessary<\/li>\n\n\n\n<li>Use <a href=\"https:\/\/emailwarmup.com\/blog\/email-authentication\/how-to-read-dmarc-reports\/\">DMARC reports<\/a> to identify unused authorized senders<\/li>\n<\/ul>\n\n\n\n<p>Sometimes the problem isn&#8217;t the limit \u2014 it&#8217;s record bloat from orphaned services that nobody remembers adding.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">DKIM reliance<\/h3>\n\n\n\n<p>DMARC requires <em>either<\/em> SPF or DKIM to pass in alignment. If SPF is problematic, ensure <a href=\"https:\/\/emailwarmup.com\/blog\/email-authentication\/dkim\/\">DKIM<\/a> is properly configured. Strong DKIM authentication provides a backup when SPF hits edge cases.<\/p>\n\n\n\n<p>The backup isn&#8217;t ideal (you want both mechanisms working), but it prevents a complete authentication failure while you sort out the SPF complexity.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">How do you check your current SPF lookup count?<\/h2>\n\n\n\n<p>Before making changes, understand your current state. Verification takes seconds with the right tools.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Lookup tools<\/h3>\n\n\n\n<p>Use an <a href=\"https:\/\/emailwarmup.com\/spf-lookup\">SPF lookup tool<\/a> to see your current lookup count. The tool recursively resolves your record and reports the total number of lookups.<\/p>\n\n\n\n<p>What to check:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Total lookup count (must be \u226410)<\/li>\n\n\n\n<li>Which mechanisms trigger lookups<\/li>\n\n\n\n<li>Deprecated mechanisms like ptr that waste lookups<\/li>\n\n\n\n<li>Nested includes (some vendors include other vendors)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Testing changes<\/h3>\n\n\n\n<p>Before publishing any flattened or modified record:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Validate syntax with SPF testing tools<\/li>\n\n\n\n<li>Use short TTL initially (300 seconds) for quick rollback<\/li>\n\n\n\n<li>Monitor DMARC reports for unexpected failures<\/li>\n\n\n\n<li>Have a rollback plan ready<\/li>\n<\/ul>\n\n\n\n<p>The <a href=\"https:\/\/emailwarmup.com\/email-deliverability-test\">email deliverability test<\/a> can verify the authentication status after changes. If something breaks, a short TTL means the old record expires quickly from caches.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">SPF flattening solves a real problem \u2014 but carries real risks<\/h2>\n\n\n\n<p>Manual flattening is almost never worth the maintenance burden.&nbsp;<\/p>\n\n\n\n<p>Automation eliminates the risk of stale records, while subdomain segmentation and macros avoid flattening entirely.<\/p>\n\n\n\n<p>The right choice depends on your <a href=\"https:\/\/emailwarmup.com\/blog\/email-authentication\/email-infrastructure\/\">email infrastructure<\/a> complexity, technical resources, and tolerance for ongoing maintenance.\u00a0<\/p>\n\n\n\n<p>Use the <a href=\"https:\/\/emailwarmup.com\/spf-generator\">SPF generator<\/a> to create valid records, and consider an <a href=\"https:\/\/emailwarmup.com\/email-deliverability-consultant\">email deliverability consultant<\/a> if multi-vendor SPF is causing persistent authentication failures.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Frequently asked questions<\/h2>\n\n\n\n<p>Here are some commonly asked questions about SPF flattening:<\/p>\n\n\n\n<div class=\"schema-faq wp-block-yoast-faq-block\"><div class=\"schema-faq-section\" id=\"faq-question-1766420287777\"><strong class=\"schema-faq-question\">What causes SPF PermError?<\/strong> <p class=\"schema-faq-answer\">PermError occurs when SPF evaluation exceeds 10 DNS lookups, encounters a syntax error, or hits a void lookup (a domain that doesn&#8217;t exist). The result is an authentication failure \u2014 receiving servers can&#8217;t determine whether your sending IP is authorized.<\/p> <\/div> <div class=\"schema-faq-section\" id=\"faq-question-1766420295167\"><strong class=\"schema-faq-question\">Can I have more than 10 include statements?<\/strong> <p class=\"schema-faq-answer\">Not directly. Each include: counts as one lookup, and nested includes within those count too. If your includes total more than 10 lookups (including nesting), you need flattening, macros, or subdomain segmentation to stay compliant.<\/p> <\/div> <div class=\"schema-faq-section\" id=\"faq-question-1766420300384\"><strong class=\"schema-faq-question\">How often do email providers change their IP ranges?<\/strong> <p class=\"schema-faq-answer\">Major providers update IP ranges regularly \u2014 sometimes monthly, sometimes without notice. Google, Microsoft, and marketing platforms all manage dynamic infrastructure that evolves constantly. Any static record eventually goes stale.<\/p> <\/div> <div class=\"schema-faq-section\" id=\"faq-question-1766420307004\"><strong class=\"schema-faq-question\">Is flattening required for DMARC compliance?<\/strong> <p class=\"schema-faq-answer\">Flattening isn&#8217;t required, but functioning SPF is. If your SPF exceeds the lookup limit and returns PermError, SPF-based DMARC alignment fails. Flattening (or alternatives) keeps SPF valid so it can contribute to authentication alongside <a href=\"https:\/\/emailwarmup.com\/blog\/how-to-setup-dkim\/\">DKIM<\/a>.<\/p> <\/div> <\/div>\n\n\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>SPF flattening converts domain-based mechanisms (like include:) into direct IP addresses. The technique bypasses the 10-DNS lookup limit that causes authentication failures when you use too many email services. SPF flattening helps you in many ways: The approach works \u2014 but carries significant maintenance risks that make manual flattening dangerous for most organizations. Understanding when [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":4574,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_uag_custom_page_level_css":"","footnotes":""},"categories":[26],"tags":[],"class_list":["post-4573","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-email-authentication"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v25.0 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>SPF Flattening Explained \u2014 [Solving DNS Lookup Limit Problem]<\/title>\n<meta name=\"description\" content=\"SPF flattening converts include mechanisms into IPs to bypass the 10 lookup limit. Learn when it helps, when it hurts, safer alternatives.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/emailwarmup.com\/blog\/email-authentication\/spf-flattening\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"SPF Flattening Explained \u2014 [Solving DNS Lookup Limit Problem]\" \/>\n<meta property=\"og:description\" content=\"SPF flattening converts include mechanisms into IPs to bypass the 10 lookup limit. Learn when it helps, when it hurts, safer alternatives.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/emailwarmup.com\/blog\/email-authentication\/spf-flattening\/\" \/>\n<meta property=\"og:site_name\" content=\"Email Warmup\" \/>\n<meta property=\"article:published_time\" content=\"2025-12-22T16:23:09+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2026-03-05T13:18:52+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/emailwarmup.com\/blog\/wp-content\/uploads\/2025\/12\/SPF-Flattening_11zon.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"3448\" \/>\n\t<meta property=\"og:image:height\" content=\"2195\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Daniyal Dehleh\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Daniyal Dehleh\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"7 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/emailwarmup.com\/blog\/email-authentication\/spf-flattening\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/emailwarmup.com\/blog\/email-authentication\/spf-flattening\/\"},\"author\":{\"name\":\"Daniyal Dehleh\",\"@id\":\"https:\/\/emailwarmup.com\/blog\/#\/schema\/person\/fb2aa8d9a54b3d4d28e96de4d49361a5\"},\"headline\":\"SPF Flattening Explained \u2014 [Solving the DNS Lookup Limit Problem]\",\"datePublished\":\"2025-12-22T16:23:09+00:00\",\"dateModified\":\"2026-03-05T13:18:52+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/emailwarmup.com\/blog\/email-authentication\/spf-flattening\/\"},\"wordCount\":1515,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/emailwarmup.com\/blog\/#organization\"},\"image\":{\"@id\":\"https:\/\/emailwarmup.com\/blog\/email-authentication\/spf-flattening\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/emailwarmup.com\/blog\/wp-content\/uploads\/2025\/12\/SPF-Flattening_11zon.jpg\",\"articleSection\":[\"Email Authentication\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/emailwarmup.com\/blog\/email-authentication\/spf-flattening\/#respond\"]}]},{\"@type\":[\"WebPage\",\"FAQPage\"],\"@id\":\"https:\/\/emailwarmup.com\/blog\/email-authentication\/spf-flattening\/\",\"url\":\"https:\/\/emailwarmup.com\/blog\/email-authentication\/spf-flattening\/\",\"name\":\"SPF Flattening Explained \u2014 [Solving DNS Lookup Limit Problem]\",\"isPartOf\":{\"@id\":\"https:\/\/emailwarmup.com\/blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/emailwarmup.com\/blog\/email-authentication\/spf-flattening\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/emailwarmup.com\/blog\/email-authentication\/spf-flattening\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/emailwarmup.com\/blog\/wp-content\/uploads\/2025\/12\/SPF-Flattening_11zon.jpg\",\"datePublished\":\"2025-12-22T16:23:09+00:00\",\"dateModified\":\"2026-03-05T13:18:52+00:00\",\"description\":\"SPF flattening converts include mechanisms into IPs to bypass the 10 lookup limit. Learn when it helps, when it hurts, safer alternatives.\",\"breadcrumb\":{\"@id\":\"https:\/\/emailwarmup.com\/blog\/email-authentication\/spf-flattening\/#breadcrumb\"},\"mainEntity\":[{\"@id\":\"https:\/\/emailwarmup.com\/blog\/email-authentication\/spf-flattening\/#faq-question-1766420287777\"},{\"@id\":\"https:\/\/emailwarmup.com\/blog\/email-authentication\/spf-flattening\/#faq-question-1766420295167\"},{\"@id\":\"https:\/\/emailwarmup.com\/blog\/email-authentication\/spf-flattening\/#faq-question-1766420300384\"},{\"@id\":\"https:\/\/emailwarmup.com\/blog\/email-authentication\/spf-flattening\/#faq-question-1766420307004\"}],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/emailwarmup.com\/blog\/email-authentication\/spf-flattening\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/emailwarmup.com\/blog\/email-authentication\/spf-flattening\/#primaryimage\",\"url\":\"https:\/\/emailwarmup.com\/blog\/wp-content\/uploads\/2025\/12\/SPF-Flattening_11zon.jpg\",\"contentUrl\":\"https:\/\/emailwarmup.com\/blog\/wp-content\/uploads\/2025\/12\/SPF-Flattening_11zon.jpg\",\"width\":3448,\"height\":2195,\"caption\":\"SPF flattening\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/emailwarmup.com\/blog\/email-authentication\/spf-flattening\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/emailwarmup.com\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"SPF Flattening Explained \u2014 [Solving the DNS Lookup Limit Problem]\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/emailwarmup.com\/blog\/#website\",\"url\":\"https:\/\/emailwarmup.com\/blog\/\",\"name\":\"Email WarmUp\",\"description\":\"100% Inbox Guaranteed.\",\"publisher\":{\"@id\":\"https:\/\/emailwarmup.com\/blog\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/emailwarmup.com\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/emailwarmup.com\/blog\/#organization\",\"name\":\"Email WarmUp\",\"url\":\"https:\/\/emailwarmup.com\/blog\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/emailwarmup.com\/blog\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/emailwarmup.com\/blog\/wp-content\/uploads\/2025\/05\/Group-42350.png\",\"contentUrl\":\"https:\/\/emailwarmup.com\/blog\/wp-content\/uploads\/2025\/05\/Group-42350.png\",\"width\":400,\"height\":271,\"caption\":\"Email WarmUp\"},\"image\":{\"@id\":\"https:\/\/emailwarmup.com\/blog\/#\/schema\/logo\/image\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\/\/emailwarmup.com\/blog\/#\/schema\/person\/fb2aa8d9a54b3d4d28e96de4d49361a5\",\"name\":\"Daniyal Dehleh\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/emailwarmup.com\/blog\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/emailwarmup.com\/blog\/wp-content\/uploads\/2025\/05\/image-2.png\",\"contentUrl\":\"https:\/\/emailwarmup.com\/blog\/wp-content\/uploads\/2025\/05\/image-2.png\",\"caption\":\"Daniyal Dehleh\"},\"description\":\"Daniyal is an award-winning email marketing and deliverability consultant trusted by global brands like LA Fitness, Remax, and Deel. With a proven record of boosting open rates, click-throughs, and ROI by 300% or more, he is recognized as a renowned email marketing expert. For over a decade, he has refined a top-down optimization strategy that aligns technical infrastructure, creative execution, and a tight feedback loop into a system that delivers consistent results for companies of all sizes. Now, Daniyal is pulling back the curtain to share the proven frameworks and insights he\u2019s gathered\u2014helping businesses worldwide achieve the highest possible ROI from their email programs.\",\"url\":\"https:\/\/emailwarmup.com\/blog\/author\/daniyaldehleh\/\"},{\"@type\":\"Question\",\"@id\":\"https:\/\/emailwarmup.com\/blog\/email-authentication\/spf-flattening\/#faq-question-1766420287777\",\"position\":1,\"url\":\"https:\/\/emailwarmup.com\/blog\/email-authentication\/spf-flattening\/#faq-question-1766420287777\",\"name\":\"What causes SPF PermError?\",\"answerCount\":1,\"acceptedAnswer\":{\"@type\":\"Answer\",\"text\":\"PermError occurs when SPF evaluation exceeds 10 DNS lookups, encounters a syntax error, or hits a void lookup (a domain that doesn't exist). The result is an authentication failure \u2014 receiving servers can't determine whether your sending IP is authorized.\",\"inLanguage\":\"en-US\"},\"inLanguage\":\"en-US\"},{\"@type\":\"Question\",\"@id\":\"https:\/\/emailwarmup.com\/blog\/email-authentication\/spf-flattening\/#faq-question-1766420295167\",\"position\":2,\"url\":\"https:\/\/emailwarmup.com\/blog\/email-authentication\/spf-flattening\/#faq-question-1766420295167\",\"name\":\"Can I have more than 10 include statements?\",\"answerCount\":1,\"acceptedAnswer\":{\"@type\":\"Answer\",\"text\":\"Not directly. Each include: counts as one lookup, and nested includes within those count too. If your includes total more than 10 lookups (including nesting), you need flattening, macros, or subdomain segmentation to stay compliant.\",\"inLanguage\":\"en-US\"},\"inLanguage\":\"en-US\"},{\"@type\":\"Question\",\"@id\":\"https:\/\/emailwarmup.com\/blog\/email-authentication\/spf-flattening\/#faq-question-1766420300384\",\"position\":3,\"url\":\"https:\/\/emailwarmup.com\/blog\/email-authentication\/spf-flattening\/#faq-question-1766420300384\",\"name\":\"How often do email providers change their IP ranges?\",\"answerCount\":1,\"acceptedAnswer\":{\"@type\":\"Answer\",\"text\":\"Major providers update IP ranges regularly \u2014 sometimes monthly, sometimes without notice. Google, Microsoft, and marketing platforms all manage dynamic infrastructure that evolves constantly. Any static record eventually goes stale.\",\"inLanguage\":\"en-US\"},\"inLanguage\":\"en-US\"},{\"@type\":\"Question\",\"@id\":\"https:\/\/emailwarmup.com\/blog\/email-authentication\/spf-flattening\/#faq-question-1766420307004\",\"position\":4,\"url\":\"https:\/\/emailwarmup.com\/blog\/email-authentication\/spf-flattening\/#faq-question-1766420307004\",\"name\":\"Is flattening required for DMARC compliance?\",\"answerCount\":1,\"acceptedAnswer\":{\"@type\":\"Answer\",\"text\":\"Flattening isn't required, but functioning SPF is. If your SPF exceeds the lookup limit and returns PermError, SPF-based DMARC alignment fails. Flattening (or alternatives) keeps SPF valid so it can contribute to authentication alongside <a href=\\\"https:\/\/emailwarmup.com\/blog\/how-to-setup-dkim\/\\\">DKIM<\/a>.\",\"inLanguage\":\"en-US\"},\"inLanguage\":\"en-US\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"SPF Flattening Explained \u2014 [Solving DNS Lookup Limit Problem]","description":"SPF flattening converts include mechanisms into IPs to bypass the 10 lookup limit. Learn when it helps, when it hurts, safer alternatives.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/emailwarmup.com\/blog\/email-authentication\/spf-flattening\/","og_locale":"en_US","og_type":"article","og_title":"SPF Flattening Explained \u2014 [Solving DNS Lookup Limit Problem]","og_description":"SPF flattening converts include mechanisms into IPs to bypass the 10 lookup limit. Learn when it helps, when it hurts, safer alternatives.","og_url":"https:\/\/emailwarmup.com\/blog\/email-authentication\/spf-flattening\/","og_site_name":"Email Warmup","article_published_time":"2025-12-22T16:23:09+00:00","article_modified_time":"2026-03-05T13:18:52+00:00","og_image":[{"width":3448,"height":2195,"url":"https:\/\/emailwarmup.com\/blog\/wp-content\/uploads\/2025\/12\/SPF-Flattening_11zon.jpg","type":"image\/jpeg"}],"author":"Daniyal Dehleh","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Daniyal Dehleh","Est. reading time":"7 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/emailwarmup.com\/blog\/email-authentication\/spf-flattening\/#article","isPartOf":{"@id":"https:\/\/emailwarmup.com\/blog\/email-authentication\/spf-flattening\/"},"author":{"name":"Daniyal Dehleh","@id":"https:\/\/emailwarmup.com\/blog\/#\/schema\/person\/fb2aa8d9a54b3d4d28e96de4d49361a5"},"headline":"SPF Flattening Explained \u2014 [Solving the DNS Lookup Limit Problem]","datePublished":"2025-12-22T16:23:09+00:00","dateModified":"2026-03-05T13:18:52+00:00","mainEntityOfPage":{"@id":"https:\/\/emailwarmup.com\/blog\/email-authentication\/spf-flattening\/"},"wordCount":1515,"commentCount":0,"publisher":{"@id":"https:\/\/emailwarmup.com\/blog\/#organization"},"image":{"@id":"https:\/\/emailwarmup.com\/blog\/email-authentication\/spf-flattening\/#primaryimage"},"thumbnailUrl":"https:\/\/emailwarmup.com\/blog\/wp-content\/uploads\/2025\/12\/SPF-Flattening_11zon.jpg","articleSection":["Email Authentication"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/emailwarmup.com\/blog\/email-authentication\/spf-flattening\/#respond"]}]},{"@type":["WebPage","FAQPage"],"@id":"https:\/\/emailwarmup.com\/blog\/email-authentication\/spf-flattening\/","url":"https:\/\/emailwarmup.com\/blog\/email-authentication\/spf-flattening\/","name":"SPF Flattening Explained \u2014 [Solving DNS Lookup Limit Problem]","isPartOf":{"@id":"https:\/\/emailwarmup.com\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/emailwarmup.com\/blog\/email-authentication\/spf-flattening\/#primaryimage"},"image":{"@id":"https:\/\/emailwarmup.com\/blog\/email-authentication\/spf-flattening\/#primaryimage"},"thumbnailUrl":"https:\/\/emailwarmup.com\/blog\/wp-content\/uploads\/2025\/12\/SPF-Flattening_11zon.jpg","datePublished":"2025-12-22T16:23:09+00:00","dateModified":"2026-03-05T13:18:52+00:00","description":"SPF flattening converts include mechanisms into IPs to bypass the 10 lookup limit. Learn when it helps, when it hurts, safer alternatives.","breadcrumb":{"@id":"https:\/\/emailwarmup.com\/blog\/email-authentication\/spf-flattening\/#breadcrumb"},"mainEntity":[{"@id":"https:\/\/emailwarmup.com\/blog\/email-authentication\/spf-flattening\/#faq-question-1766420287777"},{"@id":"https:\/\/emailwarmup.com\/blog\/email-authentication\/spf-flattening\/#faq-question-1766420295167"},{"@id":"https:\/\/emailwarmup.com\/blog\/email-authentication\/spf-flattening\/#faq-question-1766420300384"},{"@id":"https:\/\/emailwarmup.com\/blog\/email-authentication\/spf-flattening\/#faq-question-1766420307004"}],"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/emailwarmup.com\/blog\/email-authentication\/spf-flattening\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/emailwarmup.com\/blog\/email-authentication\/spf-flattening\/#primaryimage","url":"https:\/\/emailwarmup.com\/blog\/wp-content\/uploads\/2025\/12\/SPF-Flattening_11zon.jpg","contentUrl":"https:\/\/emailwarmup.com\/blog\/wp-content\/uploads\/2025\/12\/SPF-Flattening_11zon.jpg","width":3448,"height":2195,"caption":"SPF flattening"},{"@type":"BreadcrumbList","@id":"https:\/\/emailwarmup.com\/blog\/email-authentication\/spf-flattening\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/emailwarmup.com\/blog\/"},{"@type":"ListItem","position":2,"name":"SPF Flattening Explained \u2014 [Solving the DNS Lookup Limit Problem]"}]},{"@type":"WebSite","@id":"https:\/\/emailwarmup.com\/blog\/#website","url":"https:\/\/emailwarmup.com\/blog\/","name":"Email WarmUp","description":"100% Inbox Guaranteed.","publisher":{"@id":"https:\/\/emailwarmup.com\/blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/emailwarmup.com\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/emailwarmup.com\/blog\/#organization","name":"Email WarmUp","url":"https:\/\/emailwarmup.com\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/emailwarmup.com\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/emailwarmup.com\/blog\/wp-content\/uploads\/2025\/05\/Group-42350.png","contentUrl":"https:\/\/emailwarmup.com\/blog\/wp-content\/uploads\/2025\/05\/Group-42350.png","width":400,"height":271,"caption":"Email WarmUp"},"image":{"@id":"https:\/\/emailwarmup.com\/blog\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/emailwarmup.com\/blog\/#\/schema\/person\/fb2aa8d9a54b3d4d28e96de4d49361a5","name":"Daniyal Dehleh","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/emailwarmup.com\/blog\/#\/schema\/person\/image\/","url":"https:\/\/emailwarmup.com\/blog\/wp-content\/uploads\/2025\/05\/image-2.png","contentUrl":"https:\/\/emailwarmup.com\/blog\/wp-content\/uploads\/2025\/05\/image-2.png","caption":"Daniyal Dehleh"},"description":"Daniyal is an award-winning email marketing and deliverability consultant trusted by global brands like LA Fitness, Remax, and Deel. With a proven record of boosting open rates, click-throughs, and ROI by 300% or more, he is recognized as a renowned email marketing expert. For over a decade, he has refined a top-down optimization strategy that aligns technical infrastructure, creative execution, and a tight feedback loop into a system that delivers consistent results for companies of all sizes. Now, Daniyal is pulling back the curtain to share the proven frameworks and insights he\u2019s gathered\u2014helping businesses worldwide achieve the highest possible ROI from their email programs.","url":"https:\/\/emailwarmup.com\/blog\/author\/daniyaldehleh\/"},{"@type":"Question","@id":"https:\/\/emailwarmup.com\/blog\/email-authentication\/spf-flattening\/#faq-question-1766420287777","position":1,"url":"https:\/\/emailwarmup.com\/blog\/email-authentication\/spf-flattening\/#faq-question-1766420287777","name":"What causes SPF PermError?","answerCount":1,"acceptedAnswer":{"@type":"Answer","text":"PermError occurs when SPF evaluation exceeds 10 DNS lookups, encounters a syntax error, or hits a void lookup (a domain that doesn't exist). The result is an authentication failure \u2014 receiving servers can't determine whether your sending IP is authorized.","inLanguage":"en-US"},"inLanguage":"en-US"},{"@type":"Question","@id":"https:\/\/emailwarmup.com\/blog\/email-authentication\/spf-flattening\/#faq-question-1766420295167","position":2,"url":"https:\/\/emailwarmup.com\/blog\/email-authentication\/spf-flattening\/#faq-question-1766420295167","name":"Can I have more than 10 include statements?","answerCount":1,"acceptedAnswer":{"@type":"Answer","text":"Not directly. Each include: counts as one lookup, and nested includes within those count too. If your includes total more than 10 lookups (including nesting), you need flattening, macros, or subdomain segmentation to stay compliant.","inLanguage":"en-US"},"inLanguage":"en-US"},{"@type":"Question","@id":"https:\/\/emailwarmup.com\/blog\/email-authentication\/spf-flattening\/#faq-question-1766420300384","position":3,"url":"https:\/\/emailwarmup.com\/blog\/email-authentication\/spf-flattening\/#faq-question-1766420300384","name":"How often do email providers change their IP ranges?","answerCount":1,"acceptedAnswer":{"@type":"Answer","text":"Major providers update IP ranges regularly \u2014 sometimes monthly, sometimes without notice. Google, Microsoft, and marketing platforms all manage dynamic infrastructure that evolves constantly. Any static record eventually goes stale.","inLanguage":"en-US"},"inLanguage":"en-US"},{"@type":"Question","@id":"https:\/\/emailwarmup.com\/blog\/email-authentication\/spf-flattening\/#faq-question-1766420307004","position":4,"url":"https:\/\/emailwarmup.com\/blog\/email-authentication\/spf-flattening\/#faq-question-1766420307004","name":"Is flattening required for DMARC compliance?","answerCount":1,"acceptedAnswer":{"@type":"Answer","text":"Flattening isn't required, but functioning SPF is. If your SPF exceeds the lookup limit and returns PermError, SPF-based DMARC alignment fails. Flattening (or alternatives) keeps SPF valid so it can contribute to authentication alongside <a href=\"https:\/\/emailwarmup.com\/blog\/how-to-setup-dkim\/\">DKIM<\/a>.","inLanguage":"en-US"},"inLanguage":"en-US"}]}},"uagb_featured_image_src":{"full":["https:\/\/emailwarmup.com\/blog\/wp-content\/uploads\/2025\/12\/SPF-Flattening_11zon.jpg",3448,2195,false],"thumbnail":["https:\/\/emailwarmup.com\/blog\/wp-content\/uploads\/2025\/12\/SPF-Flattening_11zon.jpg",150,95,false],"medium":["https:\/\/emailwarmup.com\/blog\/wp-content\/uploads\/2025\/12\/SPF-Flattening_11zon.jpg",300,191,false],"medium_large":["https:\/\/emailwarmup.com\/blog\/wp-content\/uploads\/2025\/12\/SPF-Flattening_11zon.jpg",768,489,false],"large":["https:\/\/emailwarmup.com\/blog\/wp-content\/uploads\/2025\/12\/SPF-Flattening_11zon.jpg",1024,652,false],"1536x1536":["https:\/\/emailwarmup.com\/blog\/wp-content\/uploads\/2025\/12\/SPF-Flattening_11zon.jpg",1536,978,false],"2048x2048":["https:\/\/emailwarmup.com\/blog\/wp-content\/uploads\/2025\/12\/SPF-Flattening_11zon.jpg",2048,1304,false],"profile_24":["https:\/\/emailwarmup.com\/blog\/wp-content\/uploads\/2025\/12\/SPF-Flattening_11zon.jpg",24,15,false],"profile_48":["https:\/\/emailwarmup.com\/blog\/wp-content\/uploads\/2025\/12\/SPF-Flattening_11zon.jpg",48,31,false],"profile_96":["https:\/\/emailwarmup.com\/blog\/wp-content\/uploads\/2025\/12\/SPF-Flattening_11zon.jpg",96,61,false],"profile_150":["https:\/\/emailwarmup.com\/blog\/wp-content\/uploads\/2025\/12\/SPF-Flattening_11zon.jpg",150,95,false],"profile_300":["https:\/\/emailwarmup.com\/blog\/wp-content\/uploads\/2025\/12\/SPF-Flattening_11zon.jpg",300,191,false]},"uagb_author_info":{"display_name":"Daniyal Dehleh","author_link":"https:\/\/emailwarmup.com\/blog\/author\/daniyaldehleh\/"},"uagb_comment_info":0,"uagb_excerpt":"SPF flattening converts domain-based mechanisms (like include:) into direct IP addresses. The technique bypasses the 10-DNS lookup limit that causes authentication failures when you use too many email services. SPF flattening helps you in many ways: The approach works \u2014 but carries significant maintenance risks that make manual flattening dangerous for most organizations. Understanding when&hellip;","_links":{"self":[{"href":"https:\/\/emailwarmup.com\/blog\/wp-json\/wp\/v2\/posts\/4573","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/emailwarmup.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/emailwarmup.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/emailwarmup.com\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/emailwarmup.com\/blog\/wp-json\/wp\/v2\/comments?post=4573"}],"version-history":[{"count":2,"href":"https:\/\/emailwarmup.com\/blog\/wp-json\/wp\/v2\/posts\/4573\/revisions"}],"predecessor-version":[{"id":5008,"href":"https:\/\/emailwarmup.com\/blog\/wp-json\/wp\/v2\/posts\/4573\/revisions\/5008"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/emailwarmup.com\/blog\/wp-json\/wp\/v2\/media\/4574"}],"wp:attachment":[{"href":"https:\/\/emailwarmup.com\/blog\/wp-json\/wp\/v2\/media?parent=4573"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/emailwarmup.com\/blog\/wp-json\/wp\/v2\/categories?post=4573"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/emailwarmup.com\/blog\/wp-json\/wp\/v2\/tags?post=4573"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}