Why flatten your SPF record?

Let’s review where we got to. Our example SPF record has come from the fact that we use Office 365 for our company email, we use MailChimp for marketing newsletters, and we use AuthSMTP for our online store.

Because each provider requires its own include statement, we have an SPF record that looks like it contains only three DNS lookups whereas it actually contains eight:

“v=spf1 include:spf.protection.outlook.com include:servers.mcsv.net include:authsmtp.com -all”

Now suddenly our business has engaged with a partner who’s going to handle all the emails related to our credit card processing, and they need to be added to our SPF record. Their SPF record is for MyPaymentCompany.com and includes two additional include statements for spf-a.mypaymentcompany.com and spf-b.mypaymentcompany.com.

That’s another three DNS lookups, so without any warning we’ve suddenly and immediately breached the limit of ten DNS lookups. We’ve got to add the SPF record because otherwise our customers won’t get their online payment receipts. But if we add the record then all of our marketing emails and our regular business emails are going to start getting flagged as spam – because the receiving email server MUST return a PermError due to our invalid record.

Getting out of a Jam

The answer here is to do something called SPF Flattening. But as we’ll see that’s actually only half the answer.

SPF Flattening means that we take each of those SPF records and resolve them to all of their individual IP addresses. We then replace the include statements with a long list of ip4 and ip6 statements, which don’t require any DNS lookups and thus don’t put us at risk of being rejected.

Taking just Office 365, our SPF record would now look like this:

v=spf1 ip4:40.92.0.0/15 ip4:40.107.0.0/16 ip4:52.100.0.0/14 ip4:104.47.0.0/17 ip6:2a01:111:f400::/48 ip6:2a01:111:f403::/48 ip4:51.4.72.0/24 ip4:51.5.72.0/24 ip4:51.5.80.0/27 ip4:51.4.80.0/27 ip6:2a01:4180:4051:0800::/64 ip6:2a01:4180:4050:0800::/64 ip6:2a01:4180:4051:0400::/64 ip6:2a01:4180:4050:0400::/64 -all

That might not look great to you and me, but it looks just fine to an email server!

If we repeat this process for the MailChimp record, the AuthSMTP record and the Credit Card company’s record then suddenly we have a super long SPF record, but it’s filled with nice clean ip4 and ip6 statements, and no DNS-heavy include statements:

“v=spf1 ip4:40.92.0.0/15 ip4:40.107.0.0/16 ip4:52.100.0.0/14 ip4:104.47.0.0/17 ip6:2a01:111:f400::/48 ip6:2a01:111:f403::/48 ip4:51.4.72.0/24 ip4:51.5.72.0/24 ip4:51.5.80.0/27 ip4:51.4.80.0/27 ip6:2a01:4180:4051:0800::/64 ip6:2a01:4180:4050:0800::/64 ip6:2a01:4180:4051:0400::/64 ip6:2a01:4180:4050:0400::/64 ip4:205.201.128.0/20 ip4:198.2.128.0/18 ip4:198.2.128.0/24 ip4:198.2.132.0/22 ip4:198.2.136.0/23 ip4:198.2.145.0/24 ip4:198.2.186.0/23 ip4:205.201.131.128/25 ip4:205.201.134.128/25 ip4:205.201.136.0/23 ip4:205.201.139.0/24 ip4:198.2.177.0/24 ip4:198.2.178.0/23 ip4:198.2.180.0/24 ip4:62.13.128.0/24 ip4:62.13.129.128/25 ip4:62.13.136.0/22 ip4:62.13.140.0/22 ip4:62.13.144.0/22 ip4:62.13.148.0/23 ip4:62.13.150.0/23 ip4:62.13.152.0/23 ip4:72.52.72.32/28 -all”

So why is this only half the answer?

Well, the reason Microsoft wants you to include spf.protection.outlook.com (which additionally references spfd.protection.outlook.com) is that they need to change these IP addresses from time to time. They’ll upgrade their infrastructure, change internet service providers, change their routing, any of which could result in emails leaving the Office 365 cloud from a different IP address. They can’t contact each Office 365 customer to tell them to change their SPF IP addresses every time that happens, which is why they ask you to use an include statement that references a DNS record over which they have complete control.

So if you flatten spf.protection.outlook.com today and then look again in six months’ time, I can guarantee it won’t be the same. That’s a problem because if your Office 365 emails are going out from one of Microsoft’s new IP addresses then your customer’s receiving email server is going to treat them as spam. Suddenly all of your business emails are now going to your customers’ spam folders.
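To make both halves of the argument concrete (the lookup count that breaches the limit of ten, the flattening itself, and the drift that makes a one-off flattening go stale), here is a small flattener written for this article; it is an added example and not proSPF’s code. It runs offline against a constructed DNS table: the domains are the ones named above, but the sub-include names and all ranges except the two Office 365 ones quoted earlier are invented (RFC 5737 documentation space), chosen so the lookup counts match the article rather than real DNS.

```python
from typing import Callable, Dict, List, Set, Tuple

LOOKUP_LIMIT = 10  # RFC 7208 s4.6.4: more than 10 DNS-querying mechanisms -> permerror

# Constructed stand-in for DNS (domain -> SPF TXT). Only the two Office 365 ranges come
# from the article; the sub-include names and every other range are invented (RFC 5737).
FAKE_DNS: Dict[str, str] = {
    "spf.protection.outlook.com": "v=spf1 ip4:40.92.0.0/15 include:spfd.protection.outlook.com -all",
    "spfd.protection.outlook.com": "v=spf1 ip4:40.107.0.0/16 ip6:2a01:111:f400::/48 -all",
    "servers.mcsv.net": "v=spf1 include:a.mcsv.example include:b.mcsv.example ?all",
    "a.mcsv.example": "v=spf1 ip4:192.0.2.0/25 ?all",
    "b.mcsv.example": "v=spf1 ip4:192.0.2.128/25 ?all",
    "authsmtp.com": "v=spf1 include:a.authsmtp.example include:b.authsmtp.example ~all",
    "a.authsmtp.example": "v=spf1 ip4:198.51.100.0/25 ~all",
    "b.authsmtp.example": "v=spf1 ip4:198.51.100.128/25 ~all",
    "mypaymentcompany.com": "v=spf1 include:spf-a.mypaymentcompany.com include:spf-b.mypaymentcompany.com -all",
    "spf-a.mypaymentcompany.com": "v=spf1 ip4:203.0.113.0/25 -all",
    "spf-b.mypaymentcompany.com": "v=spf1 ip4:203.0.113.128/25 -all",
}
ORIGINAL = "v=spf1 include:spf.protection.outlook.com include:servers.mcsv.net include:authsmtp.com -all"
WITH_PAYMENTS = ORIGINAL.replace(" -all", " include:mypaymentcompany.com -all")


def flatten(record: str, resolve: Callable[[str], str]) -> Tuple[List[str], int]:
    """Return (ip4/ip6 terms reachable through include:, number of DNS-querying terms)."""
    ip_terms: List[str] = []
    lookups = 0
    for term in record.split()[1:]:  # skip the v=spf1 version tag
        mech = term.lstrip("+-~?")  # the qualifier does not affect the lookup count
        name = mech.split(":")[0].split("/")[0]
        if name == "include":
            sub_terms, sub_lookups = flatten(resolve(mech[len("include:"):]), resolve)
            ip_terms.extend(sub_terms)
            lookups += 1 + sub_lookups  # the include itself plus everything it pulls in
        elif name in ("ip4", "ip6"):
            ip_terms.append(mech)  # positive match; a -ip4 inside an include is not handled here
        elif name in ("a", "mx", "ptr", "exists") or mech.startswith("redirect="):
            lookups += 1  # also counted against the limit; a real flattener must resolve these too
    return ip_terms, lookups  # "all" and modifiers such as exp= are neither lookups nor addresses


def build_flat_record(record: str, resolve: Callable[[str], str]) -> Tuple[str, int]:
    """Flattened record (deduplicated, trailing all term kept) plus the original's lookup count."""
    ip_terms, lookups = flatten(record, resolve)
    return " ".join(["v=spf1", *dict.fromkeys(ip_terms), record.split()[-1]]), lookups


def drift(old_flat: str, new_flat: str) -> Tuple[Set[str], Set[str]]:
    """(added, removed) IP terms between two flattenings; anything non-empty means republish."""
    old, new = set(old_flat.split()[1:-1]), set(new_flat.split()[1:-1])
    return new - old, old - new
```

Running `drift` on a fresh flattening against the published one is the check that a one-off flattening lacks: the moment a provider adds a range, the new record differs and must be republished before mail from that range starts failing.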

Hence – automated SPF Flattening from proSPF. Read on to find out more.