Free SPF Flattener
Enter any domain to recursively resolve all include: mechanisms to their underlying IP addresses, eliminating DNS lookup overhead and fixing "PermError: too many DNS lookups" issues.
New to SPF? Read our guide on fixing SPF lookup limits for a full explanation.
SPF flattening is not a one-time fix
The IPs resolved today may change tomorrow. Email providers like Google, Microsoft and SendGrid update their sending ranges regularly. When they do, your flattened record goes stale and legitimate emails start failing SPF. You must re-run this tool and update your DNS every time a provider changes their infrastructure.
Tired of re-flattening every month?
ShieldMarc's upcoming Dynamic SPF feature (MSP plan) keeps your SPF record automatically up to date. Just add one include:spf.shieldmarc.com and you never touch it again.
Free trial, no credit card required.
What is SPF flattening?
SPF (Sender Policy Framework) records tell receiving mail servers which IP addresses are authorised to send email on behalf of your domain. Most SPF records use include: mechanisms to reference third-party senders like Google Workspace, Microsoft 365, and SendGrid. Each include: causes a DNS lookup, and RFC 7208 limits SPF processing to 10 DNS lookups total.
SPF flattening resolves those includes at analysis time, replacing them with the actual IP addresses they expand to. The result is a flattened SPF record that contains only ip4: and ip6: entries, with no DNS lookups required at delivery time.
The SPF 10 lookup limit (PermError)
RFC 7208 §4.6.4 states that SPF evaluation must abort after 10 DNS lookups. If your record causes more than 10 lookups, receivers return a PermError, a permanent failure that tells the receiving server your SPF record is invalid. The consequence is the same as having no SPF record at all: emails may be marked as spam or rejected outright.
Common causes of exceeding the limit: using many third-party email providers (each with their own include:), chained includes (an include that itself includes other domains), and mx: and a: mechanisms that each trigger a lookup.
Why SPF flattening requires ongoing maintenance
The critical caveat with SPF flattening: it is not a one-time fix. When you flatten an SPF record, you capture the IPs that your email providers use today. Email providers routinely add, remove or rotate IP addresses (sometimes weekly) to manage delivery infrastructure, handle growth, or respond to abuse reports.
When a provider adds a new IP range that isn't in your flattened record, legitimate emails sent from that IP will fail SPF. You'll have a window where emails are being marked as spam or rejected before you realise the record is stale.
Best practice: monitor provider change announcements, set a monthly calendar reminder to re-flatten, and use our DMARC dashboard to catch SPF failures as they happen.
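The lookup count and the staleness problem described above can both be checked with a short script. This is an added example, not ShieldMarc's code: it walks a constructed set of TXT records instead of querying DNS, counts the terms charged against the 10-lookup limit, renders the flattened record, and compares a published flattened record with a fresh walk. The `ZONE` data, the domain names and the address ranges are assumptions; `a` and `mx` terms are counted but reported rather than resolved.

```python
import ipaddress
import re

# Constructed TXT data standing in for live DNS; every name and range is an example value.
ZONE = {
    "example.com": "v=spf1 include:_spf.mail.example include:send.example.net mx -all",
    "_spf.mail.example": "v=spf1 include:_nb1.mail.example include:_nb2.mail.example ~all",
    "_nb1.mail.example": "v=spf1 ip4:192.0.2.0/25 ~all",
    "_nb2.mail.example": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8:1::/48 ~all",
    "send.example.net": "v=spf1 ip4:203.0.113.16/28 a:out.example.net ~all",
}
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # terms that query DNS

def flatten(domain, zone, state=None):
    """Walk domain's SPF record; collect literal networks and count DNS-querying terms."""
    if state is None:
        state = {"nets": set(), "lookups": 0, "unresolved": [], "seen": set()}
    state["seen"].add(domain)
    for term in zone[domain].split()[1:]:
        term = term.lstrip("+-~?").lower()  # drop the qualifier; macros are not handled
        name, arg = re.match(r"([a-z0-9]+)(?:[:=](\S+))?", term).groups()
        if name in ("ip4", "ip6"):
            state["nets"].add(ipaddress.ip_network(arg, strict=False))
        elif name in LOOKUP_TERMS:
            state["lookups"] += 1
            if name in ("include", "redirect") and arg in zone and arg not in state["seen"]:
                flatten(arg, zone, state)
            else:  # a/mx/ptr/exists, or a target with no TXT data here: counted, not flattened
                state["unresolved"].append(term)
    return state

def render(nets):
    """Build the flattened record: literal ip4/ip6 terms only, in a stable order."""
    ordered = sorted(nets, key=lambda n: (n.version, int(n.network_address)))
    return "v=spf1 " + " ".join(f"ip{n.version}:{n}" for n in ordered) + " -all"

def drift(published, domain, zone):
    """Compare a published flattened record with a fresh walk of the source includes."""
    have = {ipaddress.ip_network(t.split(":", 1)[1], strict=False)
            for t in published.split() if t.startswith(("ip4:", "ip6:"))}
    want = flatten(domain, zone)["nets"]
    # missing: provider ranges the record lacks (legitimate mail fails SPF)
    # stale: ranges still authorised after the provider dropped them
    return {"missing": want - have, "stale": have - want}

if __name__ == "__main__":
    result = flatten("example.com", ZONE)
    print(result["lookups"], "of 10 lookups; not flattened:", result["unresolved"])
    print(render(result["nets"]))
```

A non-empty `missing` or `stale` set is the signal to republish the flattened record; anything listed in `unresolved` still needs its addresses resolved before the record can replace the original.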
The better solution: Dynamic SPF
The industry-standard alternative to manual flattening is a Dynamic SPF service. Instead of resolving everything to static IPs, you publish a single include like include:spf.shieldmarc.com and the service maintains the underlying IP list automatically, updating as providers change their infrastructure.
ShieldMarc's Dynamic SPF feature is coming soon to the MSP plan, and it will be included at no additional charge as part of our commitment to always ship new capabilities to top-tier customers first.
Will DMARC still pass if SPF fails?
Yes. DMARC requires only one of SPF or DKIM to align. If your DKIM is correctly configured and the signing domain aligns with your From: header, DMARC will pass even when SPF fails. That said, relying solely on DKIM is fragile. SPF provides an additional layer of protection, and some receiving systems weight SPF failures negatively even when DMARC passes.
Want the full picture?
Our Security Grade scans DMARC, SPF, SSL/TLS, DNSSEC, registration, and expiry across your primary and alternate brand domains in one click.
Frequently Asked Questions
Is SPF flattening safe?
SPF flattening is safe as a diagnostic tool, but publishing a flattened record requires ongoing maintenance. Email providers regularly change their IP ranges, so a flattened record can become stale and cause legitimate emails to fail SPF. Always re-flatten regularly or use a dynamic SPF service.
What counts as a DNS lookup in SPF?
The include:, a:, mx:, ptr:, and exists: mechanisms and the redirect= modifier each cause one DNS lookup. The ip4: and ip6: mechanisms do not count because they contain literal addresses.
Can I have more than one SPF record?
No. RFC 7208 requires exactly one SPF TXT record per domain. If multiple SPF records exist, the result is a PermError and SPF evaluation fails entirely. If you need to authorise multiple senders, combine them into a single record using include: mechanisms.
Does SPF affect my Security Grade?
Yes. SPF feeds into several Security Grade checks: having an SPF record at all, using a restrictive all-qualifier (-all or ~all), and staying within the 10 DNS lookup limit. Run the Security Grade Checker to see where your domain stands.