Your SPF record triggers more than 10 DNS lookups (include, a, mx, redirect mechanisms each count as one lookup per RFC 7208 §4.6.4). Receivers that hit this limit return permerror, causing SPF to fail for all your mail. This tool resolves those mechanisms to their underlying IP addresses, producing a record with zero DNS-querying mechanisms — only ip4 and ip6 entries, which do not count toward the 10-lookup limit.
💡 Why does SPF have a 10-lookup limit?
RFC 7208 §4.6.4 limits SPF evaluation to 10 DNS queries triggered by mechanisms and modifiers. The terms that count: include, a, mx, exists (mechanisms) and redirect (modifier). Terms that do NOT count: ip4, ip6, and all. This limit exists to prevent SPF evaluation from becoming a denial-of-service vector — without it, a malicious SPF record could force a receiver to perform hundreds of recursive DNS queries per inbound message. When a receiver hits the limit, it MUST return permerror (RFC 7208 §4.6.4). Most receivers treat permerror as an SPF failure, which can cause DMARC alignment to fail and mail to be rejected or quarantined.
⏳ Solving proof-of-work challenge...
Original SPF Record
Flattened SPF Record
IP Source Attribution
Source mechanism
IPv4 addresses
IPv6 addresses
⚠️ Flattened records require maintenance
Flattened SPF records contain hardcoded IP addresses. When your email providers change their IP ranges (which happens regularly), your flattened record becomes stale — legitimate mail from new IPs will fail SPF. Mitigation options: Re-run this tool periodically (monthly recommended). Use an automated SPF management service that re-flattens on a schedule. Monitor DMARC aggregate reports for SPF failures from known providers. How to detect staleness: If your DMARC reports show SPF failures from IPs belonging to your known providers, your flattened record is likely stale.
How to publish a long SPF record
A single TXT record character-string is limited to 255 bytes (RFC 1035 §3.3.14). Records longer than this must be split into multiple strings within the same TXT record. DNS resolvers concatenate these strings automatically (RFC 7208 §3.3). Most DNS hosting providers handle this splitting automatically when you paste the full record. If yours does not, split at any whitespace boundary before the 255-byte mark. Important: Do NOT create multiple TXT records starting with v=spf1. RFC 7208 §3.2 requires exactly one SPF record per domain. Multiple records cause a permerror.