DNS & Auth 6 min read

Why SPF Flattening Matters for Cold Email Deliverability

Too many DNS lookups in your SPF record causes a hard failure. Here's how SPF flattening works and when you need it.

Your SPF record exists and includes all the right services, but SPF is showing as permerror or temperror in email headers. Or you are getting inconsistent SPF results. When you investigate, you discover your SPF record exceeds the 10 DNS lookup limit.

Why the 10 DNS lookup limit matters

The SPF specification limits the number of DNS lookups to 10. Each include: mechanism in your SPF record triggers additional DNS lookups — and those includes can themselves contain includes that add more lookups. Complex sending setups with multiple email providers, outreach tools, and transactional email services can easily exceed 10 lookups.

When the limit is exceeded, receiving servers return a permerror for SPF. This is treated as a fail condition — your emails lose SPF authentication, which can cause DMARC to fail, which can result in spam placement or rejection.

How to count your DNS lookups

Each of these SPF mechanisms counts as a DNS lookup: include, a, mx, ptr, redirect, exists. The ip4 and ip6 mechanisms do not count as lookups because they reference IP addresses directly. Use the SPF checker — it counts your total lookup chain and flags if you are over the limit.

What SPF flattening is

SPF flattening replaces include: mechanisms with the actual IP addresses they resolve to. Instead of include:_spf.google.com (which requires multiple lookups), you list the specific IP ranges that Google uses for sending. This reduces DNS lookups because ip4 entries do not count.

The fix path

Option 1: Flatten using a tool

Use an SPF flattening tool to resolve all your includes into IP addresses. Replace your current SPF record with the flattened version that lists IP addresses directly. Important: SPF flattening requires ongoing maintenance. Email providers change their IP ranges periodically. If Google adds new IPs and your flattened record does not include them, SPF will fail. Re-flatten regularly or use an automated flattening service.

Option 2: Reduce the number of includes

Do you really need every service listed? Remove any includes for services you no longer actively use from your current sending setup.

Option 3: Use subdomains

Use multiple subdomains for different sending services, each with their own SPF record. This distributes the lookups across subdomains instead of concentrating them on one record.

Repair or replace?

This is always repairable through DNS changes. SPF flattening is a configuration task, not an infrastructure problem. After fixing, verify with the SPF checker and confirm authentication passes end-to-end with the placement test.

Mistakes that make this worse

  • Flattening once and never updating
  • Not monitoring whether email providers have changed their IP ranges
  • Using the "ptr" mechanism, which is slow, unreliable, and counts as a lookup
  • Not knowing your lookup count and adding more includes over time until you exceed the limit

Run the checks first

Before replacing anything, run a free inbox placement test. You might find the issue is DNS, not the domain — and save yourself a week of unnecessary work.

Free inbox placement test Check burn score

More guides

SPF, DKIM, and DMARC for Cold Email: The Simple Fix GuideHow to Check if a DNS Error Is Killing Your DeliverabilityCold Email Setup Checklist: Domain, DNS, Tracking, and Sending Health