DMARCER
Sign in

Hosted SPF: flatten and host your SPF

Hosted SPF (also called SPF flattening) lets DMARCER host your SPF record so receivers only ever see one DNS lookup, keeping you safely under SPF's 10-lookup limit. This guide walks you through turning it on, managing a live domain and reverting if you ever need to.

Published 29 Jun 2026 3

SPF allows only 10 DNS lookups before receivers return a permanent error and stop trusting your record. As you add senders (Microsoft 365, a CRM, a marketing tool, a helpdesk) it is easy to quietly cross that limit and break SPF for your whole domain. Hosted SPF, also called SPF flattening, fixes this by hosting your record on DMARCER's DNS for you. Your own published record becomes a single include: line pointing at DMARCER, so receivers only ever see one lookup no matter how many providers you authorise, and DMARCER keeps those providers' IP addresses up to date for you.

What hosted SPF actually does

When you switch flattening on, DMARCER creates a unique subdomain on its hosted zone for your domain (for example _spf.<your-id>.<dmarcer-zone>) and works out the actual IP ranges for every sender you authorise. Those IPs are published into the hosted zone, and your domain's own SPF record is shortened to v=spf1 include:_spf.<your-id>.<dmarcer-zone> -all. DMARCER then re-checks your providers every day, so if a provider changes its sending IPs your SPF keeps working without you having to touch DNS again.

  • Receivers see one DNS lookup for your domain, well under the limit of 10.
  • You keep full control of which senders are authorised; only the working out of IPs and the hosting move to DMARCER.
  • Your own DNS is only touched once, when you switch your record to the flattened include line.

Before you start

A few things need to be in place before you can switch flattening on for a domain:

  • The feature needs to be switched on for your organisation. A Super User sets this up under Platform, Integrations, SPF Flattening, and at least one active hosting zone (called a Master Domain) must exist. If it is not set up yet, the Flattening tab will ask you to contact a Super User.
  • You need the right access. The Tenant Admin role can do this, or anyone who has been given permission to manage SPF flattening. Because flattening changes how a domain sends mail, this is kept separate from view-only access.
  • The domain must be in Standard mode and not licensed as Parked. Parked domains publish v=spf1 -all directly (a hard reject that allows no senders), so flattening does not apply to them.

Finding the Flattening tab

Open the SPF window for the domain (from Domain Management or from the customer's detail page) and choose the Flattening tab, marked with a shield-and-lock icon. The tab updates itself: it loads the current flattening status and shows the right panel for wherever the domain is in the process (Standard, Activation in progress, flattened/Live, or Revert in progress).

Step by step: turning it on

  • On the Flattening tab, click Enable SPF Flattening. DMARCER saves a copy of your current SPF record (kept safely so you can revert later), reads it into a list of senders, and creates your unique flattened subdomain. The domain moves into Activation in progress.
  • Review the Authorised senders detected list. Each part of your old record (includes, ip4, ip6, a, mx) appears as a row you can edit. Add, change or remove senders as needed, then click Save senders.
  • Click Set up flattened zone. DMARCER works out the IPs for your senders and publishes them into the hosted zone at your flattened subdomain. Your own DNS is not touched yet.
  • DMARCER then shows you the new value to publish, usually v=spf1 include:_spf.<your-id>.<dmarcer-zone> -all. Replace your existing SPF TXT record at the top level (apex) of the domain with this value. Publish the new record before removing the old one so receivers always see a valid SPF during the change; the hosted zone is already serving the resolved IPs.
  • If the domain is linked to a DNS provider, an Automated publish option appears (for example Publish via your provider). DMARCER can make the change for you; you review what will change and confirm before anything is written.
  • Once you have updated DNS, click the verify button (I've published the record, verify). DMARCER checks your live SPF for the flattened include. When it finds it, the domain becomes Live. If it is not visible yet, you will see a message asking you to confirm the DNS change while it spreads across the internet.

At any point during activation you can click Cancel activation. DMARCER removes the records it created in the hosted zone and returns the domain to Standard mode.

Managing a flattened (Live) domain

Once a domain is Live, the Flattening tab confirms it is flattened and shows when it was flattened, the last time your providers were checked, and the number of authorised senders and resolved IPs. From here you can:

  • Edit the sender list and click Save & republish. This publishes the updated set straight to the hosted zone; your own DNS does not need to change again.
  • Click Refresh sender IPs to re-check every provider straight away and republish if anything changed. This is handy right after a provider tells you it has new sending IPs. DMARCER does this refresh for you every day automatically, so a manual refresh is only for when you cannot wait.
  • Click Disable flattening to start reverting (see below).

Turning it off (reverting)

Disable flattening puts the domain into Revert in progress and creates an unflattened record that lists your current senders directly (each one expanded back into its own include, ip4, ip6, a or mx, ending in -all). Copy that value, replace your published SPF TXT record with it, then click the verify button. DMARCER confirms the flattened include has gone from your live record before returning the domain to Standard mode and releasing the hosted subdomain. Keep in mind that the unflattened record brings back the original lookup cost, so if you reverted purely because of the 10-lookup limit you may run into it again.

Common pitfalls

  • Do not edit SPF from the Builder tab while a domain is flattened. The Builder is locked on purpose in this state, because publishing a rebuilt record would overwrite the flattened include line and quietly disconnect the domain from the hosted zone while DMARCER carries on serving the IPs. Always manage a flattened domain from the Flattening tab.
  • Publish the new record before deleting the old one. During the switch, both the hosted zone and your record should be valid so receivers never see a missing or broken SPF.
  • Only one v=spf1 record may exist at the top level (apex). Having two or more SPF records is a permanent error that makes receivers treat SPF as broken, so merge them into one before flattening.
  • Verification depends on the DNS change spreading across the internet. If the verify step says the include is not visible yet, give your DNS host a little time and try again rather than re-running activation.
  • If too many senders resolve to a very large number of IPs, the plan can grow too large for the hosted setup. Remove some senders or split your sending across subdomains.
  • If the feature is switched off or no active hosting zone exists, the tab will not offer activation; ask a Super User to set up Platform, Integrations, SPF Flattening first.

Was this article useful?

Be the first to vote.
Got feedback for our team? Send us a comment