📋 Include Resolver · IP Extractor · Lookup Counter · Flat Record Builder

SPF Flattening Tool

Free SPF flattening tool. Recursively resolve all SPF include chains to explicit IP addresses, eliminate the RFC 7208 10-lookup limit, and get a copy-ready flattened SPF record for your DNS. Visualise the full include tree, check your current lookup count, and fix PermError failures in seconds. Uses Cloudflare DoH with Google DoH fallback. No signup required.

✓ Recursive include resolution✓ 10-lookup limit check✓ Include tree visualisation✓ Copy-ready flat record✓ -all / ~all / ?all policy

Domain or Email Address

Policy Qualifier

Recursively resolves all include: and redirect= mechanisms via Cloudflare DoH (Google DoH fallback). Deep include chains may take 5-15 seconds.

What this tool does

Free SPF flattening tool: resolve SPF include chains, fix the 10-lookup PermError, and optimise SPF records for email deliverability

How this SPF record flattener works, what the DNS lookup limit means, and when you need SPF flattening to fix email authentication failures

This free SPF flattening tool performs a complete recursive resolution of your domain's SPF record, following every include: and redirect= mechanism through all levels of nesting until all IP addresses authorised to send email on your behalf are collected. The resolution uses Cloudflare DNS over HTTPS as the primary resolver with automatic fallback to Google DNS over HTTPS. Both are globally distributed, privacy-respecting resolvers that return live DNS data. The tool resolves up to 6 levels of include chain depth, handles ip4:, ip6:, include:, redirect=, a:, and mx: mechanisms, deduplicates all resolved IPs, and builds the output record using only explicit ip4: and ip6: entries plus your chosen policy qualifier (-all, ~all, or ?all). The result is a single-line DNS TXT record that can be directly published as your domain's SPF record, requiring exactly one DNS lookup to evaluate instead of the potentially dozens required by a nested include chain.

The 10-lookup limit is defined in RFC 7208 as a hard ceiling on the number of DNS queries that may be triggered during SPF record evaluation. Each include:, a:, mx:, ptr:, exists:, and redirect= mechanism counts toward this limit. When a receiving mail server encounters more than 10 such mechanisms while evaluating your SPF record, it immediately returns a PermError status. Under a DMARC policy of p=quarantine or p=reject, this PermError is treated as an authentication failure. Meaning legitimate email from your domain is filtered to spam or rejected outright, not because it came from an unauthorised server, but purely because your SPF record is too deeply nested. This is a surprisingly common cause of enterprise email deliverability failures, particularly for organisations using five or more email service providers simultaneously.

The include tree visualisation tab shows the full recursive structure of your SPF record as a collapsible tree, with each node showing the domain, its SPF record, and how many IP addresses it contributes. This makes it immediately clear which providers are the largest contributors to your lookup count. The All IPs tab lists every resolved IPv4 and IPv6 range. The Flat Record tab shows the complete ready-to-publish SPF record with a one-click copy button. A critical maintenance note: the flattened record captures a snapshot of your providers' IP ranges at the moment of flattening. Major ESPs including Google, SendGrid, and Mailchimp regularly rotate their IP infrastructure, so a flattened record requires re-running this tool and updating your DNS every 60-90 days to avoid authorisation gaps. You can use the SPF Record Checker at any time to verify your published record is still valid and within the lookup limit.

Features and checks

Recursive Resolution

Follows include: and redirect= chains up to 6 levels deep, resolving every nested SPF record until all IPs are collected.

Cloudflare DoH

All DNS queries use Cloudflare DNS over HTTPS for low-latency, privacy-preserving, live resolution without caching delays.

Google DoH Fallback

If Cloudflare DoH is unreachable, queries automatically retry via Google Public DNS over HTTPS for high availability.

Lookup Count Check

Counts DNS-resolving mechanisms in your original record and colour-codes the result: green (safe), amber (approaching), red (exceeded).

PermError Detection

Immediately flags records with more than 10 lookups with a PermError warning and explains the deliverability impact.

IP Deduplication

All IPv4 and IPv6 ranges resolved across the full include tree are deduplicated before the flat record is built.

Policy Selector

Choose -all (hard fail), ~all (soft fail), or ?all (neutral) for the all qualifier appended to the flattened record.

Include Tree View

Collapsible tree visualisation showing each included domain, its SPF record, and how many IPs it contributes at each level.

All IPs Tab

Lists every resolved IP range as individual chips, with IPv4 and IPv6 ranges displayed separately for easy scanning.

Copy-Ready Output

One-click copy of the complete flattened SPF record formatted for immediate use as a DNS TXT record value.

Original Record Display

Shows your current published SPF record alongside the flat output so you can compare before updating DNS.

Resolve Time

Measures and displays the total resolution time in milliseconds so you can identify slow or timing-out DNS lookups.

Why it matters

Why SPF record flattening matters for email deliverability and domain security

The 10-lookup PermError is one of the most common causes of silent email delivery failures in organisations that have grown beyond a handful of email tools. It does not announce itself with a clear error message. From the sender's perspective, the email appears to send successfully. From the recipient's perspective, it may be filtered to spam or silently discarded with no bounce. The only reliable way to detect it is through DMARC aggregate reports showing a spike in SPF failures, or by checking the raw SPF result in an email header.

The root cause is architectural. SPF was designed in a simpler era when most domains had one or two mail servers. The include: mechanism was intended as a convenience to allow domain owners to delegate SPF management to their mail providers. In practice, each provider's include: often chains to two or three more includes internally. Google's _spf.google.com alone expands into three child includes. An organisation using Google Workspace, Microsoft 365, Salesforce, HubSpot, Zendesk, SendGrid, and Mailchimp can easily accumulate 12-15 lookups before accounting for any custom server entries. RFC 7208 has never been updated to raise the limit, so flattening is the only standards-compliant fix.

Beyond the lookup limit, flattening provides a secondary benefit: resilience against upstream SPF outages. An include: mechanism is a live DNS dependency. If your ESP's SPF DNS record is temporarily unavailable when a receiving server tries to evaluate your SPF, the lookup may return a TempError, causing uncertain behaviour at the receiver. A flattened record has no external DNS dependencies; it resolves in a single lookup against your own DNS zone, which you control entirely.

For organisations advancing their DMARC policy from p=none toward p=quarantine or p=reject, fixing SPF first is critical. At p=none, a PermError is logged in aggregate reports but causes no mail loss. At p=quarantine or p=reject, that same PermError becomes a filter or rejection event for every affected message. Flattening before tightening DMARC policy eliminates this class of collateral damage entirely. It is also a prerequisite for complying with the Google and Yahoo 2024 bulk sender requirements, which mandate a valid, evaluable SPF record for senders of more than 5,000 daily messages to Gmail. A PermError does not satisfy this requirement.

Troubleshooting

Common SPF flattening problems and how to resolve them

Most issues encountered when flattening an SPF record fall into a small number of patterns. Here is what each means and how to address it.

No SPF record found on the domain

Why it happens: No TXT record starting with v=spf1 exists at the root domain, or the record was published on a subdomain like mail.example.com instead of example.com.

Fix: Add a TXT record at the root domain (e.g. example.com, not a subdomain). The value must start with v=spf1. If you have no sending servers, publish v=spf1 -all to block all senders. If you send through Google Workspace, start with v=spf1 include:_spf.google.com ~all, then flatten once you have added all other providers.

Resolution times out or returns incomplete results

Why it happens: One or more of the include: chain domains has slow or temporarily unreachable DNS. The tool allows up to 6 seconds per lookup via Cloudflare DoH before attempting the Google DoH fallback. A deeply nested include chain with many slow-responding domains can occasionally exceed the total resolution time.

Fix: Wait a few minutes and try again. Transient DNS outages typically resolve quickly. If a specific provider's include domain is consistently slow, that is itself a risk signal: if that DNS is slow for this tool, it is also slow for every receiving server evaluating your SPF record in real time. Consider replacing it with a direct ip4: range for that provider.

Flattened record is too long to publish as a single DNS TXT record

Why it happens: DNS TXT record values have a 255-byte string limit per segment, though most providers allow multi-string records up to 2048 bytes total. Organisations with many ESPs and wide IP ranges can generate flattened records that push against this limit.

Fix: Split your authorised IP ranges across two or three SPF subdomain records, for example, _spf1.yourdomain.com and _spf2.yourdomain.com, each containing a subset of the ip4: entries. In your main record, reference them with include: _spf1.yourdomain.com include:_spf2.yourdomain.com -all. This approach uses only 2-3 lookups at evaluation time while accommodating unlimited total IP ranges.

Flattened record breaks email from one provider after publishing

Why it happens: The provider rotated their IP ranges between when you last flattened and when the email was sent. Flattening captures a snapshot. If the provider added new outbound IPs after your snapshot, those IPs are not in your published record and fail SPF.

Fix: Re-run this tool to get fresh IP resolution, compare the output to your current published record, and update DNS with the new flattened record. Set a recurring 60-day calendar reminder to re-flatten. Check your DMARC aggregate reports monthly for any provider showing an increase in SPF failures. This is the earliest signal that a provider's IPs have drifted.

Original record shows 10+ lookups but email was working fine before

Why it happens: SPF PermErrors are handled inconsistently across receiving mail servers. Some providers treat a PermError as a neutral result and deliver the message anyway. Others treat it as a hard fail. You may have been benefiting from lenient receivers, but stricter providers, including Gmail under certain configurations, will enforce the limit.

Fix: Flatten the record regardless of whether you are currently seeing failures. A PermError is a ticking clock: each new ESP you add compounds the problem, and each major receiver that tightens their SPF enforcement policy can silently begin rejecting your mail. Fixing it proactively is far simpler than diagnosing it reactively under delivery pressure.

include: mechanism for a provider is missing from the flattened output

Why it happens: The include: domain did not return any valid TXT records starting with v=spf1 during resolution. This can happen if the provider recently changed their SPF domain, if the subdomain has been retired, or if DNS propagation for a recent change is still in progress.

Fix: Check the provider's current documentation for their recommended SPF include: domain. This changes occasionally when providers migrate infrastructure. If the domain is valid but new, wait 10-15 minutes for propagation and re-run. If the domain is genuinely invalid, remove the include: from your SPF record and replace it with the correct current include from the provider's docs.

Examples

SPF flattening examples: from simple records to over-limit enterprise setups

Five real-world SPF configurations showing when flattening is needed, what the results look like, and how lookup counts change

ExcellentGoogle Workspace only: 2 lookups, clean record, no flattening needed

Domain: yourcompany.com Original: v=spf1 include:_spf.google.com ~all Lookups: 2 (well within limit) Resolved: 35 IPs (Google mail server ranges) Flat: v=spf1 ip4:35.190.247.0/24 ip4:64.233.160.0/19 ... ~all Verdict: Flattening reduces to 1 lookup for maximum safety

A domain sending exclusively via Google Workspace uses only 2 DNS lookups. Safely within the limit. Flattening is still beneficial as it eliminates the dependency on Google's SPF record staying within bounds if they add more includes in future. The flat record resolves to 35 IP ranges covering all Google mail infrastructure.

GoodMulti-ESP setup: 7 lookups, approaching the limit

Domain: saas-company.com Original: v=spf1 include:_spf.google.com include:sendgrid.net include:servers.mcsv.net include:mktomail.com ~all Lookups: 7 (approaching 10-lookup limit) Resolved: 120+ IPs across 4 providers Flat: v=spf1 ip4:... [120 ip4 entries] ~all Lookups after flatten: 1

A SaaS company using Google, SendGrid, Mailchimp, and Marketo reaches 7 lookups. Adding even one more ESP would risk hitting the limit. Flattening drops this to a single lookup regardless of how many providers are added to the resolved IP list, giving headroom for future additions without SPF breakage.

WarningOver-limit record: 13 lookups, SPF returning PermError

Domain: enterprise.com Original: v=spf1 include:_spf.google.com include:sendgrid.net include:amazonses.com include:mailgun.org include:servers.mcsv.net include:mktomail.com include:_spf.salesforce.com include:spf.mandrillapp.com ~all Lookups: 13 (EXCEEDS 10-lookup limit -- PermError) Status: SPF failing for all mail regardless of sender Fix: Flatten immediately -- all legitimate mail is at risk

An enterprise with 8 email providers exceeds the 10-lookup limit, causing SPF PermError on every email. This means even legitimate email from Google, SendGrid, and Salesforce is failing SPF validation. Under a p=quarantine DMARC policy, this routes all outbound email to spam folders. Flattening resolves this immediately by reducing to 1 lookup.

ExcellentDeep include chain: 3 levels deep, all resolved correctly

Domain: platform.io Root SPF: v=spf1 include:_spf.google.com include:sendgrid.net -all Level 2: _spf.google.com -> include:_netblocks.google.com {'->'} include:_netblocks2.google.com {'->'} include:_netblocks3.google.com Level 3: _netblocks.google.com -> ip4: ranges Lookups: 6 total (safe) Tree depth: 3 levels resolved Flat: v=spf1 [all IPs] -all (1 lookup)

Google's SPF record uses three levels of include nesting (_spf.google.com includes _netblocks.google.com which contains the actual IPs). This tool resolves all three levels automatically, collecting all IP ranges at each depth. The include tree visualisation shows each level as an expandable node so you can see exactly which sub-domain contributed which IP ranges.

WarningRedirect mechanism: less common, fully supported

Domain: subsidiary.com Original: v=spf1 redirect=_spf.parentcorp.com Lookups: 1 + (all lookups from parent record) Parent: v=spf1 include:_spf.google.com include:sendgrid.net -all Total: 3 lookups (currently safe) Resolved: 55 IPs Flat: v=spf1 ip4:... [55 entries] -all

A subsidiary domain using redirect= to inherit the parent company's SPF policy. Redirect mechanisms are fully supported by this flattener. The tool follows the redirect to the parent domain and recursively resolves that record. This is common in enterprise setups where multiple subsidiary domains share a single mail infrastructure.

FAQ

SPF flattening questions and answers

Answers to the most common questions about SPF flattening, the RFC 7208 10-lookup limit, PermErrors, and keeping a flattened record current.

What is SPF flattening and when do I need it?

SPF flattening is the process of recursively resolving all include: and redirect= mechanisms in an SPF record to their actual underlying IP addresses, then replacing the nested lookup chain with explicit ip4: and ip6: entries. You need SPF flattening when your domain uses multiple email service providers, such as Google Workspace, SendGrid, Mailchimp, Salesforce, and HubSpot simultaneously, because each include: directive adds one or more DNS lookups. RFC 7208 limits SPF evaluation to exactly 10 DNS lookups. When you exceed this limit, the receiving mail server returns a PermError status, meaning your SPF record fails validation regardless of whether the sending IP is legitimately authorised.

Why does SPF have a 10 DNS lookup limit and what happens when you exceed it?

The 10-lookup limit was established in RFC 7208 (the SPF specification) to prevent denial-of-service attacks where a malicious SPF record could trigger an unbounded chain of DNS queries against arbitrary servers, amplifying the attack and consuming server resources. When a receiving mail server evaluates your SPF record and encounters more than 10 mechanisms that require a DNS lookup (include:, a, mx, ptr, exists:, redirect=), it returns a PermError result. This PermError is treated as an SPF failure. If your DMARC policy is p=quarantine or p=reject, this means legitimate email from your domain may be sent to spam or rejected outright. Not because it came from an unauthorised server, but purely due to the lookup count.

How does SPF record flattening work technically?

SPF flattening works by performing a depth-first traversal of the include: and redirect= chain in your SPF record. Starting with your domain's root SPF record, the flattener fetches the TXT record, parses it, and for each include: mechanism, recursively fetches and parses the included domain's SPF record. This continues until all include chains are resolved or a depth limit is reached (typically 5-6 levels). At each level, any ip4: and ip6: entries are collected directly, and any a: or mx: mechanisms are resolved to their current IP addresses via additional DNS lookups. The final output is a single SPF record containing only explicit ip4: and ip6: entries plus the policy qualifier (-all, ~all, or ?all), requiring only one DNS lookup to evaluate.

What is the difference between -all, ~all, and ?all in an SPF record?

The all mechanism at the end of an SPF record defines how receiving servers should treat mail from senders not listed in the record. -all (hard fail) instructs receiving servers to reject mail that does not match any mechanism in the record. This is the most secure option and recommended for domains where you fully control and know all sending sources. ~all (soft fail) instructs servers to mark non-matching mail as suspicious but typically still deliver it, usually with a header flag. This is appropriate for domains that are still validating their sending sources. ?all (neutral) takes no position and effectively disables enforcement, treating all mail the same regardless of SPF result. For a flattened record where you have resolved all IPs, -all is the correct choice as you have explicitly enumerated every authorised sender.

How many IP addresses can a flattened SPF record contain?

There is no RFC-defined hard limit on the number of ip4: and ip6: entries in an SPF record, but practical limits exist due to DNS TXT record size constraints. A single DNS TXT record string is limited to 255 characters, but multiple strings can be concatenated within a single TXT record response up to a total of approximately 2048 bytes (varying by DNS server implementation). In practice, very large corporate SPF records can easily contain 100-200 IP ranges when flattened. If your flattened record approaches 2000 characters, you may need to split authorised senders across subdomains and use include: to reference those subdomains, keeping the total to two or three includes within the 10-lookup budget.

What are the downsides of SPF flattening and how do I maintain a flattened record?

The primary downside of SPF flattening is that it captures a snapshot of your email providers' IP addresses at the time of flattening. Major ESPs like Google, SendGrid, Mailchimp, and Salesforce regularly add, remove, and rotate IP addresses in their infrastructure. When they do, your flattened SPF record becomes out of date. It may either fail to authorise legitimate mail from new IPs (causing SPF failures) or continue to authorise IPs that have been reassigned to other senders (a security risk). To maintain a flattened record, set a calendar reminder to re-run this flattening tool every 60-90 days and update your DNS TXT record with the refreshed output. Alternatively, consider a dynamic SPF flattening service that automatically monitors your includes and updates your DNS records when upstream IPs change.

How do I check how many DNS lookups my current SPF record uses?

Enter your domain in this SPF flattening tool and the Original Lookups counter in the results summary will show you the number of DNS lookups required to evaluate your current SPF record. Each include:, redirect=, a, mx, ptr, and exists: mechanism counts as one lookup. Note that ip4: and ip6: entries do not count toward the lookup limit because they specify IPs directly without requiring a DNS query. The lookup counter in this tool counts the mechanisms in your root SPF record only. The recursive lookups required inside each include chain also count toward the limit during evaluation, which is why the actual lookup count during evaluation is often much higher than the count of mechanisms visible in your root record.

Can SPF flattening break my email deliverability?

Incorrectly applied SPF flattening can break deliverability if the flattened record is missing IP addresses that your email providers use for sending. This can happen if: the flattening tool did not fully resolve all include chains (for example, if a DNS timeout occurred during resolution), if you copy the record with errors, or if you use the flattened record as a replacement for the original but the original included mechanisms that resolve to more IPs than were captured. Before replacing your live SPF record, verify the flattened output by checking that it contains IPs from all your sending services. After publishing, send a test email through each provider and check the email headers for SPF: pass results. You can also use the SMTP tester on this site to re-validate the configuration after the DNS change propagates.

How do I publish a flattened SPF record in DNS?

To publish the flattened SPF record, log into your DNS control panel (Cloudflare, GoDaddy, Namecheap, Route 53, or your hosting provider's DNS management interface). Find the existing TXT record at your domain root (typically displayed as @ or your domain name) that starts with v=spf1. Delete or edit this record and replace the entire value with the flattened record from this tool. Do not add the flattened record as a second TXT record. Domains must have exactly one SPF record and having two TXT records starting with v=spf1 causes an SPF PermError. After saving, DNS propagation typically takes 5 minutes to a few hours depending on your TTL setting. Re-run this tool or use an SPF checker to confirm the new record is live and valid.

What is the include tree visualization in this SPF flattening tool?

The include tree tab in this tool shows the full recursive structure of your SPF record as a collapsible tree diagram. The root node shows your domain's SPF record, and each include: or redirect= mechanism expands into a child node showing the included domain, its SPF record, and how many IPs it contributes. This visualization makes it immediately clear which of your email service providers are contributing the most IP addresses and how deep the include chain goes. Domains using more than three levels of nested includes are the most common cause of lookup limit issues because the lookup count compounds at each level. The tree view is particularly useful for identifying redundant includes. Cases where two different includes from different services resolve to overlapping IP ranges that can potentially be consolidated.

How does SPF flattening affect DMARC?

SPF flattening directly improves DMARC pass rates by eliminating PermErrors that would otherwise cause SPF to fail. Under a DMARC policy of p=quarantine or p=reject, an SPF PermError from exceeding the 10-lookup limit is treated as an authentication failure. Meaning legitimate email is quarantined or rejected even though it came from an authorised source. By reducing your SPF record to a single lookup, flattening ensures that SPF evaluation always completes cleanly and returns a pass or fail result based on the actual sending IP, not a configuration error. Note that SPF alignment still requires the envelope Return-Path domain to match your From: domain. Flattening does not change this. If your ESPs use their own Return-Path domains, you still need DKIM alignment for DMARC to pass.

What is the difference between SPF flattening and dynamic SPF?

Standard SPF flattening, as performed by this tool, resolves your include chains at a point in time and produces a static record with explicit ip4: and ip6: entries. This record must be manually refreshed every 60-90 days when ESPs rotate their IP ranges. Dynamic SPF services (also called automatic SPF flattening or SPF macros) use DNS infrastructure that automatically monitors your include chains and updates the resolved IP set whenever upstream ranges change. Your DNS record stays current without manual intervention. Dynamic SPF services typically require a paid subscription and involve delegating a subdomain to the provider's DNS. For most small to medium organisations, manual flattening with a quarterly refresh calendar reminder is sufficient. For large enterprises with complex, frequently-changing sending infrastructure, a dynamic SPF service reduces maintenance overhead significantly.

Can a flattened SPF record become too long for DNS?

Yes. A single DNS TXT string is limited to 255 bytes by the DNS specification, but multiple strings can be concatenated within one TXT record, giving an effective limit of roughly 450 characters per TXT record value for most DNS providers. Though some accept up to 2048 bytes total. Organisations using many email providers can end up with 100-200 individual ip4: entries after flattening, which can push the record past DNS size limits. If you encounter this, the solution is to split your authorised senders across two or three SPF subdomain records (e.g. _spf1.yourdomain.com and _spf2.yourdomain.com), each containing a portion of the IP ranges, then reference them from your main record with include: mechanisms. Keep the total number of includes in the main record to three or fewer to stay safely within the 10-lookup budget while accommodating large IP sets.

Does SPF flattening work for Google Workspace and Microsoft 365?

Yes. Both are fully supported. Google Workspace uses a three-level include chain: _spf.google.com includes _netblocks.google.com, _netblocks2.google.com, and _netblocks3.google.com, each of which contains the actual ip4: ranges. This tool resolves all three levels and collects every Google mail server IP. Microsoft 365 similarly uses spf.protection.outlook.com, which resolves to a set of IP ranges covering Microsoft's mail infrastructure. Both providers are among the most commonly flattened includes and are resolved reliably by this tool on every run. The resulting flattened record authorises all IPs from both providers as direct ip4: entries, eliminating the lookup dependency on their DNS infrastructure.

How do I know when my flattened SPF record needs updating?

The most reliable indicator is your DMARC aggregate reports. A sudden increase in SPF failures from a known provider like Google or SendGrid usually means that provider has added new IP ranges that are not in your flattened record. Other signals include increased bounce rates or deliverability complaints from a specific sending service. As a preventive measure, set a calendar reminder to re-run this flattening tool and compare the output to your published record every 60-90 days. Major ESPs including Google, SendGrid, and Mailchimp have historically rotated IP ranges several times per year. If the resolved IPs differ from what you have published, update your DNS TXT record with the new flattened output.

Technical background

SPF in the email authentication stack: how it fits with DKIM and DMARC

SPF flattening solves the DNS lookup problem, but it is worth understanding where SPF sits in the broader email authentication picture. Because SPF alone, even a perfectly flattened one, does not fully protect your domain.

SPF (Sender Policy Framework) validates the SMTP envelope sender. The MAIL FROM address used during the server-to-server handshake. It answers one question: is this IP authorised to send mail claiming to come from this domain? It does not validate the visible From: header in the email client, and it does not survive email forwarding (because the forwarding server's IP is not in the original SPF record). A flattened SPF record ensures that evaluation always completes within the 10-lookup limit and returns a clean pass or fail result. Use the SPF Record Checker after publishing your flattened record to confirm it is valid and within limits.

DKIM (DomainKeys Identified Mail) complements SPF by adding a cryptographic signature to outgoing messages, tied to a domain you control. Because the DKIM signature is in the message headers and is based on your d= domain rather than the sending server's IP, it survives forwarding and is the more reliable alignment mechanism for third-party sending platforms. When an ESP uses its own Return-Path domain, which breaks SPF alignment, DKIM alignment is what keeps DMARC passing. Verify your DKIM configuration with the DKIM Analyzer.

DMARC (Domain-based Message Authentication, Reporting, and Conformance) ties SPF and DKIM together. It requires that at least one mechanism passes with alignment to the visible From: header domain, and it specifies what to do when neither passes. None (monitor), quarantine (spam), or reject (block). DMARC also enables daily aggregate reports that show pass/fail rates across all your sending sources, which are the most practical way to catch SPF issues before they cause delivery problems. Check your current DMARC policy with the DMARC Checker or do a full tag-by-tag analysis with the DMARC Analyzer.

The optimal sequence for setting up email authentication from scratch is: (1) publish SPF and flatten if needed, (2) enable DKIM signing via your email providers, (3) publish DMARC at p=none with rua= configured, (4) review aggregate reports for 2-4 weeks, (5) advance DMARC to p=quarantine then p=reject as you confirm all legitimate sources pass. A clean, flattened SPF record is the foundation that makes step 3 onwards safe to execute.

Related Email Authentication Tools

Need a disposable email address?Stop exposing your real address. Get a free instant throwaway with no signup and no trace.

Get Free Temp Mail ->