SPF Flattening is BAD!

That’s right, I said it, and I’ll say it again. You can quote me on this, “SPF Flattening is BAD!”  To understand why SPF flattening is bad, we must first ask what is SPF Flattening?  SPF Flattening is the practice of replacing dynamic references embedded in your SPF record, such as those introduced using the include mechanism, with an expanded list of static IP references.  At this moment, I like to picture Cookie Monster saying, “Dynamic GOOOOOD.  Static BAAAAAAD.” 

This leads to a second question, why on earth would anyone want to use SPF Flattening? SPF imposes what’s known as the 10 Lookup Limit.  This limit is well defined in the SPF RFC, yet we see it is often exceeded.  Exceeding the 10 Lookup Limit results in SPF authentication errors that reveal themselves as permerror in your DMARC reports.  You can read more about these errors and associated risks in my blog post Top 5 SPF Configuration Errors.  SPF flattening is sometimes considered a solution for working around the SPF 10 Lookup limit, and I am here to tell you SPF Flattening is BAD!  

So, why is SPF Flattening so bad?  Let’s explore! 

Static vs. Dynamic

“Dynamic GOOOOOD.  Static BAAAAAAD.”  Everyone who has worked in IT understands this.  Static values are brittle, incur overhead to maintain, and increase operational risk.  This is especially true when we are dealing with SPF records managed by third parties who are unlikely to notify your organization of SPF record changes.  The static record you published today may be invalid tomorrow, exposing you to two scenarios: 

  1. Newly introduced IP ranges may not be authorized by your SPF record.
    This means your otherwise authorized emails may fail SPF authentication. Depending on your DMARC policies those emails may land in SPAM, be quarantined, or be rejected.
  2. Recently removed IP ranges no longer authorized by a third-party reference may continue to be authorized in your SPF record.
    This may result in fraudulent emails being sent from your domain, and preventing that is the primary driver for maintaining proper SPF and DKIM configurations with strong DMARC policies.

We’ve seen this first-hand: an entire /16 network was authorized in a static record but was no longer used by the third-party provider who originally required it.
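The two drift scenarios above can be checked mechanically. The following Python sketch is an added example, not code from this post or from any product it mentions: it compares the ranges in a flattened record against what a provider's include resolves to today. The domain names, the records in ZONE, and the lookup_txt stand-in are constructed for illustration, and it assumes the records use only ip4, ip6, include and redirect.

```python
import ipaddress

# Constructed sample data (RFC 5737 documentation ranges), not real records.
ZONE = {
    # Flattened record published some time ago from the provider's old ranges.
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.0/24 -all",
    # What the provider's dynamic include resolves to today.
    "_spf.provider.example": "v=spf1 include:_a.provider.example ip4:203.0.113.0/25 ~all",
    "_a.provider.example": "v=spf1 ip4:192.0.2.0/24 -all",
}

def lookup_txt(name):  # hypothetical stand-in for a DNS TXT query
    return ZONE[name]

def collect_networks(domain, seen=None):
    """Follow include:/redirect= and return every pass-qualified ip4/ip6 network."""
    seen = set() if seen is None else seen
    if domain in seen:              # guard against include loops
        return set()
    seen.add(domain)
    nets = set()
    for term in lookup_txt(domain).split()[1:]:
        if term[0] in "-~?":        # only '+' (the default) authorizes a sender
            continue
        key, _, value = term.lstrip("+").replace("=", ":", 1).partition(":")
        if key.lower() in ("ip4", "ip6"):
            nets.add(ipaddress.ip_network(value, strict=False))
        elif key.lower() in ("include", "redirect"):
            nets |= collect_networks(value, seen)
    return nets

def subtract(nets, remove):
    """Address space in `nets` that no network in `remove` covers."""
    left = list(nets)
    for r in remove:
        nxt = []
        for n in left:
            if n.version != r.version or not n.overlaps(r):
                nxt.append(n)                  # untouched by r
            elif not n.subnet_of(r):           # r sits inside n: keep the rest
                nxt.extend(n.address_exclude(r))
        left = nxt
    return sorted(left, key=lambda n: (n.version, n))

def audit(flattened_domain, provider_include):
    """missing: provider ranges your record lacks; stale: ranges the provider dropped."""
    published = collect_networks(flattened_domain)
    current = collect_networks(provider_include)
    return {"missing": subtract(current, published), "stale": subtract(published, current)}
```

On the sample data, `audit("example.com", "_spf.provider.example")` reports 203.0.113.0/25 as missing (scenario 1) and 198.51.100.0/24 as stale (scenario 2). When a flattened record covers several providers, run the comparison against the union of all their current ranges.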

It’s a Band-Aid

SPF Flattening is kicking the can down the road for a growing problem. As organizations increase third-party dependencies, SPF record growth should be expected. SPF Flattening attempts to optimize the SPF record for a range of static IP Addresses; however, there are limits as to the length of SPF records. To work around this, SPF flattening services structure their own nested includes to fit the required IP Address ranges. We’ve seen some records with eight include statements. It is only a matter of time before additional senders are added and the 10 Lookup Limit is exceeded yet again. 

SPF Macro Expansion is way better than SPF flattening!

We’ve covered why SPF Flattening is so bad, but what is the alternative? Now we are asking the right question!  Enter SPF Macro Expansion.  SPF Macro Expansion uses macros as defined in the SPF RFC.  These macros act a bit like function calls, allowing the SPF request to be dynamically constructed based on sender details.  When properly structured and managed, SPF Macro Expansion offers a scalable solution to the SPF 10 Lookup Limit.

The spfXio.com Managed Email Authentication platform uses SPF Macro Expansion, allowing organizations to easily authorize a virtually unlimited number of third-party SPF senders. With customizable SPF policies on a per-sender basis and Email Address Auditing capabilities, you can tailor each record to your specific needs.  spfXio.com enables your organization to enforce strong DMARC policies, providing finer-grained control for IT departments, security professionals, and CIOs alike.

Want to learn more about SPF Macro Expansion? Schedule a spfXio.com Managed Email Authentication Demo today!