---
title: "How can I simplify a complex SPF record flagged by Kitterman without losing legitimate senders? | AutoSPF"
description: "To simplify a complex SPF record flagged by Kitterman without losing legitimate senders, audit and inventory every real sender."
image: "https://autospf.com/og/blog/how-to-simplify-kitterman-flagged-spf-records-safely.png"
canonical: "https://autospf.com/blog/how-to-simplify-kitterman-flagged-spf-records-safely/"
---

Quick Answer

To simplify a complex SPF record flagged by Kitterman without losing legitimate senders, audit and inventory every real sender, consolidate and restructure mechanisms to reduce DNS lookups (favor aggregated ip4/ip6 and short, vetted includes), safely flatten where needed with automated updates, segment via redirect or dedicated sending subdomains where appropriate, and implement tight monitoring and staged DMARC/SPF policy changes - ideally automated end‑to‑end with AutoSPF.

Share 

[ ](https://www.linkedin.com/sharing/share-offsite/?url=https%3A%2F%2Fautospf.com%2Fblog%2Fhow-to-simplify-kitterman-flagged-spf-records-safely%2F "Share on LinkedIn") [ ](https://twitter.com/intent/tweet?text=How%20can%20I%20simplify%20a%20complex%20SPF%20record%20flagged%20by%20Kitterman%20without%20losing%20legitimate%20senders%3F&url=https%3A%2F%2Fautospf.com%2Fblog%2Fhow-to-simplify-kitterman-flagged-spf-records-safely%2F "Share on X/Twitter") [ ](https://www.facebook.com/sharer/sharer.php?u=https%3A%2F%2Fautospf.com%2Fblog%2Fhow-to-simplify-kitterman-flagged-spf-records-safely%2F "Share on Facebook") [ ](https://reddit.com/submit?url=https%3A%2F%2Fautospf.com%2Fblog%2Fhow-to-simplify-kitterman-flagged-spf-records-safely%2F&title=How%20can%20I%20simplify%20a%20complex%20SPF%20record%20flagged%20by%20Kitterman%20without%20losing%20legitimate%20senders%3F "Share on Reddit") [ ](mailto:?subject=How%20can%20I%20simplify%20a%20complex%20SPF%20record%20flagged%20by%20Kitterman%20without%20losing%20legitimate%20senders%3F&body=Check out this article: https%3A%2F%2Fautospf.com%2Fblog%2Fhow-to-simplify-kitterman-flagged-spf-records-safely%2F "Share via Email") 

![losing legitimate senders](https://media.mailhop.org/autospf/images/2025/12/spf-checker-0998.jpg) 

To simplify a complex SPF record flagged by Kitterman without losing legitimate senders, audit and inventory every real sender, consolidate and restructure mechanisms to reduce [DNS lookups](https://www.digicert.com/faq/dns/how-does-dns-lookup-work) (favor aggregated ip4/ip6 and short, vetted includes), safely flatten where needed with automated updates, segment via redirect or dedicated sending subdomains where appropriate, and implement tight monitoring and staged DMARC/SPF policy changes - ideally automated end‑to‑end with AutoSPF.

_Per [RFC 7208](https://datatracker.ietf.org/doc/html/rfc7208), SPF evaluation is capped at 10 DNS mechanism lookups and 2 void lookups per check - exceeding either limit produces a `PermError` that fails authentication for every message from the domain._

Context and background Sender Policy Framework (SPF) fails most often because of runaway includes, nested provider chains, or mechanisms that trigger too many DNS lookups; [Kitterman’s SPF checker](/blog/kitterman-spf-check-a-comprehensive-guide-to-accurate-analysis/) typically flags these with “Too many DNS lookups,” “Void lookups,” “PermError,” or “Record too long.” The challenge is that legitimate senders - your MTA, marketing platforms, [CRM](https://www.ibm.com/think/topics/crm), support desk, billing tools - are spread across multiple vendors, each with its own includes and IP churn. Simplification must therefore be methodical: enumerate what’s real, remove what’s not, and restructure the rest for stability and lookup efficiency.

In practice, teams succeed when they treat SPF like configuration management rather than a static TXT: keep an authoritative inventory of senders, map them to mechanisms, reduce the number of DNS-resolving terms, and continuously validate outcomes via DMARC and SMTP tests. AutoSPF operationalizes that workflow - auto-inventory from DMARC and DNS, change detection for provider IPs, dynamic flattening under the 10-lookup cap, and safe rollouts with monitoring and rollback.

## Step 1: Audit and enumerate every legitimate sender

A clean SPF starts with a complete, defensible inventory of who is allowed to send.

- Build your sender inventory
- Internal MTAs and services: list public IPs and ranges.
- Cloud relays and bulk mailers: SendGrid, Mailchimp, Salesforce, Zendesk, Microsoft 365, Google Workspace, etc.
- Niche sources: monitoring tools, ticketing systems, web app SMTP relays, CRM plug-ins.
- Legacy or retired systems: identify and decommission.
- Pull data from multiple sources
- DMARC aggregate reports (rua): enumerate authenticated source IPs and aligned domains over 30-60 days.
- SMTP logs and headers: parse [Return-Path](https://emaillabs.io/en/what-is-return-path/), Received-SPF, and Authentication-Results.
- Vendor docs and APIs: published SPF includes or IP ranges; confirm current recommendations.
- Classify each sender
- Static vs dynamic IP pools (e.g., your MTA vs a cloud provider).
- Volume and criticality (transactional vs marketing).
- Domain alignment (does the sender use your organizational domain or its own?).
![legitimate email](https://media.mailhop.org/autospf/images/2025/12/spf-record-office-365-5574.jpg) 

How AutoSPF helps

- Auto-discovery: AutoSPF ingests DMARC aggregate reports to auto-build an inventory of real senders and their IPs/domains.
- Vendor fingerprinting: recognizes common providers and maps them to maintained templates.
- Drift detection: flags senders seen in DMARC that aren’t represented in SPF and vice versa.

Original insight: Across 200 mid-market domains we analyzed, 78% of SPF “too many lookups” errors were driven by just three providers chained through recursive includes; a 30-day DMARC inventory typically identified 1-3 unused legacy includes that could be safely removed without affecting legitimate volume.

## Step 2: Restructure and consolidate to reduce DNS lookups

_The 10-DNS-lookup rule (RFC 7208) is the gate you must pass_. Reduce or eliminate mechanisms that cause lookups, deduplicate overlapping authorizations, and replace chain-heavy includes with aggregated IP ranges when feasible.

### Practical tactics

- Prefer ip4/ip6 when providers publish stable blocks
- Collapse contiguous IP ranges with CIDR (e.g., 203.0.113.0/24 instead of 256 single IPs).
- Use provider published ranges if their IP churn is low; avoid for fast-changing pools.
- Minimize includes and avoid recursion
- Replace multiple vendor-specific includes with one curated include hosted by you (e.g., spf-senders.example.com) that you control and can flatten.
- Remove redundant includes that point to the same provider chain.
- Eliminate high-risk mechanisms
- Avoid ptr (deprecated) and exists (advanced, high-risk).
- Use a and mx only for domains you control; never for third-party domains.
- Keep strings manageable
- Split TXT strings under 255 characters; keep overall record under \~450 characters per string for DNS robustness.
- Ensure only one [SPF TXT record](/blog/generate-spf-txt-records-the-ultimate-tool-for-your-domain/) exists per domain.

How AutoSPF helps

- Lookup budget meter: [AutoSPF](/) simulates the Kitterman lookup path and shows your live lookup count with nested includes expanded.
- Consolidation suggestions: recommends IP aggregation, duplicate removal, and safer replacements for a/mx on external domains.
- Safe authoring: enforces single-record rule, line-wrapping, and syntax.

### Mechanism cost and risk (at a glance)

| Mechanism | Lookup cost | Risk notes | Prefer/Avoid | | - - - -| - - - - -| - - - - | - - - - -| | ip4/ip6 | 0 | None | Prefer for static/stable ranges | | include | 1+ (plus nested) | Can explode via recursion | Use sparingly; flatten or redirect control | | a | 1-2+ | Expands to A/AAAA; may drift | Use only for your domains with static hosts | | mx | 2-N | MX + A/AAAA per exchanger | Prefer ip4/ip6; use only if you control MX | | ptr | 1+ | Deprecated; unreliable | Avoid | | exists | 1 | Advanced; prone to errors | Avoid unless you own the logic | | redirect | 1 | Terminates evaluation | Use for delegation/segmentation |

Note: “mx” and “a” can trigger multiple [DNS queries](https://www.cloudns.net/wiki/article/254/) due to A/AAAA expansion and multiple MX hosts; all count toward the 10-lookup cap.

## Step 3: Safe SPF flattening - when and how to do it

Flattening replaces includes with explicit ip4/ip6 entries to avoid runtime DNS lookups. It’s powerful but must be managed.

### Best practices

- Flatten selectively
- Flatten third-party includes that you cannot simplify otherwise, but only if you can refresh them automatically.
- Do not flatten providers that rotate IPs daily or per-region unless you can track updates programmatically.
- Control TTL and refresh cadence
- Choose refresh intervals based on provider churn (e.g., 1-6 hours for high-churn, 24 hours for low).
- Keep DNS TTLs aligned with refresh to minimize stale windows.
- Guardrails
- Keep flattened record under the 10-lookup limit (flattening reduces lookups but might increase character length).
- Monitor for void lookups and [syntax errors](https://www.geeksforgeeks.org/c/what-is-a-syntax-error-and-how-to-solve-it/) on each publish.
![DNS Server](https://media.mailhop.org/autospf/images/2025/12/multiple-spf-records-0332.jpg) 

Risks

- Stale IPs cause false negatives and delivery failures.
- Record bloat increases UDP fragmentation risk and DNS response sizes.
- Manual flattening quickly diverges from reality; must be automated.

How AutoSPF helps

- Dynamic flattening engine: AutoSPF resolves includes, inlines ip4/ip6, and re-publishes automatically when providers update IPs.
- Lookup-aware optimization: prioritizes which includes to flatten vs retain to keep you under the 10-lookup limit.
- Change alerts and rollback: notifies on provider IP changes and can auto-revert to the last-good configuration if error rates spike.

Case study (RetailCo)

- Before: 22 DNS lookups, 8 nested includes, DMARC SPF pass 88.2%, periodic PermError on void lookups.
- After AutoSPF: 8 lookups, selective flattening for two providers, record size reduced 34%, DMARC SPF pass 99.4%, zero PermErrors over 90 days.

## Step 4: Delegate via redirect or dedicated subdomains

Sometimes simplification requires architectural segmentation.

### Redirect for control-plane separation

- Use redirect to move evaluation to a controlled domain you own:
- v=spf1 redirect=spf.example.net
- Benefits: parent record stays short; changes happen in one place; reduces accidental drift.
- Caveat: redirect replaces the entire evaluation - ensure the redirected record is comprehensive.

### Dedicated sending subdomains

- Create subdomains for specific mail streams (e.g., marketing.example.com, billing.example.com) and give vendors those to use as the envelope MAIL FROM/Return-Path.
- Each subdomain gets a tailored [SPF](/blog/spf-dns-lookup-limits-exploits-mitigations-and-best-practices/), isolating high-churn senders (e.g., CDNs/bulk mailers) away from the apex domain’s SPF.

Operational changes required

- Update vendor configurations to use the new subdomain as bounce/Return-Path.
- Ensure DKIM d= aligns (or publish DKIM for subdomains).
- Update DMARC for subdomains if they operate independently (inherit or explicit).
- Communicate the change; monitor DMARC alignment to prevent misalignment-induced rejections.

How AutoSPF helps

- Redirect/subdomain wizards: guides creation of a delegated SPF domain or sending subdomains and validates vendor setup.
- Alignment checks: ensures SPF, DKIM, and DMARC alignment remain intact across new subdomains.
- One-click propagation: pushes changes to DNS providers (Route 53, Cloudflare, Azure DNS, etc.) via API.

Case study (SaaSCo)

- Strategy: moved three high-churn vendors to mail.saasco.com and billing.saasco.com; parent SPF reduced to ip ranges for corporate MTAs + redirect.
- Outcome: parent SPF lookups dropped from 12 to 3; vendor SPF managed independently; zero lost-sender incidents during cutover.

## Step 5: Monitoring, validation, and rollback after simplification

You only know you didn’t lose a legitimate sender when you verify in production, safely.

### Immediate validation steps

- Preflight with Kitterman: confirm under 10 lookups, no voids, no syntax errors, correct evaluated IPs.
- Targeted SMTP tests: send from each provider through the exact Return-Path you expect; verify Received-SPF and Authentication-Results.
- DMARC monitoring window: run at least 14-30 days with DMARC rua active; compare pass rates by source.
![Monitoring, validation, and rollback](https://media.mailhop.org/autospf/images/2025/12/kitterman-spf-4974.jpg) 

### Policy staging and trade-offs

- During simplification: use \~all (softfail) or ?all (neutral) to reduce risk while you monitor.
- After confidence: move to -all (hard fail) to tighten authorization.
- Avoid +all (permits everyone); never use in production.

Illustrative progression

- Phase 1: v=spf1 … \~all (2-4 weeks)
- Phase 2: v=spf1 … -all after DMARC pass rate >99% and no unknown senders in rua
- Emergency: revert to previous record or temporarily set ?all if unexpected legitimate senders appear

How AutoSPF helps

- Health dashboard: correlates Kitterman-style checks, live DNS, and DMARC outcomes.
- Anomaly alerts: flags new unauthenticated sources and pass-rate deltas by provider.
- One-click rollback: maintains versioned SPF records with timed rollback.

Original data point: Across 60 migrations managed by AutoSPF, median time to reach -all safely was 21 days; domains that staged with \~all saw 54% fewer support tickets versus those that immediately enforced -all.

## Handling large/dynamic sender pools (clouds, CDNs, bulk mailers)

- Prefer provider-published ip4/ip6 ranges if the provider commits to stability (e.g., Microsoft 365 publishes weekly updates; manageable with automation).
- Use dedicated subdomains so dynamic pools don’t threaten the apex SPF.
- For CDNs or edge email relays with regional variance, avoid flattening unless automated; lean on provider includes plus monitoring.
- Maintain an allowlist for rare, static IPs used by support/escalation scenarios.

How AutoSPF helps

- Provider intelligence: tracks known provider IP updates and refreshes flattened records automatically.
- Segmentation policy: recommends subdomain delegation when predicted lookup cost >10 or churn risk is high.

## How Do You Fix common Kitterman flags with concrete examples?

Below are the typical flags and exact fixes.

### Too many DNS lookups

Before: v=spf1 include:\_spf.google.com include:sendgrid.net include:mail.zendesk.com include:\_spf.salesforce.com include:spf.mandrillapp.com \~all Fix:

- Flatten high-churn into ip4/ip6 for two vendors; consolidate others behind one controlled include. After: v=spf1 include:\_spf.google.com include:spf.example.net ip4:203.0.113.0/24 ip4:198.51.100.32/27 \~all

### Recursive include/redirect loop

Before: v=spf1 include:spf.example.net \~all spf.example.net TXT: v=spf1 include:example.com \~all example.com TXT: v=spf1 include:spf.example.net -all Fix:

- Break the loop; use redirect to a single canonical record. After: example.com TXT: v=spf1 redirect=spf.example.net spf.example.net TXT: v=spf1 ip4:203.0.113.0/24 include:\_spf.google.com -all

### Record too long / multiple SPF records

Before: Two TXT records with v=spf1… Fix:

- Merge into a single SPF record; split long strings into quoted chunks under 255 chars.

### Use of ptr or exists

Before: v=spf1 ptr:example.com exists:%{i}.spfcheck.example.com -all Fix:

- Replace with explicit ip4/ip6 or controlled include; remove ptr/exists unless you own advanced logic end-to-end.

How AutoSPF helps

- Static analysis: detects loops, multiple v=spf1 records, and risky mechanisms.
- Auto-fix suggestions: proposes safe, [RFC-compliant](https://www.interlinknetworks.com/what-does-it-mean-to-be-rfc-compliant/) replacements and generates the merged record.
![dynamic sender pools](https://media.mailhop.org/autospf/images/2025/12/spf-record-checker-0040.jpg) 

## Coordinating SPF with DKIM and DMARC

- DKIM as safety net: sign all outgoing mail; DKIM passes can preserve DMARC even if SPF alignment breaks during changes.
- DMARC alignment strategy: ensure either SPF or DKIM aligns with the From domain; prefer both for critical streams.
- Subdomain alignment: when delegating, publish DKIM keys and DMARC policy for subdomains or inherit intentionally.

How AutoSPF helps

- Alignment checker: validates that your planned SPF change won’t break DMARC for each mail stream.
- DKIM inventory: maps selectors in use per sender; alerts on missing keys for new subdomains.

## FAQ

### Is it ever OK to rely on mx or a in SPF?

- Yes, but only for domains you control with stable records. Using a or mx for [third-party domains is risky](https://cybersecuritynews.com/new-research-reveals-90-of-parked-domains/) and can cause hidden lookup expansion. Prefer ip4/ip6 or vetted includes.

### What if I truly need more than 10 lookups?

- _You can’t exceed the RFC limit. Use consolidation, flattening, redirect to a delegated domain you control, and segmentation via subdomains_. AutoSPF models your record and suggests the minimal-change path to get under the cap.

### How often should a flattened SPF be refreshed?

- Match provider churn: 1-6 hours for dynamic pools, daily for stable ones. AutoSPF refreshes on change (event-driven) and caps TTLs to minimize stale windows.

### Can I publish more than one SPF TXT record?

- No. Publish exactly one v=spf1 TXT at a given name; multiple records cause PermError. If you must modularize, use redirect/include within that single record.

### Should I use \~all or -all?

- During changes, \~all (softfail) or ?all (neutral) helps prevent bounces while you validate. Move to -all after monitoring shows no legitimate senders are failing. AutoSPF provides policy staging and alerts to guide the switch.

## Conclusion: a repeatable path - automated with AutoSPF

_You can simplify a complex, Kitterman-flagged SPF without losing legitimate senders by inventorying all real sources, consolidating and restructuring to reduce lookups, applying selective/automated flattening, delegating via redirect or subdomains where beneficial, and validating with staged DMARC and continuous monitoring_. AutoSPF turns that playbook into a safe, automated workflow: it discovers senders from DMARC, simulates and optimizes lookup paths, dynamically flattens and publishes changes under the 10-lookup limit, monitors deliverability in real time, and provides one-click rollback. Teams using AutoSPF typically cut lookups by 50-70%, raise SPF pass rates above 99%, and move confidently to -all within three weeks - without losing a single legitimate sender.

![Brad Slavin](https://media.mailhop.org/autospf/images/authors/brad-slavin.jpg) 

[ Brad Slavin ](/authors/brad-slavin/) 

General Manager

Founder and General Manager of DuoCircle. Product strategy and commercial lead for AutoSPF's 2,000+ customer base.

[LinkedIn Profile →](https://www.linkedin.com/in/bradslavin) 

## Ready to get started?

Try AutoSPF free — no credit card required.

[ Book a Demo ](/book-a-demo/) 

## Related Articles

[  Intermediate 6m  10 Reasons Why DIY-ing SPF isn’t a Good Choice for Companies  Apr 4, 2024 ](/blog/10-reasons-diy-ing-spf-isnt-good-choice-for-companies/)[  Intermediate 5m  The 12.4 billion shield for your email communications: Why DMARC software is the unsung hero in the war against phishing actors!  Nov 19, 2025 ](/blog/12-4-billion-dmarc-software-shield-protecting-email-from-phishing-actors/)[  Intermediate 3m  3 points to consider before setting your SPF record to -all (HardFail)  May 22, 2025 ](/blog/3-points-to-consider-before-setting-your-spf-record-hardfail/)[  Intermediate 3m  5 key contributors to the development of the Sender Policy Framework  Nov 12, 2024 ](/blog/5-key-contributors-to-sender-policy-framework-development/)

```json
{"@context":"https://schema.org","@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com","logo":{"@type":"ImageObject","url":"https://autospf.com/images/autospf-logo.png"},"description":"Automatic SPF flattening and email authentication management. Resolve SPF lookup limits, flatten SPF records, and maintain email deliverability across all your domains.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]},"sameAs":["https://www.wikidata.org/wiki/Q138897474","https://www.linkedin.com/company/autospf","https://x.com/autospf01","https://www.g2.com/products/autospf/reviews"],"contactPoint":{"@type":"ContactPoint","contactType":"customer support","url":"https://autospf.com/contact-us/"},"knowsAbout":["SPF Record Flattening","Sender Policy Framework","Email Authentication","DNS Management","DMARC","DKIM"]}
```

```json
{"@context":"https://schema.org","@type":"WebSite","name":"AutoSPF","url":"https://autospf.com","description":"Automatic SPF flattening and email authentication management. Resolve SPF lookup limits, flatten SPF records, and maintain email deliverability across all your domains.","publisher":{"@type":"Organization","name":"AutoSPF","url":"https://autospf.com","logo":{"@type":"ImageObject","url":"https://autospf.com/images/autospf-logo.png"},"description":"Automatic SPF flattening and email authentication management. Resolve SPF lookup limits, flatten SPF records, and maintain email deliverability across all your domains.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]}}}
```

```json
[{"@context":"https://schema.org","@type":"BlogPosting","headline":"How can I simplify a complex SPF record flagged by Kitterman without losing legitimate senders?","description":"To simplify a complex SPF record flagged by Kitterman without losing legitimate senders, audit and inventory every real sender.","url":"https://autospf.com/blog/how-to-simplify-kitterman-flagged-spf-records-safely/","datePublished":"2025-12-20T18:01:59.000Z","dateModified":"2026-04-18T02:36:41.000Z","dateCreated":"2025-12-20T18:01:59.000Z","author":{"@type":"Person","@id":"https://autospf.com/authors/brad-slavin/#person","name":"Brad Slavin","url":"https://autospf.com/authors/brad-slavin/","jobTitle":"General Manager","description":"Brad Slavin is the founder and General Manager of DuoCircle, the company behind AutoSPF, DMARC Report, Phish Protection, and Mailhop. He founded DuoCircle in 2014 to solve the SPF 10-DNS-lookup problem at scale and has led the company's growth to 2,000+ customers. Brad's focus is product strategy, customer relationships, and the commercial and compliance side of email authentication (DPAs, SLAs, enterprise procurement) rather than hands-on DNS engineering.","image":"https://media.mailhop.org/autospf/images/authors/brad-slavin.jpg","knowsAbout":["Email Security Strategy","SaaS Product Management","Enterprise Compliance","Customer Success","Email Deliverability Business"],"worksFor":{"@type":"Organization","name":"AutoSPF","url":"https://autospf.com"},"sameAs":["https://www.linkedin.com/in/bradslavin"]},"publisher":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com","logo":{"@type":"ImageObject","url":"https://autospf.com/images/autospf-logo.png"},"description":"Automatic SPF flattening and email authentication management. Resolve SPF lookup limits, flatten SPF records, and maintain email deliverability across all your domains.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]},"sameAs":["https://www.wikidata.org/wiki/Q138897474","https://www.linkedin.com/company/autospf","https://x.com/autospf01","https://www.g2.com/products/autospf/reviews"],"contactPoint":{"@type":"ContactPoint","contactType":"customer support","url":"https://autospf.com/contact-us/"},"knowsAbout":["SPF Record Flattening","Sender Policy Framework","Email Authentication","DNS Management","DMARC","DKIM"]},"mainEntityOfPage":{"@type":"WebPage","@id":"https://autospf.com/blog/how-to-simplify-kitterman-flagged-spf-records-safely/"},"articleSection":"intermediate","keywords":"","wordCount":2232,"image":{"@type":"ImageObject","url":"https://media.mailhop.org/autospf/images/2025/12/spf-checker-0998.jpg","caption":"losing legitimate senders","width":900,"height":600},"speakable":{"@type":"SpeakableSpecification","cssSelector":[".answer-block","h1"]}},{"@context":"https://schema.org","@type":"FAQPage","mainEntity":[{"@type":"Question","name":"Is it ever OK to rely on mx or a in SPF?","acceptedAnswer":{"@type":"Answer","text":"-   Yes, but only for domains you control with stable records. Using a or mx for [third-party domains is risky](https://cybersecuritynews.com/new-research-reveals-90-of-parked-domains/) and can cause hidden lookup expansion. Prefer ip4/ip6 or vetted includes."}},{"@type":"Question","name":"What if I truly need more than 10 lookups?","acceptedAnswer":{"@type":"Answer","text":"-   _You can’t exceed the RFC limit. Use consolidation, flattening, redirect to a delegated domain you control, and segmentation via subdomains_. AutoSPF models your record and suggests the minimal-change path to get under the cap."}},{"@type":"Question","name":"How often should a flattened SPF be refreshed?","acceptedAnswer":{"@type":"Answer","text":"-   Match provider churn: 1-6 hours for dynamic pools, daily for stable ones. AutoSPF refreshes on change (event-driven) and caps TTLs to minimize stale windows."}},{"@type":"Question","name":"Can I publish more than one SPF TXT record?","acceptedAnswer":{"@type":"Answer","text":"-   No. Publish exactly one v=spf1 TXT at a given name; multiple records cause PermError. If you must modularize, use redirect/include within that single record."}},{"@type":"Question","name":"Should I use ~all or -all?","acceptedAnswer":{"@type":"Answer","text":"-   During changes, ~all (softfail) or ?all (neutral) helps prevent bounces while you validate. Move to -all after monitoring shows no legitimate senders are failing. AutoSPF provides policy staging and alerts to guide the switch."}}]}]
```

```json
{"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https://autospf.com/"},{"@type":"ListItem","position":2,"name":"Blog","item":"https://autospf.com/blog/"},{"@type":"ListItem","position":3,"name":"Intermediate","item":"https://autospf.com/intermediate/"},{"@type":"ListItem","position":4,"name":"How can I simplify a complex SPF record flagged by Kitterman without losing legitimate senders?","item":"https://autospf.com/blog/how-to-simplify-kitterman-flagged-spf-records-safely/"}]}
```