SPF Flattening

SPF flattening is usually a bad idea; it typically gets looked into because an SPF record was not created or maintained correctly in the first place.

For the most part, our advice for those looking into doing this is: "Don't." In almost all cases, the reason that a customer begins looking at this can be solved with some basic SPF correction and adoption of best practices:

  • remove (and do not add) useless SPF entries. Examples:
    • Sources appearing in your Detail Viewer which are "SPF incapable" and show a 0% SPF pass rate
    • Sources sending for your domain which, for some other reason, do not use your domain in the mailfrom. Sometimes this is because the capability costs more money; sometimes it is because you have opted to have the traffic pass DMARC solely on the basis of correct DKIM signing; sometimes your SPF authentication is already completely successful using another domain or subdomain! The SPF analysis tool can correlate your DMARC data with your SPF record and show which entries are useless over the most recent 7 to 30 days
    • See the linked "Remove 'a' and 'mx' SPF entries?" article
  • remove unused SPF entries (e.g. a sender which is no longer in use, or a sender which is already, and more correctly, set up to send using a subdomain)
  • related to the last two points, pay attention to the "Duplicate netblock authorization" notes below the SPF record details in the SPF Surveyor. Resolve all instances of these
  • move vendor traffic to subdomains for SPF authentication (e.g. vendor.example.com, allowing you to have an SPF record specifically and *only* at the vendor.example.com location). This is a best practice which should be followed whenever possible.

Insight for the above points can usually be found in your account's SPF survey tool. Note that for the tool to be useful you *must* have at least a full week of DMARC reporting in your account.
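The reason flattening gets considered in the first place is the ten-DNS-lookup limit on SPF evaluation, and the points above are the usual way to get back under it without flattening. The following Python script is an added illustration, not dmarcian's own code or tooling: it counts lookups recursively against a small in-memory zone, then shows the effect of dropping useless, unused and duplicate entries and of giving a vendor its own subdomain record. All domains, addresses and records in the ZONE table are constructed for this example (documentation ranges, .example names) and do not describe any real sender.

```python
import re

# Mechanisms that each cost one DNS lookup under RFC 7208; "redirect=" costs one too.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}
MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4: exceeding this yields permerror

# Constructed zone (domain -> SPF TXT record). Every name and address here is
# invented for this example; .example names and 192.0.2/198.51.100/203.0.113
# are reserved for documentation.
ZONE = {
    "example.com": (
        "v=spf1 a mx include:_spf.mailvendor.example include:crm.example "
        "include:newsletters.example include:helpdesk.example "
        "include:oldhost.example -all"
    ),
    "_spf.mailvendor.example": (
        "v=spf1 include:_spf1.mailvendor.example "
        "include:_spf2.mailvendor.example -all"
    ),
    "_spf1.mailvendor.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "_spf2.mailvendor.example": "v=spf1 ip4:198.51.100.0/24 -all",
    "crm.example": "v=spf1 a mx ip4:203.0.113.10 -all",
    "newsletters.example": "v=spf1 ip4:203.0.113.0/24 -all",
    # Duplicate netblock authorisation: only re-includes the mail vendor.
    "helpdesk.example": "v=spf1 include:_spf.mailvendor.example -all",
    "oldhost.example": "v=spf1 mx -all",  # no longer sends for us
    # Best practice: vendor traffic on its own subdomain with its own record.
    "vendor.example.com": "v=spf1 include:_spf.mailvendor.example -all",
}


def parse_terms(record):
    """Split an SPF record into its terms, dropping the v=spf1 version tag."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError(f"not an SPF record: {record!r}")
    return terms[1:]


def _name_and_target(term):
    """Return (mechanism or modifier name, target domain or None) for one term."""
    mech = term.lstrip("+-~?")  # strip the qualifier
    head = mech.split("=", 1)[0]
    if "=" in mech and ":" not in head:  # modifier such as redirect=domain
        return head.lower(), mech.split("=", 1)[1]
    name = re.split(r"[:/]", mech, maxsplit=1)[0].lower()
    return name, (mech.partition(":")[2] or None)


def count_lookups(domain, zone, _path=()):
    """Recursively count the DNS lookups the SPF record of `domain` triggers.

    Returns (total, breakdown); breakdown pairs each top-level term with the
    lookups it is responsible for, nested includes/redirects included.
    """
    if domain in _path:
        raise ValueError("include/redirect loop: " + " -> ".join(_path + (domain,)))
    record = zone.get(domain)
    if record is None:
        return 0, []  # no record published: nothing further to resolve
    path = _path + (domain,)
    breakdown = []
    for term in parse_terms(record):
        name, target = _name_and_target(term)
        cost = 0
        if name in LOOKUP_MECHANISMS or name == "redirect":
            cost = 1
            if name in ("include", "redirect") and target:
                cost += count_lookups(target, zone, path)[0]
        breakdown.append((term, cost))
    return sum(cost for _, cost in breakdown), breakdown


def remove_terms(record, drop):
    """Return `record` without the given terms (qualifier ignored when matching)."""
    kept = [t for t in parse_terms(record) if t.lstrip("+-~?") not in drop]
    return " ".join(["v=spf1"] + kept)


def report(domain, zone):
    """Human-readable lookup budget for `domain`, listing only terms that cost."""
    total, breakdown = count_lookups(domain, zone)
    verdict = "OK" if total <= MAX_LOOKUPS else f"OVER LIMIT of {MAX_LOOKUPS}"
    lines = [f"{domain}: {total} lookups, {verdict}"]
    lines += [f"  {term:<40} {cost}" for term, cost in breakdown if cost]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report("example.com", ZONE))
    # Apply the clean-up points: drop a/mx, the unused include and the
    # duplicate authorisation, then recount.
    cleaned = dict(ZONE)
    cleaned["example.com"] = remove_terms(
        ZONE["example.com"],
        {"a", "mx", "include:oldhost.example", "include:helpdesk.example"},
    )
    print(report("example.com", cleaned))
    print(report("vendor.example.com", ZONE))
```

As constructed, example.com starts at 15 lookups and falls to 7 once the a/mx entries, the unused include and the duplicate authorisation are removed; the vendor.example.com record stands alone at 3. Run it against your own records by replacing the ZONE table with the TXT records you actually publish.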

Some expanded SPF articles and guidance are available here:

https://dmarcian.com/spf-flattening/

https://dmarcian.com/tag/spf/