SPF Flattening
Made Simple

SPF records break at 10 DNS lookups. Add a few providers and you're already over. Managed SPF flattens your record to one include — and keeps it there.

Also known as SPF compression or SPF record optimization.

Check your SPF record

spf-flatten --domain example.com

$ dig TXT example.com
v=spf1 include:_spf.google.com include:spf.protection.outlook.com include:_spf.salesforce.com include:sendgrid.net include:servers.mcsv.net ~all
12 lookups--PermError: too many DNS lookups
after managed spf
$ dig TXT example.com
v=spf1 include:spf.mxio.io ~all
1 lookup--all IPs resolved, record valid

How Close Are You to the Limit?

Enter your domain. We'll count every DNS lookup in your SPF record.

Why SPF Records Break

RFC 7208 imposes a hard limit. Most businesses hit it without realizing.

Lookup Limit

SPF allows only 10 DNS lookups — across includes, redirects, and nested records. Exceed it and receivers return PermError.

550

PermError

Two Bad Outcomes

Providers reject your email outright with a 550 bounce, or silently ignore your SPF — weakening DMARC.

IPs Change

Providers Update

Email providers change their IP ranges regularly — a flattened record goes stale within days.

smtp-response

Microsoft 365:
550 5.7.23 The message was rejected because of Sender Policy Framework violation → SPF check for your-domain.com returned PermError
Google Workspace:
550-5.7.26 This mail has been blocked because the sender is unauthenticated. Gmail requires all senders to authenticate with either SPF or DKIM.
Generic SMTP:
spf=permerror — SPF result ignored, falling back to DKIM only. DMARC alignment weakened.

Real error messages from major email providers when SPF exceeds the 10-lookup limit.

How Managed SPF Works

Three steps. No ongoing maintenance.

You publish one include

Replace your complex record with a single include.

DNS TXT record

v=spf1 include:spf.mxio.io ~all

We flatten and publish

All your providers' includes are resolved to IP addresses and merged into a single flat record.

flatten-worker

resolving 5 includes...
_spf.google.com → 4 ip4 ranges
spf.protection.outlook.com → 2 ip4 ranges
_spf.salesforce.com → 3 ip4 ranges
sendgrid.net → 1 ip4 range
servers.mcsv.net → 2 ip4 ranges
published — 0 lookups, 12 IPs

We keep it updated

We continuously poll your providers for IP changes and republish automatically. From every 6 hours up to every 5 minutes depending on your plan.

monitoring

[14:30] poll cycle started
[14:30] checking 5 providers...
[14:31] change detected: _spf.google.com +1 IP
[14:31] record updated, published to Cloudflare
[14:31] next poll in 60m

Fix SPF Errors & Lookup Limits

Instant repair: PermError and lookup limit violations resolve the moment you connect. No manual DNS editing.
Deliverability: Eliminate 550 bounces from SPF failures. Your emails pass authentication at every major provider.
DMARC alignment: A valid SPF record means SPF alignment works for DMARC. No silent fallbacks, no weakened authentication.
Zero maintenance: Point one DNS record at us. We handle the flattening, the monitoring, and the updates.

Check your SPF record Build an SPF record

These Services Add Lookups to Your SPF

Every include: costs DNS lookups. Most businesses use 3–5 of these.

lookups from just 5 providers — already over the limit.

Before and After

One DNS include replaces the sprawl.

Before12 lookups

v=spf1
include:_spf.google.com
include:spf.protection.outlook.com
include:_spf.salesforce.com
include:sendgrid.net
include:servers.mcsv.net
~allPermError — exceeds 10-lookup limit

After1 lookup

v=spf1
include:spf.mxio.io
~allValid — all IPs resolved into a single flat record

Pricing

Managed SPF is included on:

Pro$59/mo

Business$129/mo

Basic plan add-on: $15/domain/mo. Start free — check and monitor your SPF for $0.

See full pricing on mxio.io

Stop managing SPF records manually.

One DNS change. No more lookup limits, no more PermError bounces, no more chasing provider IP changes.

Get Started on mxio.io

SPF FlatteningMade Simple