How-to

How to use SPF flattening to stay under the 10-lookup limit

SPF allows only 10 DNS lookups before it breaks. Learn how Blankitt's SPF flattening expands your include tree and produces a flattened record to keep you compliant.

2 min readLast updated 14 June 2026
Jump to section

SPF has a hard limit: an SPF record may trigger no more than 10 DNS lookups during evaluation. Exceed it and SPF returns permerror — receivers treat it as a failure, which can break DMARC alignment for mail you thought was safe. Blankitt's SPF flattening tool helps you see and solve this.

Why the 10-lookup limit bites

Each include:, a, mx, ptr, exists and redirect mechanism in your SPF record costs a lookup — and include: chains nest. A single include: for a large provider can itself pull in several more, so a record that looks short can blow the budget. Once over 10, SPF fails for everyone, everywhere.

See your real lookup tree

Open the domain on the Domains list and go to the domain detail page. The SPF flattening panel shows:

  • The recursive include tree — every nested include, expanded, so you can see exactly where your lookups are being spent.
  • A flattened version of your record with the underlying ip4/ip6 addresses resolved in place of the includes.

This makes it obvious which provider is consuming your lookup budget.

What flattening does

Flattening replaces lookup-costing mechanisms (like include:) with the actual IP ranges they resolve to. Because literal ip4/ip6 mechanisms cost zero DNS lookups, a flattened record can authorise the same senders while staying well under 10.

Before (multiple nested includes, at risk of exceeding 10 lookups):

example.com.  IN  TXT  "v=spf1 include:_spf.google.com include:sendgrid.net include:spf.protection.outlook.com ~all"

After (includes flattened to resolved IP ranges — far fewer lookups):

example.com.  IN  TXT  "v=spf1 ip4:203.0.113.0/24 ip4:198.51.100.0/22 ip6:2001:db8::/32 ~all"

Use the flattened output from the panel as the basis for your published record.

Important: flattened records can go stale

When you replace includes with fixed IPs, you take a snapshot. If a provider later changes the IP ranges behind their include:, your hard-coded list becomes wrong — some legitimate mail could start failing SPF. This is called SPF drift, and Blankitt watches for it.

Blankitt re-checks SPF automatically every day and flags drift on the domain detail page, so you know when a flattened record needs refreshing. See the separate article on SPF drift for details.

  1. Open the domain detail page and review the recursive include tree to confirm you are near or over 10 lookups.
  2. Copy the flattened record from the SPF flattening panel.
  3. Publish it as your domain's SPF TXT record at your DNS provider.
  4. Confirm legitimate senders still pass via the Offenders page.
  5. Leave the daily SPF drift check on so you are alerted if the underlying ranges change.

Tip

Only flatten providers whose ranges are stable. For fast-changing providers, keeping their include: (and trimming elsewhere) can be safer than flattening — the daily drift check is your safety net either way.

Still stuck? Email support or open the support widget in the bottom-right.