Why SPF Flattening Matters for Cold Email Deliverability
Your SPF record includes everything but it's failing with permerror or temperror. Here's what the 10 DNS lookup limit is, why you're hitting it, and how to fix it.
Your SPF record exists and includes all the right services, but SPF is showing PERMERROR or TEMPERROR in email headers. Or you're getting inconsistent SPF results. When you investigate, you discover your SPF record exceeds the 10 DNS lookup limit.
Why This Happens
The SPF specification limits the number of DNS lookups to 10. Each "include" mechanism in your SPF record triggers additional DNS lookups. Those includes can themselves contain includes, which add more lookups. Complex sending setups with multiple email providers, outreach tools, and transactional email services can easily exceed 10 lookups.
When the limit is exceeded, receiving servers return a PERMERROR for SPF — treated as a fail condition. Your emails lose SPF authentication, which can cause DMARC to fail, which can result in spam placement or rejection.
How to Count DNS Lookups
Each of these SPF terms counts as a DNS lookup: include, a, mx, ptr, redirect, exists (redirect is technically a modifier rather than a mechanism, but it counts the same way). The "ip4" and "ip6" mechanisms do not count because they reference IP addresses directly.
Use the SPF checker: it shows the total lookup chain and flags when you're at or above 10. At that point, you need to flatten.
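To see how nested includes add up under the counting rule above, here is an added example (not this page's SPF checker and not code from the original article) that walks a record tree and returns the worst-case lookup count plus the cost of each top-level include. The zone data, domain names and helper names are all constructed for illustration, and the walk ignores SPF's separate per-term and void-lookup limits.

```python
import re

LIMIT = 10  # SPF's cap on DNS-querying terms per evaluation
QUERYING = {"include", "a", "mx", "ptr", "exists", "redirect"}

# Constructed sample data (domain -> SPF TXT record). Every name and address
# is made up, so the walk runs offline; a real checker would query DNS.
ZONE = {
    "sender.example": "v=spf1 include:_spf.mailhost.example "
        "include:outreach.example include:txn.example a mx ip4:203.0.113.10 ~all",
    "_spf.mailhost.example": "v=spf1 include:_nb1.mailhost.example include:_nb2.mailhost.example ~all",
    "_nb1.mailhost.example": "v=spf1 ip4:198.51.100.0/26 ~all",
    "_nb2.mailhost.example": "v=spf1 ip6:2001:db8:1::/48 ~all",
    "outreach.example": "v=spf1 include:pool.outreach.example mx ~all",
    "pool.outreach.example": "v=spf1 ip4:192.0.2.0/25 ~all",
    "txn.example": "v=spf1 include:a.txn.example include:b.txn.example ~all",
    "a.txn.example": "v=spf1 ip4:192.0.2.128/26 ~all",
    "b.txn.example": "v=spf1 ip4:192.0.2.192/26 ~all",
    # Constructed flattened-style record: addresses listed directly.
    "flat.sender.example": "v=spf1 ip4:198.51.100.0/26 ip4:192.0.2.0/24 a mx ~all",
}

def parse_term(term):
    """Split one SPF term into (name, target or None), dropping the qualifier."""
    m = re.match(r"[+\-~?]?([a-z0-9]+)(?:[:=]([^/\s]+))?", term.lower())
    return (m.group(1), m.group(2)) if m else ("", None)

def count_lookups(domain, zone=ZONE, path=()):
    """Worst-case count of DNS-querying terms evaluated for domain's record."""
    if domain in path:  # include/redirect loop: stop walking
        return 0
    total = 0
    for term in zone.get(domain, "").split()[1:]:  # skip the v=spf1 tag
        name, target = parse_term(term)
        if name in QUERYING:
            total += 1  # the term itself costs one lookup
            if name in ("include", "redirect") and target:
                total += count_lookups(target, zone, path + (domain,))
    return total

def include_costs(domain, zone=ZONE):
    """Lookups consumed by each top-level include (itself plus what it nests)."""
    terms = (parse_term(t) for t in zone.get(domain, "").split()[1:])
    return {tgt: 1 + count_lookups(tgt, zone, (domain,))
            for name, tgt in terms if name == "include"}

if __name__ == "__main__":
    for d in ("sender.example", "flat.sender.example"):
        n = count_lookups(d)
        print(d, n, "over limit (PERMERROR)" if n > LIMIT else "within limit")
```

The per-include breakdown from `include_costs` shows which service is most expensive, which helps when deciding what to flatten or remove.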
What SPF Flattening Is
SPF flattening replaces "include" mechanisms with the actual IP addresses they resolve to. Instead of include:_spf.google.com (which requires multiple lookups), you list the specific IP ranges that Google uses for sending. This reduces DNS lookups because "ip4" entries don't count.
The Fix Path
Use an SPF flattening tool to resolve all your includes into IP addresses. Replace your current SPF record with the flattened version that lists IP addresses directly.
Important: SPF flattening requires ongoing maintenance. Email providers change their IP ranges periodically. If Google adds new IPs and your flattened record doesn't include them, SPF will fail for messages sent from those new IPs. You need to re-flatten regularly or use an automated flattening service that monitors for changes.
Alternative approach: Instead of flattening, reduce the number of includes. Do you really need every service listed? Remove any includes for services you no longer use. Verify the result with the SPF checker after any changes.
After fixing, run a placement test to confirm SPF now passes end-to-end.
When to Replace Instead of Repair
This is always repairable through DNS changes. SPF flattening is a configuration task, not an infrastructure problem.
Mistakes That Make This Worse
- Flattening once and never updating when email providers change their IP ranges
- Flattening incorrectly and missing IP ranges, which causes SPF failures for legitimate mail
- Using the "ptr" mechanism, which is slow, unreliable, and counts as a lookup
- Not knowing your lookup count and adding more includes over time until you exceed the limit
Run the checks first
Before replacing anything, run a free inbox placement test. You might find the issue is DNS, not the domain — and save yourself a week of unnecessary work.