Free tool · Email auth
SPF flattener
Resolve nested SPF include: directives recursively. Returns a flat record with ip4: / ip6: entries only - 0 DNS lookups, always validates within RFC 7208's 10-lookup cap. No signup.
What this tool checks
We resolve every include: directive in your SPF record recursively, walking nested includes until we reach the leaf ip4: / ip6: entries. Then we return a flat record with all the IP ranges inlined - zero DNS lookups required at receive time, and guaranteed to stay under the RFC 7208 10-lookup cap.
We deduplicate IP ranges across includes (Microsoft 365 and SendGrid both ship overlapping ranges in some configurations) and surface the count so you know how compact the result is. Most flattened records land between 200 and 400 bytes - well under the 512-byte SPF practical limit.
We also report the per-include lookup cost BEFORE flattening, so you can see exactly which includes are eating your budget. Common offenders: _spf.google.com (4 lookups when nested), spf.protection.outlook.com (3), sendgrid.net (2-3), mailgun.org (2).
How to read the results
When to flatten:
- Your SPF check fails with "PermError: too many DNS lookups".
- Recipients silently quarantine your mail with
spf=permerrorin the Authentication-Results header. - You added a new vendor (e.g. SendGrid, Mailgun, Customer.io) and want to know how many lookups they'll cost before committing.
Trade-offs: A flattened record stops following upstream changes. When SendGrid rotates their sending IPs your record won't pick it up automatically. You either re-flatten on a schedule or you live with the 10-lookup limit and rely on subdomain delegation. Wiredepth Pro monitors flattened records continuously and alerts when an upstream source changes its IPs.