SPF record flattening

The problem of SPF record flattening and the solution that OnDMARC offers.

Written by Ivan Kovachev
Updated over a week ago

Problem
One of the limitations that SPF introduced is the 10 DNS lookup limit.
The issue is that a customer might be using a number of different mail service providers, each one offering an include mechanism that needs to be added in DNS in order to authenticate emails using SPF. This can easily breach the 10 DNS lookup limit imposed by SPF, because each include statement counts towards the limit and each include might have other includes within it. Going over the limit might lead to email loss, as some receiving MTAs may give up once the limit is reached.

Workaround
One of the solutions, or rather a workaround, is that those include statements can be broken down, or statically flattened. This simply means that instead of the include statements themselves, the IP addresses behind them are placed directly in the SPF record. However, this has its own limitation: IP addresses often change, and without those include statements (which take care of IP address changes) your SPF record might become outdated, which can again lead to email loss.
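
The following Python is an added example, not code from OnDMARC or the original article. It counts the DNS-querying terms behind a record as described under Problem (worst case, with every term evaluated), then builds the statically flattened record described under Workaround and reports what that snapshot misses once a provider changes its ranges. The zone, the provider names under .test and the IP ranges are constructed, and the helper names (`terms`, `walk`, `flatten`, `missing_from_snapshot`) are assumptions.

```python
import re

LIMIT = 10  # RFC 7208 section 4.6.4: max DNS-querying terms per SPF evaluation
QUERYING = {"include", "a", "mx", "ptr", "exists"}  # mechanisms that cost a lookup

# Constructed zone (TXT records by name); providers and IP ranges are placeholders.
ZONE = {
    "example.test": "v=spf1 include:spf.a.test include:spf.b.test "
                    "include:spf.crm.test include:spf.desk.test -all",
    "spf.a.test": "v=spf1 include:n1.a.test include:n2.a.test include:n3.a.test ~all",
    "n1.a.test": "v=spf1 ip4:192.0.2.0/26 ~all",
    "n2.a.test": "v=spf1 ip4:192.0.2.64/26 ~all",
    "n3.a.test": "v=spf1 ip6:2001:db8:a::/48 ~all",
    "spf.b.test": "v=spf1 include:n1.b.test include:n2.b.test ~all",
    "n1.b.test": "v=spf1 ip4:198.51.100.0/25 ~all",
    "n2.b.test": "v=spf1 ip4:198.51.100.128/25 ~all",
    "spf.crm.test": "v=spf1 include:n1.crm.test include:n2.crm.test ~all",
    "n1.crm.test": "v=spf1 ip4:203.0.113.0/28 ~all",
    "n2.crm.test": "v=spf1 ip4:203.0.113.16/28 ~all",
    "spf.desk.test": "v=spf1 ip4:203.0.113.64/28 ~all",
}

def terms(record):
    """Yield (name, arg) for each term after the version tag, qualifier stripped."""
    for raw in record.split()[1:]:
        name, arg = (re.split(r"[:=/]", raw.lstrip("+-~?"), maxsplit=1) + [""])[:2]
        yield name.lower(), arg

def walk(domain, zone, path=()):
    """Return (lookups, ips): worst-case DNS-querying terms, reachable ip4/ip6 terms."""
    if domain in path:
        raise ValueError(f"include loop via {domain}")
    lookups, ips = 0, []
    for name, arg in terms(zone[domain]):
        if name in QUERYING or name == "redirect":
            lookups += 1
        if name in ("include", "redirect"):
            n, sub = walk(arg, zone, path + (domain,))
            lookups, ips = lookups + n, ips + sub
        elif name in ("ip4", "ip6"):
            ips.append(f"{name}:{arg}")
    return lookups, ips

def flatten(domain, zone):
    """Static snapshot: includes replaced by the IPs behind them (sample keeps -all)."""
    return "v=spf1 " + " ".join(walk(domain, zone)[1]) + " -all"

def missing_from_snapshot(snapshot, domain, zone):
    """IP terms the live includes authorize now but the flattened snapshot lacks."""
    return [ip for ip in walk(domain, zone)[1] if ip not in snapshot.split()]
```

On the constructed zone the four top-level includes expand to 11 DNS-querying terms, one over `LIMIT`; the flattened record needs none, but it is frozen at the moment it was generated.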

The Real Solution
OnDMARC provides a solution to the above problem by introducing a feature called Dynamic SPF. This feature allows you to have more than the normally available number of authorized services using the SPF authentication mechanism. We give you a record that replaces all your mechanisms with a single include that dynamically combines all your authorized services correctly at the point of query. This prevents your authorized traffic from failing SPF validation.
