It is very common for organizations, when constructing or modifying their SPF record, to run up against the 10 DNS lookup limit. This limitation restricts the number of DNS lookups that can be performed when an SPF record is evaluated.

SPF records usually contain ‘include’ statements that refer to other domains' SPF records to list servers that are allowed to send on behalf of the organization’s domain. Any parts of the SPF record that are listed after the 10th lookup has been reached will not be evaluated. This means that although you have listed something in your SPF record, it may not be evaluated, causing legitimate services to fail authentication via SPF.

Example:

An organization that is using G Suite would normally list include:_spf.google.com in their SPF record. When the receiver of the email attempts to verify an email from a domain, they would see this include and then resolve ‘_spf.google.com’. This counts as one DNS lookup. When resolving this name, you will see that there are three other include statements behind this: include:_netblocks.google.com include:_netblocks2.google.com include:_netblocks3.google.com.

Each of these DNS names would then need to be resolved to get to the list of IP addresses that Google sends emails from. In this example, simply adding G Suite to your SPF record takes up 4 of the 10 possible DNS lookups allowed when evaluating an SPF record.

Flattening:

One way that organizations attempt to get around the 10 DNS lookup limit is to ‘flatten’ the SPF record. Flattening involves taking an include statement that would normally be placed into an SPF record and manually getting a list of all of the IP addresses listed under that DNS name.

Example:

If an organization decides to do flattening and they want to eliminate the 4 DNS lookups required by G Suite, they would replace:

include:_spf.google.com

with:

ip4:35.190.247.0/24 ip4:64.233.160.0/19 ip4:66.102.0.0/20 ip4:66.249.80.0/20 ip4:72.14.192.0/18 ip4:74.125.0.0/16 ip4:108.177.8.0/21 ip4:173.194.0.0/16 ip4:209.85.128.0/17 ip4:216.58.192.0/19 ip4:216.239.32.0/19 ip6:2001:4860:4000::/36 ip6:2404:6800:4000::/36 ip6:2607:f8b0:4000::/36 ip6:2800:3f0:4000::/36 ip6:2a00:1450:4000::/36 ip6:2c0f:fb50:4000::/36 ip4:172.217.0.0/19 ip4:172.217.32.0/20 ip4:172.217.128.0/19 ip4:172.217.160.0/20 ip4:172.217.192.0/19 ip4:108.177.96.0/19 ip4:35.191.0.0/16 ip4:130.211.0.0/22

Effects of Flattening

While this does eliminate the 4 DNS lookups G Suite normally requires, it results in other problems:

  1. Typos: Dealing with any text string that long makes it easy to make a mistake and inject syntax errors, which can result in mail not being delivered.

  2. DNS record sizes: Some DNS management platforms will not let you create TXT records greater than 255 characters.

  3. If Google decides to add new IPs to their SPF record, you will not know about it until emails stop being delivered. This is the biggest risk, since it will not be immediately apparent that anything has changed and the first indication of problems is when emails no longer authenticate.

How to identify Flattening:

While there is no way to look at an SPF record and immediately know if flattening is being done, there is a way to identify flattening. Within the SPF record:

  1. Look for a long list of ip4 or ip6 directives (netblocks) in the SPF record. Especially look for netblocks with a large subnet mask (something between /8 and /24).

  2. For each netblock, look at the whois information for that block (https://www.whois.com/whois/).

  3. Look to see if the owner of that IP block is a company that is a mailbox provider or a company that sends emails (Marketing, HR, etc.)


If the answer to #3 is yes, the organization is doing SPF flattening.
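The lookup counting described above (the G Suite include costing 4 of the 10 lookups) and step 1 of the flattening check, as an added example that is not part of the original article. It assumes a constructed, offline stand-in for DNS TXT lookups (ZONE) instead of a real resolver; the three includes behind _spf.google.com are those the text describes, but the netblock contents and the example.com records are constructed samples, not Google's authoritative list.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups so the example runs offline (assumption:
# not a real resolver). Netblock contents and example.com records are sample data.
ZONE = {
    "example.com": "v=spf1 a include:_spf.google.com ~all",
    "over.example.com": "v=spf1 include:_spf.google.com include:_spf.google.com "
                        "include:_spf.google.com ~all",
    "flat.example.com": "v=spf1 ip4:64.233.160.0/19 ip4:74.125.0.0/16 "
                        "ip6:2001:4860:4000::/36 ~all",
    "_spf.google.com": "v=spf1 include:_netblocks.google.com "
                       "include:_netblocks2.google.com include:_netblocks3.google.com ~all",
    "_netblocks.google.com": "v=spf1 ip4:35.190.247.0/24 ip4:64.233.160.0/19 ~all",
    "_netblocks2.google.com": "v=spf1 ip6:2001:4860:4000::/36 ~all",
    "_netblocks3.google.com": "v=spf1 ip4:172.217.0.0/19 ip4:35.191.0.0/16 ~all",
}

LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # each costs 1 lookup
MAX_LOOKUPS = 10

def split_term(term):
    """Return (name, argument) for one SPF term, ignoring the +/-/~/? qualifier."""
    term = term.lstrip("+-~?").replace("=", ":", 1)   # redirect=x -> redirect:x
    name, _, arg = term.partition(":")
    return name.split("/")[0].lower(), arg              # 'a/24' -> 'a'

def count_lookups(domain, zone=ZONE):
    """Count DNS lookups needed to evaluate domain's SPF record, following
    include:/redirect= recursively. ip4/ip6/all terms cost nothing."""
    total = 0
    for term in zone.get(domain, "").split()[1:]:       # skip 'v=spf1'
        name, target = split_term(term)
        if name in LOOKUP_TERMS:
            total += 1
            if name in ("include", "redirect"):
                total += count_lookups(target, zone)
    return total

def within_limit(domain, zone=ZONE):
    return count_lookups(domain, zone) <= MAX_LOOKUPS

def flattening_signals(domain, zone=ZONE):
    """Step 1 of the check above: count ip4/ip6 netblocks and list the broad IPv4
    ones (/8 to /24). Whois on each block (steps 2 and 3) is left to the analyst."""
    blocks = [ipaddress.ip_network(arg, strict=False)
              for name, arg in map(split_term, zone.get(domain, "").split()[1:])
              if name in ("ip4", "ip6")]
    broad = [str(b) for b in blocks if b.version == 4 and 8 <= b.prefixlen <= 24]
    return len(blocks), broad

if __name__ == "__main__":
    for d in ("example.com", "over.example.com", "flat.example.com"):
        print(d, count_lookups(d), within_limit(d), flattening_signals(d))
```

With these records, example.com costs 5 lookups (1 for the a mechanism, 4 for the G Suite include), over.example.com costs 12 and breaks the limit, and the flattened record costs none but shows three netblocks, two of them broad.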