
SPF Flattening Tool

Getting the “SPF too many DNS lookups” error? Your SPF record is only allowed 10 lookups, and big senders blow past that. This tool swaps those lookups for the raw IP addresses, so your record fits under the limit and your email keeps passing.

We read the domain's published SPF record and recursively resolve every include/a/mx/redirect to the IP addresses it authorizes.

SPF flattening explained in plain English

What is SPF flattening?

SPF (Sender Policy Framework) is a short line of text in your DNS (Domain Name System — the internet's address book) that lists which mail servers are allowed to send email using your domain. The catch: an SPF record is only allowed to trigger 10 DNS lookups. Every outside service you add (Google, Microsoft, your newsletter tool, your helpdesk…) eats into that budget, and big senders blow right past it. Flattening replaces those lookups with the raw IP addresses they point to, so your record stays under the limit and your email keeps passing the check.

Why it matters

Think of the 10-lookup limit as a hard ceiling. The moment your SPF record needs an eleventh lookup, mail servers that receive your email stop trusting the record entirely. They report a PermError (“permanent error”) — the technical name for the “SPF too many DNS lookups” message you may have seen in a checker or a DMARC report. From that point on, your email silently fails authentication: nothing bounces, you get no warning, but more and more of your messages quietly land in spam or get rejected. Flattening fixes this by shrinking those 10+ lookups down to zero.

How to use this tool

  1. Type your domain (for example example.com) into the box above and press Flatten SPF.
  2. The tool reads your current SPF record and follows every entry down to the actual IP addresses, then builds a single flattened record for you.
  3. Click Copy to grab the flattened record.
  4. Log in to your DNS provider (Cloudflare, GoDaddy, Route 53…), open the existing SPF TXT record, and replace its value with the flattened one. Save.
  5. Wait a few minutes for DNS to update, then re-test with the SPF Checker to confirm you are under the limit.

What the results mean

The tool shows two numbers side by side. DNS lookups before is how many lookups your current record needs — if this is red and over 10, that is the problem. DNS lookups after is the flattened result, which should read 0/10 because raw IP addresses cost no lookups at all. Below the record you will see the IP count (how many individual sending addresses were found, split into IPv4 and IPv6) and the record's character length. A single DNS record can only hold 255 characters per string, so if your flattened record is longer, the tool flags that it needs splitting — you simply break the value into multiple quoted chunks inside the same TXT record.

Read this before you flatten: it is high-maintenance

A flattened record is a frozen photo of your senders' IP addresses, taken right now. But providers like Google and Microsoft change their IPs whenever they like — without telling anyone. When they do, your frozen record goes stale: it stops recognising their new servers and your email starts failing again, silently. So flattening is not “set and forget”; you have to re-run it regularly to keep it accurate.

The better first move is almost always to clean up. Remove services you no longer use from your SPF record, and you may drop under 10 lookups without flattening at all — with nothing to maintain afterwards. Treat flattening as a last resort, and only after cleanup has not been enough. Do not let the tool talk you into more than you need.

The technical detail

SPF (Sender Policy Framework, RFC 7208) lets a domain publish the list of servers allowed to send mail on its behalf. Most records describe those senders by name — for example include:_spf.google.com, include:spf.protection.outlook.com, or mx — and each name has to be resolved with a DNS query when a receiver evaluates the record. RFC 7208 caps the number of DNS-querying mechanisms at 10. The mechanisms that count are include, a, mx, ptr, exists, and redirect, and includes count recursively, so a few third-party providers can quietly push you past the limit.

When a record exceeds 10 lookups, conformant receivers return a permerror and treat SPF as failed. That breaks SPF authentication and DMARC alignment, which can send your mail to spam. This is the “SPF too many DNS lookups” or “too many DNS lookups” error you may have seen in a checker or a DMARC report.

What flattening does

SPF flattening replaces every include, a, and mx mechanism with the literal ip4: and ip6: addresses it resolves to. The key insight is that ip4 and ip6 mechanisms cost zero DNS lookups — the receiver reads the address directly and never queries DNS. So a record that needed 12 lookups can be reduced to 0. This tool walks your full SPF graph, follows every include and redirect, resolves the A/AAAA/MX records they point to, deduplicates the result, and builds a single v=spf1 ip4:… ip6:… <qualifier>all record while preserving your original all-qualifier (such as -all or ~all).
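The walk described above, sketched as an added example (not this tool's own code). It runs against a constructed in-memory zone instead of live DNS, and assumes a/mx terms carry no CIDR suffix, no macros are used, and included mechanisms have the default pass qualifier.

```python
import ipaddress
import re

# Constructed sample zone standing in for live DNS; every name and address is made up.
TXT = {
    "example.com": "v=spf1 mx include:_spf.mailer.test include:_spf.crm.test ptr -all",
    "_spf.mailer.test": "v=spf1 ip4:192.0.2.0/24 include:_spf2.mailer.test ~all",
    "_spf2.mailer.test": "v=spf1 ip4:198.51.100.0/25 ip6:2001:db8:1::/48 ~all",
    "_spf.crm.test": "v=spf1 a:out.crm.test ip4:192.0.2.0/24 ~all",
}
MX = {"example.com": ["mx1.example.com"]}
ADDR = {"mx1.example.com": ["203.0.113.10"],
        "out.crm.test": ["203.0.113.77", "2001:db8:2::25"]}

def flatten(domain):
    """Return (flattened_record, lookups_before, warnings) for domain."""
    nets, warnings = set(), []
    state = {"lookups": 0, "all": "?all"}

    def walk(name, top, path=()):
        if name in path:  # include loop: stop instead of recursing forever
            warnings.append(f"include loop at {name}")
            return
        for term in TXT.get(name, "").split()[1:]:
            body = term.lstrip("+-~?").lower()
            key, arg = (re.split(r"[:=]", body, maxsplit=1) + [""])[:2]
            if key in ("ip4", "ip6"):  # literal address: costs no lookup
                nets.add(ipaddress.ip_network(arg, strict=False))
            elif key == "all" and top:  # keep the owner's qualifier, e.g. -all
                state["all"] = term
            elif key in ("include", "redirect"):
                state["lookups"] += 1
                walk(arg, top and key == "redirect", path + (name,))
            elif key in ("a", "mx"):  # one counted lookup per a/mx term
                state["lookups"] += 1
                host = arg or name
                for target in (MX.get(host, []) if key == "mx" else [host]):
                    nets.update(ipaddress.ip_network(ip) for ip in ADDR.get(target, []))
            elif key in ("ptr", "exists"):  # counted, but no fixed address list
                state["lookups"] += 1
                warnings.append(f"dropped {term!r} from {name}: not flattenable")

    walk(domain, True)
    parts = []
    for version in (4, 6):  # deduplicate and merge overlapping ranges per family
        same = [n for n in nets if n.version == version]
        parts += [f"ip{version}:{n}" for n in ipaddress.collapse_addresses(same)]
    return " ".join(["v=spf1", *parts, state["all"]]), state["lookups"], warnings
```

Calling `flatten("example.com")` on the sample zone returns the flattened record, the lookup count of the original record, and one warning for the dropped ptr term.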

The maintenance trade-off

Flattening is not free. A flattened record is a static snapshot of IP addresses that your providers control and rotate at will. The moment a provider adds a new sending IP, your record stops authorizing it and legitimate mail starts failing SPF; when a provider retires an IP, your record keeps trusting an address that may later belong to someone else. Vendors do not announce these changes, so a flattened record degrades silently. If you flatten, you must re-flatten on a schedule — ideally automatically — or accept slowly worsening deliverability.
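A scheduled drift check for the two failure modes above, as an added example (not part of this tool). It compares the flattened record currently published in DNS with a freshly flattened one; both sample records are constructed, and the function and key names are hypothetical.

```python
import ipaddress

def networks(record):
    """Extract the ip4:/ip6: networks from a flattened SPF record."""
    nets = []
    for term in record.split():
        mech, _, value = term.lstrip("+").partition(":")
        if mech.lower() in ("ip4", "ip6"):
            nets.append(ipaddress.ip_network(value, strict=False))
    return nets

def collapsed(nets):
    """Merge adjacent and overlapping ranges, one address family at a time."""
    out = []
    for version in (4, 6):
        out += ipaddress.collapse_addresses([n for n in nets if n.version == version])
    return out

def covered(net, pool):
    return any(net.version == p.version and net.subnet_of(p) for p in pool)

def drift(published, fresh):
    """Report ranges the provider added (missing) and ranges it retired (stale)."""
    pub, new = networks(published), networks(fresh)
    return {
        # Sender ranges the published record does not authorize: mail fails SPF.
        "missing": [str(n) for n in new if not covered(n, collapsed(pub))],
        # Ranges still trusted although the provider no longer lists them.
        "stale": [str(n) for n in pub if not covered(n, collapsed(new))],
    }

# Constructed records: the provider added 198.51.100.128/25, retired 203.0.113.77
# and now lists 192.0.2.0/24 as two /25 halves (not a real change).
PUBLISHED = "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.0/25 ip4:203.0.113.77 -all"
FRESH = ("v=spf1 ip4:192.0.2.0/25 ip4:192.0.2.128/25 "
         "ip4:198.51.100.0/25 ip4:198.51.100.128/25 -all")

if __name__ == "__main__":
    print(drift(PUBLISHED, FRESH))
```

A non-empty "missing" or "stale" list is the signal to republish; an alert on either is more useful than re-flattening blindly on a timer.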

When to flatten vs. clean up

Reach for cleanup first. Remove include: entries for services you no longer use, consolidate overlapping providers, and move high-volume senders (newsletters, ticketing, transactional mail) onto dedicated sending subdomains that each carry their own SPF record. These changes cut lookups without creating maintenance debt and are almost always the better fix. Flatten only when you have genuinely exhausted cleanup and are still hitting permerror — and treat the flattened record as something you own and must keep current. You can verify any record with the SPF Checker, build a fresh one with the SPF Generator, or read the background on the SPF learn page.

Frequently Asked Questions

What is SPF flattening?
SPF flattening is the process of replacing the include:, a, and mx mechanisms in an SPF record with the literal ip4: and ip6: addresses they ultimately resolve to. A normal SPF record points to your senders by name (for example include:_spf.google.com), and each name costs a DNS lookup to follow. A flattened record lists the resolved IP addresses directly, so a verifier does not have to chase the chain. The result is the same set of authorized senders expressed as a flat list of IPs instead of a tree of includes.
Why does SPF have a 10 DNS lookup limit?
RFC 7208 caps the number of DNS-querying mechanisms an SPF record may trigger at 10 to protect mail servers from amplification: a maliciously nested SPF record could otherwise force a receiver to perform an unbounded number of lookups. The mechanisms that count are include, a, mx, ptr, exists, and redirect — each one is a lookup, and includes count recursively. When the total exceeds 10, conformant receivers return a permerror and your SPF effectively fails, which can hurt deliverability and DMARC alignment.
Do ip4 and ip6 mechanisms count toward the 10-lookup limit?
No. ip4: and ip6: mechanisms are literal addresses, so the receiver does not perform any DNS query to evaluate them. They cost zero lookups. That is exactly why flattening works: by converting every include/a/mx into ip4/ip6 entries, a record that needed 12 lookups can be reduced to 0. The all mechanism and qualifiers also cost nothing.
What is the downside of flattening my SPF record?
A flattened record is a static snapshot. Email providers rotate their sending IP ranges regularly and without notifying you. The moment a provider adds a new IP, your flattened record stops authorizing it and legitimate mail can be marked as spoofed; when a provider retires an old IP, your record keeps authorizing an address that may later belong to someone else. So flattening trades a clean, self-updating record for one you must re-flatten on a schedule. If you stop maintaining it, deliverability silently degrades.
When should I flatten versus clean up my SPF record?
Prefer cleaning up first. Remove include: entries for services you no longer use, consolidate overlapping providers, and move high-volume senders (newsletters, ticketing, marketing) onto dedicated sending subdomains that each have their own SPF record. These changes reduce lookups without creating maintenance debt. Flatten only when you have genuinely exhausted cleanup and are still hitting permerror — and even then, automate the re-flattening so the record stays current.
What happens to ptr and exists mechanisms when flattening?
They cannot be flattened. A ptr mechanism depends on reverse DNS of the connecting IP at validation time, and exists relies on runtime macro expansion — neither resolves to a fixed list of addresses. This tool drops them and flags a warning. ptr is also deprecated by RFC 7208 and should be removed regardless. If your policy genuinely depends on exists, flattening is not appropriate for that part of your record.