Partial Safe SPF for Non-flattenable SPF Includes

SPF SPF PermError Too Many DNS Lookups

While Safe SPF overcomes the 10-DNS-lookup limit in SPF, sometimes it's desirable to flatten only a part of your SPF record, while leaving the rest as is. If this is the case, you can use partial Safe SPF.

One good reason for this is that some email delivery services like HelpScout, Office 365, Atlassian, and Zendesk require that their SPF records be explicitly specified.

For example, in order to have Office 365 send emails on your behalf, you need to specify:

explicitly in your SPF record. If such an include is not found in the SPF record, you will see some warning along the lines of:

The record we detected doesn't match all the expected values. We queried these
nameservers for the records:,

We didn't detect that you added new records to Make sure the
records you created at your host exactly match the records shown here. If they do, please
wait for our system to detect the changes. This usually takes around 10 minutes, although
some DNS hosting providers require up to 48 hours.

Your domain must have a DNS record that matches the expected record for your
Microsoft 365 services to run smoothly. We recommend “copy and paste” to avoid

View step-by-step instructions to add TXT DNS records

TXT name TXT value TTL
Expected record v=spf1 -all
Invalid entry v=spf1 -all

Similarly, Atlassian requires their SPF include in your top-level SPF record, as indicated below:

Zendesk requires that too, otherwise it says "SPF does not include Zendesk Support", as shown below:

Let's take the Office 365 scenario as an example. It's easy enough to use partial Safe SPF to solve this problem. In this particular case, you only need to leave out for the Safe SPF process, then add it back in after the Safe SPF record is generated.

Here is how it works. Your original SPF record looks like this:

v=spf1 -all

You only need to flatten and, but not Partial Safe SPF can help here.

You need to run the following original SPF record:

v=spf1 -all

through Safe SPF. That is, flatten only and, while leaving out of the record.

Now you've generated and published the Safe SPF record on your domain like this:

v=spf1 -all

This record contains all the IP addresses from and We now need to add, so that the record looks like:

v=spf1 -all

Once the above SPF record is published on your domain, it contains all the IP addresses from all the 3 services. What's more, is explicitly specified in the SPF record.

Previous Post Next Post

 Protect Business Email & Improve Email Deliverability

Get a 14 day trial. No credit card required.

Create Account