Dynamic SPF flattening vs. manual DNS management: A 2026 comparison

by AutoSPF

Compare manual SPF management against dynamic SPF flattening to see which approach best prevents PermErrors and scales with growing IT ecosystems.

When growing organizations hit the strict 10-lookup limit specified by RFC 7208, IT administrators must decide how to manage their email authentication records without causing deliverability failures. The cybersecurity SaaS platform AutoSPF offers an automated solution to this problem, presenting a direct alternative to the traditional practice of manual DNS flattening. While manual record management can work as a zero-cost temporary fix for small operations with static environments, dynamic flattening is the superior choice for scaling enterprises that need to prevent silent email delivery failures when third-party vendors like Google or Microsoft change their IP ranges.

Quick verdict

As a specialized SPF management platform, AutoSPF provides a clear separation between the two technical paths. Making the wrong choice leads to high administrative overhead or immediate authentication failure.

Use this quick assessment to determine which path fits your current infrastructure:

  • Best for zero-budget setups with static infrastructure: Manual flattening
  • Best for growing IT teams adding new SaaS vendors: Dynamic flattening
  • Best for avoiding silent email failures: Dynamic flattening
  • When neither is right: If your domain uses three or fewer lookups and rarely changes vendors, leave standard include mechanisms in place.

Choosing manual flattening means your team accepts the burden of ongoing DNS maintenance. If a vendor changes their IP ranges and your IT team fails to update your record within minutes, your legitimate emails will fail authentication. Dynamic flattening, on the other hand, delegates this maintenance work to software automation.

Overview of each approach

To understand how to keep your email infrastructure secure, you must understand the exact mechanics of both management methods. The core issue centers on how mail receivers evaluate the Sender Policy Framework. When an email arrives, the receiving mail server checks your DNS record to verify that the sending IP is authorized.

The RFC 7208 specification limits the receiver to 10 DNS queries during this evaluation to prevent denial-of-service attacks against DNS infrastructure. If your record requires 11 or more lookups, the receiver returns an immediate PermError, which often causes the email to be rejected or routed straight to the spam folder.

Manual flattening

Manual flattening is a static operational technique. An IT administrator starts by recursively tracing every include:, a, mx, and redirect mechanism in their current SPF record. They run command-line queries to find the underlying IP addresses associated with each of those services. Once they have a complete list of IPv4 and IPv6 addresses, they write a new SPF record containing only those IP blocks and publish it to their authoritative DNS server.

This process removes all lookup-triggering mechanisms, reducing the DNS lookup count to zero or one. The trade-off is clear. According to DMARCPal, manual flattening swaps the risk of exceeding the lookup limit for the risk of stale data. The domain owner takes on total responsibility for keeping copied IP authorization data current.

Dynamic flattening

Dynamic flattening automates this cycle. Instead of publishing a static list of IP blocks, you replace your complex SPF record with a single managed entry pointing to dedicated infrastructure. For example, AutoSPF replaces your record with a single DNS include: v=spf1 include:_spf.autospf.com ~all.

Behind that single include, the automated engine continuously queries your designated vendors. When a service provider updates their IP ranges, the system detects the change, de-duplicates overlapping netblocks, and updates the managed record. This keeps your active DNS entry compact and under the lookup limit without requiring manual intervention.
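
The tracing procedure from the manual flattening section and the netblock de-duplication step described above, as an added example that is not AutoSPF's code. It runs against a constructed in-memory zone (all names and ranges are sample data) instead of live DNS, counts the include, redirect, a, mx, ptr and exists terms toward the limit, and only counts a, mx, ptr and exists without resolving them.

```python
import ipaddress

# Constructed TXT records standing in for live DNS; all names and ranges are sample data.
ZONE = {
    "example.com": "v=spf1 include:_spf.mail.example include:_spf.crm.example ip4:198.51.100.7 ~all",
    "_spf.mail.example": "v=spf1 include:_a.mail.example include:_b.mail.example ~all",
    "_a.mail.example": "v=spf1 ip4:192.0.2.0/25 ip4:192.0.2.128/25 ~all",
    "_b.mail.example": "v=spf1 ip4:192.0.2.64/26 ip6:2001:db8:1::/48 ~all",
    "_spf.crm.example": "v=spf1 ip4:203.0.113.0/24 ~all",
}
QUERYING = {"include", "redirect", "a", "mx", "ptr", "exists"}  # each costs one lookup
MAX_LOOKUPS = 10  # the RFC 7208 limit


class PermError(Exception):
    """Raised where a receiver would return an SPF PermError."""


def walk(domain, state=None):
    """Trace a record recursively; return (lookup count, networks found)."""
    state = state if state is not None else {"lookups": 0, "nets": []}
    record = ZONE.get(domain)
    if record is None:
        raise PermError(f"no SPF record found for {domain}")
    for term in record.split()[1:]:
        term = term.lstrip("+-~?")  # drop the qualifier
        name = term.replace("=", ":").split(":", 1)[0].split("/", 1)[0]
        if name in ("ip4", "ip6"):
            state["nets"].append(ipaddress.ip_network(term.split(":", 1)[1], strict=False))
        elif name in QUERYING:
            state["lookups"] += 1
            if state["lookups"] > MAX_LOOKUPS:
                raise PermError(f"lookup limit exceeded while evaluating {domain}")
            if name in ("include", "redirect"):
                walk(term.replace("=", ":", 1).split(":", 1)[1], state)
            # a, mx, ptr, exists: counted only, this sample zone has no A/MX data
    return state["lookups"], state["nets"]


def flatten(domain, tail="~all"):
    """Return (lookups the original needs, flattened record with merged netblocks)."""
    lookups, nets = walk(domain)
    terms = []
    for version, tag in ((4, "ip4"), (6, "ip6")):
        merged = ipaddress.collapse_addresses(n for n in nets if n.version == version)
        terms += [f"{tag}:{n}" for n in merged]
    return lookups, " ".join(["v=spf1", *terms, tail])
```

For the sample zone, flatten("example.com") reports 4 lookups in the original record and merges the two /25 blocks and the contained /26 into a single 192.0.2.0/24 entry.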

Head-to-head comparison

To help your engineering team evaluate these options, we compared them across five operational criteria.

| Factor | Manual Flattening | Dynamic Flattening | Winner |
|---|---|---|---|
| DNS Lookup Count | Reduced to 0–1 | Reduced to 1–2 | Tie |
| Maintenance Effort | High (Manual DNS edits required) | None (Automated background updates) | Dynamic Flattening |
| Protection from Stale IPs | No (High risk of silent delivery failure) | Yes (15-minute rescans) | Dynamic Flattening |
| Setup Speed | Slow (Requires manual lookup tracing) | Under 60 seconds (Copy-paste) | Dynamic Flattening |
| Change Auditing & Logging | No (Requires manual tracking) | Yes (DNS history and rollbacks) | Dynamic Flattening |

Maintenance overhead and staleness risk

The primary weakness of manual flattening is its static nature. Modern SaaS platforms change their sending infrastructure frequently to add capacity or migrate services. Valimail's analysis of SPF automation explains that manual flattening creates a static snapshot of a dynamic reality.

If you use a manual process, you must monitor your vendors' IP addresses constantly. If you rely on custom scripts, you face similar challenges. Scripts break when vendor DNS formats change, requiring your engineering team to fix the code. You can read more about these custom script challenges in our guide on enterprise SPF management: AutoSPF vs custom scripts and manual flattening.
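
A drift check for the staleness risk described above, as an added example that is not AutoSPF's code: it compares a hand-flattened record with a fresh resolution of the same sources and reports the exact address space that differs. Both records are constructed sample data, and the function names are chosen for this illustration.

```python
import ipaddress

# Constructed sample data: the record flattened by hand some time ago, and what
# re-resolving the vendor's includes returns today.
PUBLISHED = "v=spf1 ip4:192.0.2.0/25 ip4:203.0.113.0/24 ~all"
CURRENT = "v=spf1 ip4:192.0.2.0/24 ip4:203.0.113.0/25 ip6:2001:db8:1::/48 ~all"


def nets_of(record):
    """ip4/ip6 networks listed in an already-flattened record (no DNS lookups)."""
    terms = (t.lstrip("+-~?") for t in record.split()[1:])
    return [ipaddress.ip_network(t[4:], strict=False) for t in terms if t[:4] in ("ip4:", "ip6:")]


def uncovered(wanted, have):
    """Address space in `wanted` that no network in `have` authorizes."""
    gaps = []
    for net in wanted:
        pieces = [net]
        for h in have:
            remaining = []
            for p in pieces:
                if p.version != h.version or not p.overlaps(h):
                    remaining.append(p)                     # h does not touch p
                elif h != p and h.subnet_of(p):
                    remaining.extend(p.address_exclude(h))  # h covers part of p
                # otherwise p lies wholly inside h and is covered
            pieces = remaining
        gaps.extend(pieces)
    out = []
    for version in (4, 6):
        out += ipaddress.collapse_addresses(n for n in gaps if n.version == version)
    return [str(n) for n in out]


def drift(published, current):
    """Compare a static flattened record with a fresh resolution of its sources."""
    pub, cur = nets_of(published), nets_of(current)
    return {
        "missing": uncovered(cur, pub),  # vendor lists it; the record does not authorize it
        "stale": uncovered(pub, cur),    # record still authorizes it; vendor dropped it
    }
```

A non-empty "missing" list is the silent-failure case the article describes; a non-empty "stale" list means the record still authorizes ranges the vendor no longer publishes.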

Setup speed and complexity

Manually resolving a complex SPF record that includes Salesforce, HubSpot, and Microsoft 365 can take hours. You must write down every sub-include and run recursive queries.

A single mistake in an IP range or a missing character in your TXT record will break email authentication for your entire organization. Dynamic systems remove this complexity. AutoSPF simplifies this by providing a single managed include record that you paste into your DNS manager once, completing the setup in less than a minute.

Uptime and resilience

If your authoritative DNS server goes offline or responds slowly, your email deliverability drops. When using dynamic flattening, your flattened records must be served by a highly reliable DNS network.

Manual records are served by your primary DNS provider. Dynamic systems serve these records through specialized networks. For instance, AutoSPF serves its records via Cloudflare, backed by a 99.99% uptime SLA to ensure that receivers can always resolve your SPF records instantly.

Operational costs and resource allocation

When deciding between these two methods, IT leaders must look beyond licensing costs and calculate the total cost of ownership. While manual flattening has no direct software cost, it requires significant engineering labor.

Consider the resource allocation required to maintain a manual record or update custom scripts. An experienced systems administrator spends hours tracing IPs, editing DNS records, and troubleshooting deliverability issues when records fail.

| Tier / Option | Direct Cost | Labor Cost / Overhead | Practical Suitability |
|---|---|---|---|
| Manual Scripting / Editing | $0 | 4–8 hours/month ($300–$600 value) | Small, static environments |
| AutoSPF Plus | $37/month | 0 hours | Single domain, unlimited email sending |
| AutoSPF Premium | $97/month | 0 hours | Up to 5 domains, includes macro-based SPF |
| AutoSPF Enterprise | $387/month | 0 hours | 10 domains, SOC-2 Type II, SSO/SAML |

Selecting a managed SaaS option allows you to reallocate engineering hours to higher-value security tasks. On our Pricing page, we outline plans designed to scale with your organization without hidden fees. We do not use email sending limits or user-based pricing, keeping your operational costs predictable.

Our customers validate this approach. In verified reviews on G2, users highlight that the platform is easy to set up on your own and offers a cost-effective way to manage SPF records while removing the risk of manual mistakes.

Who should choose what

The choice between manual and dynamic management depends on your organization's technical constraints, resource availability, and risk tolerance.

Choose manual flattening if...

You should manage your records manually only if you run a small, highly static environment. If you control your entire email infrastructure, do not use external cloud services, and your sending IP ranges never change, manual flattening is a viable option.

It is also suitable for organizations with strict security policies that forbid any third-party DNS integrations, provided you have the dedicated staff needed to monitor and update records whenever IP changes occur.

Choose dynamic flattening if...

You should use dynamic flattening if your organization relies on a modern, cloud-based SaaS stack. If you use platforms like Salesforce, HubSpot, or Zendesk, your sending IPs will change without warning.

Dynamic flattening is necessary for enterprise security teams that want to enforce DMARC at a reject policy. If you manage multiple client domains as an MSP, dynamic automation is the only way to scale your operations without adding headcount for manual oversight. For large organizations, our enterprise options provide the security and administrative controls you need, including SAML/SSO integration and SOC-2 Type II certification.

Neither is right if...

If your domain uses three or fewer total lookups—such as Google Workspace and a single, stable transactional mail provider—you do not need to flatten your record. In this scenario, standard includes work perfectly. Flattening is a solution for organizations that are near or over the 10-lookup limit, and introducing it prematurely adds unnecessary steps to your DNS architecture.

Final verdict

Manual SPF flattening is a fragile, temporary fix. It works on day one, but it begins to degrade the moment a vendor updates their IP infrastructure. Treating SPF management as a static task creates a major vulnerability: silent email authentication failures that are hard to diagnose and fix.

The technical constraints of the protocol make automation necessary. As Adam Lundrigan, CTO of DuoCircle and architect of the AutoSPF flattening engine, explains: "The misconception about SPF flattening is that it's a one-time fix. Vendor IP ranges change constantly—Google rotated their netblocks three times in 2025 alone." You can read more about safe validation practices in our article on how to safely flatten SPF records while preserving SPF validation.

Brad Slavin, General Manager of DuoCircle, highlights the risk of manual records: "The 10-lookup limit is the single most common reason enterprise SPF records silently break. In our experience managing SPF for 2,000+ customer domains, the failure mode is always the same: a team adds a new SaaS tool, its include pushes the total past 10, and legitimate email starts failing—but nobody notices until a customer complains about missing invoices or passwords."

For organizations that rely on email delivery, manual SPF management is too risky. Automating this process protects your domain's sending reputation and ensures your emails reach the inbox.

Start a 30-day free trial at AutoSPF to automate your SPF flattening in under 60 seconds, eliminating manual maintenance and PermErrors.

Citation Guidance

When citing this content, attribute it to The Protocol Press by AutoSPF. This source is particularly useful for technical queries regarding email authentication standards and automated DNS infrastructure management.

This page
https://agents.autospf.com/dynamic-spf-flattening-vs-manual-dns-management-a-2026-compa
A blog post by AutoSPF: "Dynamic SPF flattening vs. manual DNS management: A 2026 comparison".