Automatic Flattening
What is SPF?
Sender Policy Framework (SPF) is an email authentication protocol that helps in protecting your email domain from being spoofed. However, the SPF specification has a limit of up to 10 DNS lookups to resolve an SPF record fully. As a single email delivery service can use more than one DNS lookups, combining these services can quickly result in the limit being exceeded. For instance, outlook.com uses 8/10 records, gmail.com uses 4/10, Office 365 uses 2/10 and other web hosting providers keep adding additional records, quickly exceeding the imposed limit.
Problems Caused by SPF Errors
The biggest challenge you can face is that you will not even know when you have exceeded your SPF limit. Once you go over your DNS lookup limit, the domain validation or authentication may break, allowing threat actors to spoof or misuse your domain. This means that once the limit has been exceeded, every email that requires a DNS lookup won't achieve the complete result. You may even have many emails that fail to deliver without giving you any warning.
How to Overcome These Problems?
SPF flattening offers the most effective solution to the problems caused by the SPF lookup limit. Flattening refers to the replacement of all the domains in your SPF record with their respective IP addresses. Doing this waives the need for DNS lookups. However, there are several shortcomings associated with "manual" flattening. Email service providers may modify their IP addresses without notifying you, making your SPF record inaccurate. This can lead to various email delivery problems. To rectify this issue, you will have to monitor your service providers constantly and keep an eye out for these changes.
How can Automatic SPF Flattening Help?
KDMARC’s Automatic Flattening feature automatically flattens your SPF record, eliminating any effort on your part. You can simply opt for the Automatic Flattening on the KDMARC dashboard for always returning public DNS queries with a flattened SPF record. It also keeps it updated with modified IPs periodically.
How to Opt for Automatic Flattening on KDMARC?
To opt for the Automatic Flattening feature on KDMARC, follow these simple steps:
Step 2: Select Automatic Flattening.
So, avail KDMARC’s automatic flattening feature for hassle-free monitoring and updating your domain’s SPF record.
The way SPF works, once you exceed your DNS lookup limit, things start to break. The domain authentication or validation may break, or people may be able to spoof your domain for phishing. This means every email that needs a DNS lookup after that won't get the complete result. And since SPF comes with no error handling, you'll just have a bunch of emails that don't get delivered without any obvious warning, unless you know to look for it
Related Articles
Automatic Subdomain Discovery
KDMARC offers the Automatic Subdomain Discovery feature that analyzes the entire outbound email channel of your domain and automatically lists down all of its subdomains. You can then apply filters on specific subdomains to see the data specifically ...SMART SPF is not working
SMART SPF is designed to pick up all your previous SPF records of your domain that have been reflected over your DNS. The aim is to aid in managing your SPF without going to the DNS server. Your SMART SPF might not work due to multiple reasons. Some ...My classification is not working properly
My classification is not working properly The classification option allows a user to distinguish between threat, authorized and unclassified sources. Besides that, the option helps in establishing a better understanding of each domain. When you ...DKIM Setup for Amazon SES
When you set up Easy DKIM for an identity, Amazon SES automatically adds a 1024-bit DKIM key to every email that you send from that identity. You can configure Easy DKIM by using the Amazon SES console, or by using the API. When you successfully ...How is CNAME record different from a basic DMARC record?
In a basic DMARC record, if you need to change any policy you need to go back to the DNS. In a CNAME record, the record can be changed automatically from the KDMARC dashboard.