It is very common for organizations, when constructing or modifying their SPF record, to run up against the 10 DNS lookup limit. This limitation restricts the number of DNS lookups that can be performed when an SPF record is evaluated.
SPF records usually contain ‘include’ statements that refer to other domains' SPF records to list servers that are allowed to send on behalf of the organization’s domain. Any parts of the SPF record that are listed after the 10th lookup has been reached will not be evaluated. This means that although you have listed something in your SPF record, it may not be evaluated, causing legitimate services to fail authentication via SPF.
An organization that is using Google Workspace (aka G Suite) would normally list include:_spf.google.com in their SPF record. When the receiver of the email attempts to verify an email from a domain, they would see this include and then resolve ‘_spf.google.com’. This counts as one DNS lookup. When resolving this name, you will see that there are three other include statements behind this: include:_netblocks.google.com include:_netblocks2.google.com include:_netblocks3.google.com.
Each of these DNS names would then need to be resolved to get to the list of IP addresses that Google sends emails from. In this example, simply adding Google Workspace (aka G Suite) to your SPF record takes up 4 of the 10 possible DNS lookups allowed when evaluating an SPF record.
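The count described above can be reproduced with a short script. This is an added example, not part of the original article: `TXT_RECORDS` is a constructed stand-in for DNS so it runs offline, `example.org` and `flat.example.org` are hypothetical sender domains, and the ip4/ip6 ranges are documentation addresses rather than Google's real netblocks.

```python
# Added example: counts the SPF terms that trigger DNS queries (RFC 7208, 4.6.4).
# TXT_RECORDS is a constructed stand-in for DNS so this runs offline. The include
# chain mirrors the one described above; example.org is a hypothetical sender
# domain and the ip4/ip6 ranges are documentation addresses, not Google's.
TXT_RECORDS = {
    "example.org": "v=spf1 include:_spf.google.com ~all",
    "_spf.google.com": ("v=spf1 include:_netblocks.google.com "
                        "include:_netblocks2.google.com "
                        "include:_netblocks3.google.com ~all"),
    "_netblocks.google.com": "v=spf1 ip4:192.0.2.0/24 ~all",
    "_netblocks2.google.com": "v=spf1 ip6:2001:db8::/32 ~all",
    "_netblocks3.google.com": "v=spf1 ip4:198.51.100.0/24 ~all",
    "flat.example.org": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.0/24 ~all",
}

LOOKUP_LIMIT = 10
# Terms that cause a DNS query when evaluated; ip4, ip6 and all do not.
QUERYING = {"include", "a", "mx", "ptr", "exists", "redirect"}


def count_lookups(domain, records=TXT_RECORDS, _path=()):
    """Count DNS-querying terms reachable from the SPF record of `domain`."""
    if domain in _path:                      # include loop: stop recursing
        return 0
    total = 0
    for term in records.get(domain, "").split()[1:]:    # skip "v=spf1"
        term = term.lstrip("+-~?")                       # drop the qualifier
        # "include:x", "redirect=x", "a/24" and bare "mx" all reduce to a name
        name, _, arg = term.replace("=", ":", 1).partition(":")
        name = name.split("/")[0].lower()
        if name not in QUERYING:
            continue
        total += 1                           # the term itself is one lookup
        if name in ("include", "redirect") and arg:
            # the referenced record is evaluated too, so its terms also count
            total += count_lookups(arg.lower(), records, _path + (domain,))
    return total


def over_limit(domain, records=TXT_RECORDS):
    """True when evaluating the record needs more than LOOKUP_LIMIT lookups."""
    return count_lookups(domain, records) > LOOKUP_LIMIT


if __name__ == "__main__":
    for d in ("example.org", "flat.example.org"):
        print(d, count_lookups(d), "over limit" if over_limit(d) else "ok")
```

To audit a live domain, replace the `records.get` call with a real TXT query; the counting logic stays the same.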
One way that organizations attempt to get around the 10 DNS lookup limit is to ‘flatten’ the SPF record. Flattening involves taking an include statement that would normally be placed into an SPF record and manually getting a list of all of the IP addresses listed under that DNS name.
If an organization decides to do flattening and they want to eliminate the 4 DNS lookups required by Google Workspace (aka G Suite), they would replace include:_spf.google.com with:
ip4:126.96.36.199/24 ip4:188.8.131.52/19 ip4:184.108.40.206/20 ip4:220.127.116.11/20 ip4:18.104.22.168/18 ip4:22.214.171.124/16 ip4:126.96.36.199/21 ip4:188.8.131.52/16 ip4:184.108.40.206/17 ip4:220.127.116.11/19 ip4:18.104.22.168/19 ip6:2001:4860:4000::/36 ip6:2404:6800:4000::/36 ip6:2607:f8b0:4000::/36 ip6:2800:3f0:4000::/36 ip6:2a00:1450:4000::/36 ip6:2c0f:fb50:4000::/36 ip4:22.214.171.124/19 ip4:126.96.36.199/20 ip4:188.8.131.52/19 ip4:184.108.40.206/20 ip4:220.127.116.11/19 ip4:18.104.22.168/19 ip4:22.214.171.124/16 ip4:126.96.36.199/22
Effects of Flattening
While this does eliminate the 4 DNS lookups Google Workspace (aka G Suite) normally requires, it results in other problems:
How to identify Flattening:
While there is no way to look at an SPF record and immediately know if flattening is being done, there is a way to identify flattening. Within the SPF record:
If the answer to #3 is yes, the organization is doing SPF flattening.