Available on: Plus, Pro, Elite
1. What This Feature Does
SPF Flattening resolves all include:, a:, mx:, and redirect= mechanisms in an SPF record down to explicit IP addresses (ip4: and ip6:), eliminating DNS lookups. RFC 7208 limits SPF records to 10 DNS lookups; exceeding this causes SPF validation to fail with a permerror result. This feature reduces the lookup count to zero by replacing all domain references with the IP addresses they resolve to.
CertaDNS provides SPF check, one-time flattening, and managed SPF configurations. Managed configurations include automatic flattening, automatic publishing to DNS, authorized sender management, and email service provider integration.
2. When You Should Use It
- Your SPF record exceeds the 10 DNS lookup limit and causes permerror validation failures.
- You use multiple third-party email services (Google Workspace, Mailchimp, SendGrid, etc.) and their combined SPF includes exceed the limit.
- You want to optimize email deliverability by reducing SPF validation time and eliminating lookup failures.
- You need to maintain a complex SPF configuration that automatically updates when email service providers change their IP ranges.
- You want to consolidate multiple include: statements into a single, compact SPF record.
3. When You Should Not Use It
- Simple SPF records: If your SPF record contains only a few IP addresses and stays well under the 10 lookup limit, flattening is unnecessary.
- No control over DNS: Managed SPF configurations require a zone imported into CertaDNS. If you cannot modify your domain's nameservers or delegate a zone, use the flattening tool to generate a record and apply it manually at your DNS provider.
- Frequent IP changes: If your email provider changes IPs daily, flattening may not keep pace. However, managed configs with auto-refresh (every 6 hours) mitigate this.
- No SPF record needed: If you do not send email from your domain, SPF is not required. See DMARC Reporting for email authentication best practices.
4. Prerequisites
- A CertaDNS account on the Plus, Pro, or Elite plan.
- A valid SPF record published at your domain (to use the check and flatten tools).
- For managed SPF configurations: a DNS zone imported and verified in CertaDNS. See Managed DNS Zones.
- For automatic publishing: the zone's nameservers must be set to CertaDNS's authoritative servers (ns1.certadns.com, ns2.certadns.com).
5. How It Works (Brief)
The SPF flattening algorithm parses your SPF record and recursively resolves all domain references to IP addresses. It starts by extracting the v=spf1 prefix and any direct ip4: and ip6: mechanisms. For each a: mechanism, it performs A record lookups. For each mx: mechanism, it resolves the MX host and then looks up the A and AAAA records for those hosts. For each include: mechanism, it fetches the included domain's SPF record and recursively flattens it. The redirect= mechanism is followed to a replacement SPF record. The algorithm respects a maximum recursion depth of 10 levels and a DNS timeout of 5.0 seconds per lookup. Circular references are detected and rejected.
The flattened result is a new SPF record containing only ip4: and ip6: mechanisms, followed by your chosen policy (~all, -all, +all, or ?all). All duplicate IPs are removed and IPs are sorted for consistency. The final record requires zero DNS lookups during validation.
For managed configurations, authorized senders (individual IPs, domains, or email service providers) are stored separately. Each sender caches its resolved IP addresses. When the SPF record is regenerated, all enabled senders' cached IPs are combined into a single flattened record. Managed configs can be set to auto-flatten (refresh IPs every 6 hours) and auto-publish (write the flattened record to your DNS zone automatically).
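The resolution, loop detection, depth limit and de-duplication described above (and the merge of cached sender IPs that Regenerate SPF performs, described later on this page), as an added Python example; it is not CertaDNS's code. DNS goes through an injected resolver callback, so it runs here against constructed records: an include chain with a nested include and a redirect, an a: host, an mx host, a two-domain include loop and an over-deep chain. The domain names and function names are assumptions, and the addresses come from the RFC 5737 and RFC 3849 documentation ranges. flatten() returns the original lookup count that the check tool reports alongside the flattened record. It goes one step beyond the page in its de-duplication: ipaddress.collapse_addresses also drops a host address that a listed network already covers. Mechanisms this example cannot pre-resolve (ptr, exists, a:/mx: with a CIDR suffix) are rejected with an error rather than silently dropped.

```python
"""Offline SPF lookup counter and flattener (added example, not CertaDNS's code). DNS goes through
resolve(name, rtype) -> list[str]; a real resolver with the documented 5-second timeout plugs in the same way."""
import ipaddress
from typing import Callable, List, Tuple

MAX_DEPTH = 10                                   # documented recursion limit
POLICIES = ("~all", "-all", "+all", "?all")
Resolver = Callable[[str, str], List[str]]

# Constructed DNS data: assumed names; addresses from the RFC 5737 / RFC 3849 documentation ranges.
FAKE_DNS = {
    ("example.com", "TXT"): ["v=spf1 ip4:192.0.2.10 include:_spf.mailer.example a:web.example.com mx -all"],
    ("example.com", "MX"): ["mail.example.com"],
    ("mail.example.com", "A"): ["203.0.113.20"],
    ("mail.example.com", "AAAA"): ["2001:db8:1::20"],          # inside 2001:db8::/32 below
    ("web.example.com", "A"): ["203.0.113.10", "192.0.2.10"],  # 192.0.2.10 duplicates the direct ip4:
    ("_spf.mailer.example", "TXT"): ["v=spf1 ip4:198.51.100.0/24 include:_spf2.mailer.example ~all"],
    ("_spf2.mailer.example", "TXT"): ["v=spf1 ip6:2001:db8::/32 redirect=_spf3.mailer.example"],
    ("_spf3.mailer.example", "TXT"): ["v=spf1 ip4:198.51.100.5 -all"],  # covered by the /24 above
    ("loop-a.example", "TXT"): ["v=spf1 include:loop-b.example -all"],
    ("loop-b.example", "TXT"): ["v=spf1 include:loop-a.example -all"],
}
for _i in range(11):   # deep0 -> ... -> deep11: deep11 would sit at depth 11, past MAX_DEPTH
    FAKE_DNS[(f"deep{_i}.example", "TXT")] = [f"v=spf1 include:deep{_i + 1}.example -all"]

def fake_resolver(name: str, rtype: str) -> List[str]:
    return FAKE_DNS.get((name, rtype), [])

class SpfError(Exception):
    """Conditions reported as errors: no record, loop, depth, unsupported syntax."""

def fetch_spf(resolver: Resolver, domain: str) -> str:
    records = [t for t in resolver(domain, "TXT") if t.split(" ", 1)[0].lower() == "v=spf1"]
    if not records:
        raise SpfError(f"No SPF record found for {domain}")
    if len(records) > 1:   # RFC 7208 section 4.5: more than one SPF record is a permerror
        raise SpfError(f"Multiple SPF records for {domain}")
    return records[0]

def split_term(term: str) -> Tuple[str, str, bool]:
    """Return (name, value, is_modifier); qualifiers (+ - ~ ?) do not affect flattening."""
    term = term[1:] if term[0] in "+-~?" else term
    if "=" in term:                                # modifier, e.g. redirect=other.example
        name, _, value = term.partition("=")
        return name.lower(), value, True
    name, _, value = term.partition(":")           # mechanism, e.g. include:other.example
    return name.lower(), value, False

def _resolve(resolver: Resolver, domain: str, depth: int, path: Tuple[str, ...]):
    """Recursively collect (ip4 networks, ip6 networks, DNS lookup count) for one domain."""
    if depth > MAX_DEPTH:
        raise SpfError(f"Max recursion depth reached at {domain}")
    if domain in path:
        raise SpfError("Circular reference detected: " + " -> ".join(path + (domain,)))
    ip4, ip6, lookups = set(), set(), 0
    for term in fetch_spf(resolver, domain).split()[1:]:   # skip the v=spf1 prefix
        name, value, is_modifier = split_term(term)
        if name == "all" or (is_modifier and name != "redirect"):
            continue                                       # exp= and unknown modifiers carry no IPs
        if name in ("ip4", "ip6"):
            (ip4 if name == "ip4" else ip6).add(ipaddress.ip_network(value, strict=False))
            continue
        lookups += 1                                       # include, redirect, a, mx cost one lookup each
        if name in ("include", "redirect"):
            sub4, sub6, sub_lookups = _resolve(resolver, value, depth + 1, path + (domain,))
            ip4, ip6, lookups = ip4 | sub4, ip6 | sub6, lookups + sub_lookups
        elif name in ("a", "mx") and "/" not in value:
            hosts = [value or domain] if name == "a" else resolver(value or domain, "MX")
            for host in hosts:
                ip4.update(ipaddress.ip_network(a) for a in resolver(host, "A"))
                ip6.update(ipaddress.ip_network(a) for a in resolver(host, "AAAA"))
        else:   # ptr, exists, and a:/mx: with CIDR suffixes are outside this example
            raise SpfError(f"Cannot flatten '{term}' in {domain}")
    return ip4, ip6, lookups

def count_lookups(resolver: Resolver, domain: str) -> int:
    return _resolve(resolver, domain, 0, ())[2]   # what the check tool reports (limit 10)

def _fmt(net) -> str:
    return str(net.network_address) if net.prefixlen == net.max_prefixlen else str(net)

def flatten(resolver: Resolver, domain: str, policy: str = "~all") -> dict:
    """Build a record holding only ip4:/ip6: terms plus the chosen policy (zero lookups)."""
    if policy not in POLICIES:
        raise SpfError(f"policy must be one of {POLICIES}")
    ip4, ip6, lookups = _resolve(resolver, domain, 0, ())
    # collapse_addresses de-duplicates, sorts, and drops entries already covered by a wider network
    v4 = [_fmt(n) for n in ipaddress.collapse_addresses(ip4)]
    v6 = [_fmt(n) for n in ipaddress.collapse_addresses(ip6)]
    record = " ".join(["v=spf1"] + [f"ip4:{a}" for a in v4] + [f"ip6:{a}" for a in v6] + [policy])
    return {"record": record, "ip4": v4, "ip6": v6, "original_lookups": lookups, "flattened_lookups": 0}

def check_record(resolver: Resolver, domain: str) -> str:
    try:                                 # '' when the domain flattens cleanly, else the error text
        flatten(resolver, domain)
        return ""
    except SpfError as exc:
        return str(exc)
```

For example.com the constructed chain costs 5 lookups before flattening (include, nested include, redirect, a, mx) and 0 after; the 192.0.2.10 that appears both directly and behind web.example.com is kept once, and 198.51.100.5 disappears into 198.51.100.0/24. The resolver is the only piece that touches the network, so the loop and depth behaviour can be tested without DNS; a production resolver should enforce the per-lookup timeout itself, since a slow include would otherwise stall the whole regeneration.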
6. How to Use It
Checking an SPF record
- Navigate to Dashboard > Email Auth > SPF.
- In the SPF Check Tool section, enter your domain name (e.g., example.com).
- Click Check SPF.
- The tool displays your current SPF record text, the DNS lookup count, and whether the record exceeds the 10 lookup limit.
- If the lookup count is red (over 10), your SPF record will fail validation. Proceed to flatten it.
Flattening an SPF record
- In the SPF Flatten Tool section, choose your input mode:
- Domain mode: Enter your domain name and the tool fetches the current SPF record automatically.
- Raw record mode: Paste the SPF record text directly (e.g., v=spf1 include:_spf.google.com ~all).
- Click Flatten SPF.
- The tool displays:
- The flattened SPF record text (ready to copy and paste into your DNS).
- Original lookup count reduced to 0.
- IPv4 and IPv6 address counts.
- List of resolved includes and their IP addresses.
- Any errors or warnings (e.g., large record, over 500 IPs).
- Copy the flattened record and manually update your DNS TXT record at your root domain or the _spf subdomain.
Creating a managed SPF configuration (Plus+)
- Navigate to Dashboard > Email Auth > SPF.
- In the SPF Config Manager section, select a zone from the zone selector dropdown, or click Import Zone if you do not have a zone yet.
- Click Create Config.
- In the Create SPF Configuration dialog:
- Select your policy: ~all (softfail, recommended), -all (fail, strict), +all (pass, permissive), or ?all (neutral).
- Optionally paste your original SPF record to import existing senders. The system will parse and flatten it automatically.
- Enable Auto-flatten to refresh sender IPs every 6 hours.
- Enable Auto-publish to write the flattened record to your DNS zone automatically.
- Click Create.
- The configuration appears in the SPF Config Manager with a sender count and DNS lookup badge (green showing 0 lookups).
Adding authorized senders (Plus+)
- Expand the SPF configuration in the SPF Config Manager by clicking the expand icon.
- Click Add Sender.
- Choose the sender type:
- IP Address (IPv4): Enter a single IPv4 address (e.g., 192.0.2.1).
- IP Address (IPv6): Enter a single IPv6 address (e.g., 2001:db8::1).
- Include Domain: Enter a domain (e.g., _spf.google.com). The system resolves and caches the IPs.
- A Record: Enter a domain to resolve via A record lookup.
- MX Record: Enter a domain to resolve via MX and subsequent A/AAAA lookups.
- Email Provider: Select from 25 pre-configured providers (Google Workspace, Microsoft 365, SendGrid, etc.). The system uses cached provider IP ranges.
- Click Add.
- The sender appears in the authorized senders list with its cached IP addresses displayed.
- Click Regenerate SPF to rebuild the flattened record with the new sender included.
Using email service providers (Plus+)
- Click Add Sender and select Email Provider as the type.
- Use the search bar to filter providers by name (e.g., "Google", "SendGrid").
- Click the provider button (e.g., Google Workspace, Mailchimp, Amazon SES).
- The provider's SPF include domain and cached IP ranges are displayed.
- Click Add Provider to add it as an authorized sender.
- Provider IPs are automatically refreshed every 12 hours.
Regenerating and publishing the SPF record (Plus+)
- After adding or removing senders, click Regenerate SPF in the SPF Config Manager.
- The system collects all enabled senders, merges their cached IPs, deduplicates, and rebuilds the flattened record.
- The updated flattened record is displayed. Copy it manually or use the Copy button.
- If auto-publish is enabled, the record is automatically written to your DNS zone as a TXT record at the root domain or _spf subdomain.
- DNS updates propagate immediately to CertaDNS's authoritative nameservers with a TTL of 300 seconds (5 minutes).
Viewing and managing configurations (Plus+)
- The SPF Config Manager lists all managed configurations grouped by zone.
- Each configuration shows:
- Zone name and policy (e.g., ~all).
- Sender count (number of authorized senders).
- DNS lookup badge (green "0 lookups" if flattened, red if over 10).
- Last flattened timestamp.
- Expand a configuration to view:
- Full flattened SPF record.
- List of authorized senders with enable/disable toggles.
- Buttons: Regenerate SPF, Copy Record, Delete Config.
7. Inputs and Settings
SPF Check Tool
| Field | Description | Constraints |
|---|---|---|
| Domain | The domain name to check (e.g., example.com). | Must be a valid domain with a published SPF record. No authentication required. |
SPF Flatten Tool
| Field | Description | Constraints |
|---|---|---|
| Mode | Domain mode or raw record mode. | In domain mode, provide domain name. In raw record mode, provide full SPF record text starting with v=spf1. |
| Domain | Domain name (domain mode only). | Must have a published SPF record. |
| SPF Record | Raw SPF record text (raw record mode only). | Must start with v=spf1. Must be valid SPF syntax. |
Managed SPF Configuration
| Field | Description | Constraints |
|---|---|---|
| Zone | The DNS zone to associate this SPF configuration with. | Must be an imported and verified zone. One SPF config per zone per user. |
| Policy | SPF policy mechanism: ~all (softfail), -all (fail), +all (pass), or ?all (neutral). | Default: ~all. Determines action when sender does not match. |
| Original Record | Optional. Paste your existing SPF record to import senders automatically. | Must start with v=spf1. Parsed and flattened on creation. |
| Auto-flatten | Enable automatic IP refresh every 6 hours. | Boolean. Default: false. Recommended for managed configs. |
| Auto-publish | Enable automatic DNS publishing when the record is regenerated. | Boolean. Default: false. Requires zone nameservers set to CertaDNS. |
Authorized Sender
| Field | Description | Constraints |
|---|---|---|
| Type | Sender type: ip4, ip6, include, a, mx, or provider. | Required. Determines how the sender value is resolved. |
| Value | IP address, domain name, or provider identifier. | Must be valid for the selected type. For ip4: valid IPv4. For ip6: valid IPv6. For include, a, mx: valid domain. For provider: select from list. |
| Enabled | Include this sender in the flattened record. | Boolean. Default: true. Disabled senders are ignored during regeneration. |
8. Outputs and Results
SPF Check Tool Results
| Output | Description |
|---|---|
| SPF Record | The full SPF record text retrieved from DNS. |
| DNS Lookup Count | Number of DNS lookups required. Red badge if over 10, green if 10 or under. |
| Character Count | Total length of the SPF record in characters. |
| Exceeds Limit | Boolean flag. True if lookup count exceeds 10. |
SPF Flatten Tool Results
| Output | Description |
|---|---|
| Flattened Record | The new SPF record with all mechanisms resolved to IPs. Includes v=spf1 prefix and policy suffix. |
| Original Lookup Count | DNS lookups in the original record. |
| Flattened Lookup Count | Always 0 after flattening. |
| IPv4 Addresses | Count and list of all IPv4 addresses resolved. |
| IPv6 Addresses | Count and list of all IPv6 addresses resolved. |
| Resolved Includes | List of included domains and the IPs they resolved to. |
| Errors | Any errors encountered during resolution (e.g., domain not found, circular reference). |
| Warnings | Advisory messages (e.g., record over 450 characters, over 500 IPs). |
Stats Grid (Flatten Tool)
- Original Lookups: The DNS lookup count before flattening.
- After Flattening: Always 0.
- IPv4 Count: Number of unique IPv4 addresses in the flattened record.
- IPv6 Count: Number of unique IPv6 addresses in the flattened record.
Managed Configuration Display
| Field | Description |
|---|---|
| Zone | The zone name associated with this config. |
| Policy | The SPF policy (e.g., ~all, -all). |
| Sender Count | Number of authorized senders. |
| DNS Lookup Badge | Green "0 lookups" if optimized, red if over 10 (should not occur in flattened configs). |
| Flattened Record | Full SPF record text ready for DNS publishing. |
| Last Flattened | Timestamp of the most recent regeneration. |
| Last Published | Timestamp of the most recent DNS publish (if auto-publish enabled). |
Authorized Sender Display
| Field | Description |
|---|---|
| Type | Sender type (ip4, ip6, include, a, mx, provider). |
| Value | The IP, domain, or provider name. |
| Cached IPv4 | List of IPv4 addresses resolved for this sender. |
| Cached IPv6 | List of IPv6 addresses resolved for this sender. |
| Enabled | Toggle. Green if enabled, gray if disabled. |
9. How to Interpret Results
Normal
- SPF check shows a lookup count of 10 or fewer and no red warning badge. Your record is compliant.
- Flattened record displays 0 lookups and a list of IP addresses. The record is optimized.
- Managed config shows a green "0 lookups" badge and all senders have cached IPs. Auto-flatten and auto-publish are functioning.
- DNS queries for your domain's SPF record return the flattened record with only ip4: and ip6: mechanisms.
Unexpected or worth investigating
- Lookup count over 10 (red badge): Your SPF record will fail validation with permerror. Email receivers may reject or soft-fail messages. Flatten immediately.
- Record over 450 characters: Warning issued. SPF records over 512 characters may be truncated or rejected by some DNS resolvers. Consider splitting to multiple records (not recommended) or reducing the number of IPs.
- Over 500 IPs in flattened record: Warning issued. The record may be very large and cause DNS response size issues. Review senders and remove unused providers.
- Circular reference detected: Error during flattening. Your SPF record includes a domain that includes your domain, creating a loop. Fix the circular dependency before flattening.
- No cached IPs for a sender: The sender failed to resolve. Check DNS for the domain or provider. Re-add the sender or regenerate the config.
- Auto-publish enabled but record not published: Verify the zone's nameservers are set to CertaDNS's authoritative servers. Check for DNS propagation delays.
Common interpretation mistakes
- Assuming flattening is permanent: Flattened records become outdated when email providers change IPs. Use managed configs with auto-flatten to keep records current.
- Confusing lookup count with IP count: The 10 lookup limit refers to DNS queries during validation, not the number of IP addresses. A flattened record with 500 IPs has 0 lookups.
- Expecting instant propagation after publish: DNS changes propagate with a 300-second TTL. Some resolvers may cache longer. Wait up to 10 minutes for full propagation.
- Ignoring warnings about large records: Records over 512 characters may fail on some DNS servers. TXT records are automatically split into multiple quoted strings, but some validators reject long records. Test thoroughly.
10. Common Issues and Explanations
"SPF configuration already exists for this zone" error
Each zone can have only one SPF configuration per user. Delete the existing configuration before creating a new one, or edit the existing configuration to add/remove senders.
"SPF management requires Plus plan or higher" error (403)
SPF Flattening is a Plus, Pro, and Elite feature. Free plan users do not have access to Email Auth features. Upgrade to Plus or higher to use SPF tools and managed configurations.
"No SPF record found for {domain}" error
The domain does not have a TXT record starting with v=spf1 published in DNS. Verify the domain name is correct and that an SPF record exists. Use the SPF check tool to confirm.
"Circular reference detected" error during flattening
Your SPF record includes a domain that includes your domain (or a chain that loops back). Example: example.com includes mail.example.com, and mail.example.com includes example.com. Remove the circular dependency before flattening.
"Max recursion depth reached" error
The SPF record includes domains nested more than 10 levels deep. This exceeds the flattening algorithm's recursion limit. Simplify the SPF record structure or contact the domain owner of deeply nested includes.
Flattened record is over 450 characters and triggers a warning
Large SPF records may approach the DNS TXT record size limit. Records over 512 characters are automatically split into multiple quoted strings (e.g., "v=spf1 ip4:..." "ip4:..."), but some email validators reject long records. Reduce the number of authorized senders or remove unused email providers to shrink the record.
Auto-publish enabled but DNS still shows old record
Verify the zone's nameservers are set to ns1.certadns.com and ns2.certadns.com. If nameservers are correct, wait for the 300-second TTL to expire. Query the authoritative nameservers directly to confirm the update: dig @ns1.certadns.com example.com TXT.
Provider IPs are outdated
Email service provider IP ranges are refreshed every 12 hours. If a provider recently updated their IPs, wait for the next auto-refresh cycle or regenerate the SPF config manually. The system will fetch fresh IPs on the next refresh.
"Zone not found or access denied" error (404)
The zone ID provided does not exist or you do not have access to it. Verify you have imported the zone and that it is verified. Check the zone list in the Managed DNS Zones page.
Regenerate does not update cached IPs for a sender
Regenerate only rebuilds the flattened record from existing cached IPs. To refresh cached IPs, enable auto-flatten and wait for the next 6-hour refresh cycle, or delete and re-add the sender to force an immediate resolution.
11. Limits and Constraints
| Constraint | Plus | Pro | Elite |
|---|---|---|---|
| SPF check tool | Yes | Yes | Yes |
| SPF flatten tool | Yes | Yes | Yes |
| Managed SPF configs | Yes | Yes | Yes |
| Auto-flatten | Yes | Yes | Yes |
| Auto-publish | Yes | Yes | Yes |
| Authorized senders | Unlimited | Unlimited | Unlimited |
| Email provider integration | Yes (25 providers) | Yes (25 providers) | Yes (25 providers) |
Free plan users do not have access to SPF Flattening or any Email Auth features.
Technical Limits
- Maximum recursion depth: 10 levels. Prevents infinite loops and excessively nested SPF records.
- DNS timeout per lookup: 5.0 seconds. Lookups that exceed this timeout are skipped with an error.
- Warning threshold for IP count: Over 500 IPs generates a warning. Large records may cause DNS response size issues.
- Warning threshold for record length: Over 450 characters generates a warning. Records over 512 characters may fail on some DNS servers.
- TXT record split at 255 characters: DNS TXT records are split into multiple quoted strings automatically when published.
- Auto-refresh interval: Every 6 hours for SPF configurations with auto-flatten enabled.
- Provider IP refresh interval: Every 12 hours for email service provider IP ranges.
- Published record TTL: 300 seconds (5 minutes).
- One SPF configuration per zone per user: Unique constraint enforced at the database level.
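The 255-character TXT string split listed above, together with the 450- and 512-character length warnings described under "Flattened record is over 450 characters", as an added Python example; it is not CertaDNS's code. The page does not say where the split falls, so this is a design choice: breaks are placed after a space so each mechanism stays whole in dig output, while join_txt shows the reassembly a verifier performs (RFC 7208 section 3.3 concatenates the strings with no separator, which is also why a single oversized token may be hard-split). LONG_RECORD is a constructed 1022-character record built from RFC 5737 test addresses; the function names are assumptions.

```python
"""TXT string splitting and length checks for long SPF records (added example, not CertaDNS's code)."""
from typing import List

TXT_STRING_LIMIT = 255   # RFC 1035 character-string limit; the documented split point
RECORD_WARN_CHARS = 450  # documented warning threshold
RECORD_RISK_CHARS = 512  # documented "may fail on some DNS servers" threshold

# Constructed record: 60 addresses from the RFC 5737 test range, 1022 characters in total.
LONG_RECORD = "v=spf1 " + " ".join(f"ip4:203.0.113.{i}" for i in range(1, 61)) + " -all"

def split_txt(record: str, limit: int = TXT_STRING_LIMIT) -> List[str]:
    """Split a record into character-strings of at most `limit` characters.

    Breaks fall after a space so each mechanism stays whole and readable in dig
    output. Verifiers concatenate the strings with no separator (RFC 7208
    section 3.3), so the space has to travel inside one of the strings; a
    single token longer than `limit` is hard-split, which that rule also allows.
    """
    tokens = record.split(" ")
    chunks, current = [], ""
    for i, token in enumerate(tokens):
        piece = token + (" " if i < len(tokens) - 1 else "")
        while len(piece) > limit:                  # oversized token: flush, then hard-split
            if current:
                chunks.append(current)
                current = ""
            chunks.append(piece[:limit])
            piece = piece[limit:]
        if len(current) + len(piece) > limit:      # piece would overflow: start a new string
            chunks.append(current)
            current = ""
        current += piece
    if current:
        chunks.append(current)
    return chunks

def join_txt(strings: List[str]) -> str:
    """What an SPF verifier does with a multi-string TXT RR: plain concatenation."""
    return "".join(strings)

def txt_rdata(record: str) -> str:
    """Zone-file presentation of the split record, each string double-quoted."""
    return " ".join(f'"{s}"' for s in split_txt(record))

def length_warnings(record: str) -> List[str]:
    """Advisory messages matching the documented 450- and 512-character thresholds."""
    out = []
    if len(record) > RECORD_RISK_CHARS:
        out.append(f"{len(record)} characters: over {RECORD_RISK_CHARS}, may fail on some DNS servers")
    elif len(record) > RECORD_WARN_CHARS:
        out.append(f"{len(record)} characters: over {RECORD_WARN_CHARS}, approaching the TXT size limit")
    return out
```

On LONG_RECORD the split yields five strings of 253, 255, 255, 255 and 4 characters, and joining them gives the original text back; a record that already fits in one string is returned unchanged. Running the joined result through an SPF check after publishing is the practical confirmation that the splitting did not alter any mechanism.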
12. Related Features
- Managed DNS Zones — Required to create managed SPF configurations. Import and verify your domain to enable auto-publishing.
- DKIM Key Management — Another email authentication mechanism that works alongside SPF. Use both for best deliverability.
- DMARC Reporting — Monitors SPF pass/fail rates and provides aggregate reports on email authentication status.
- DNS Record Management — SPF records are TXT records. Use this feature to manually create or edit SPF records in your zone.
13. Updates and Behavior Changes
- Email service provider list expanded to 25 providers. Previously supported 10 providers.
- Auto-refresh interval for SPF configurations reduced from 12 hours to 6 hours to improve IP freshness.
- Provider IP refresh interval remains at 12 hours but now includes retry logic for failed lookups.
- TXT record splitting for long SPF records added to support records over 255 characters. Previously, records over 255 characters were truncated.
- Circular reference detection added to flattening algorithm to prevent infinite loops during recursive resolution.