NEW Dynamic SPF — one record, unlimited senders

Beat the SPF 10-lookup limit, for good.

DMARC/25 SPF replaces a tangle of include: mechanisms with a single macro record that resolves every sender dynamically — so authentication never breaks as you grow.

One DNS change. Zero ongoing maintenance. Works with any provider.

_spf.yourdomain.com LIVE
Before — manual includes
include:_spf.google.com
include:spf.protection.outlook.com
include:sendgrid.net
include:_spf.salesforce.com — lookup 11
PermError: too many DNS lookups
DMARC/25 SPF
After — one dynamic record
v=spf1 include:%{ir}.%{v}.%{l}.%{d}._spf.a1l.com -all

Resolves every major sender from a single lookup

Google Workspace Microsoft 365 SendGrid Salesforce Mailchimp Amazon SES Zendesk
10
Hard DNS-lookup limit SPF imposes — the cause of most failures
1
Lookup your record needs, no matter how many senders you add
5min
From signup to a live, validated record in your DNS
0
Manual SPF edits once the macro record is in place
The Problem

SPF wasn’t built for the modern sending stack.

Every SaaS tool you add to send mail consumes part of a fixed budget. Cross the line and authentication silently breaks — taking DMARC down with it.

The 10-lookup ceiling

SPF allows a maximum of 10 DNS lookups per evaluation. Each include: — and the includes nested inside it — counts against that budget.

Silent PermError

Exceed the limit and receivers return permerror. Legitimate mail is treated as unauthenticated — no bounce, no warning, just lost trust.

Endless maintenance

Vendors change their IP ranges without notice. Keeping a hand-built SPF record correct is a recurring, error-prone chore for your team.

Deliverability hits

When SPF can’t be evaluated, inbox providers downgrade or quarantine your mail — eroding the campaigns and transactional flows you depend on.

DMARC fails too

DMARC depends on SPF or DKIM alignment. A broken SPF record undermines the very anti-spoofing posture you set out to build.

Flattening goes stale

“SPF flattening” that hard-codes IPs into one record breaks the moment a provider rotates ranges — trading one fragile record for another.

How It Works

One macro record does the lookups for you.

Instead of listing senders, you delegate to a single record. At query time, the sending IP is encoded into the hostname — and our authoritative DNS answers for that exact connection.

TXT _spf.yourdomain.com
v=spf1 include:%{ir}.%{v}.%{l}.%{d}._spf.a1l.com -all
%{ir}Reversed sending IPThe connecting server’s IP, reversed and dot-separated for the DNS query.
%{v}IP versionExpands to in-addr for IPv4 or ip6 — so both address families resolve.
%{l}Local partThe local-part of the envelope sender, available for fine-grained policy.
%{d}Current domainYour domain — scoping the answer so it’s always specific to you.

Why it never hits the limit

A normal SPF record asks receivers to walk a tree of nested includes — each one a DNS lookup. The macro record flips that around.

When a receiver evaluates your SPF, it substitutes the live connection details into the hostname and makes a single query to _spf.a1l.com. Our authoritative DNS already knows every legitimate sender’s ranges and answers pass or fail for that one IP — in one lookup.

Add a new vendor, and we update the source of truth centrally. Your published record never changes, and you never touch DNS again.

Add your domain

Register the domains you send from. We profile your current senders and flag where you’re already over the limit.

Publish one TXT record

Replace your SPF record with the single macro record. It’s the only DNS change you’ll ever make.

Stay authenticated

We keep sender ranges current behind the record. SPF passes, DMARC aligns, and deliverability holds — automatically.

Control

Decide who may send — with approvals, not spreadsheets.

One record points SPF at us. From then on, every sender is a reviewed, scoped, expiring permission — owned by the domain owner, requested by the sender, and recorded forever. No more emailing IP ranges around and hand-editing DNS.

Senders request, owners approve

An ESP, internal team, CRM, or agency asks to send; the domain owner approves the exact sources, mail streams, and time window. A sender can never approve itself onto your domain.

Dual control & step-up

High-risk changes require a second approver and a fresh passkey check. Every request shows its plain-language blast radius — “authorizes 3 ranges to send as billing@ until Sep 1” — before anyone clicks approve.

Scoped & self-expiring

Each authorization is bound to a domain, source, mail stream, and expiry date. Campaign and vendor permissions clean themselves up when the window ends — nothing lingers by accident.

Roles, business units & partners

Fits a solo sender or a global bank: split a domain owner into business units, delegate to an agency or MSP, and give each person exactly the role they need — one sign-in, many hats.

Break-glass revoke & rollback

An on-call responder can suspend, revoke, or roll back in seconds — and the product tells the honest truth about when it takes effect at receivers, down to the cache-expiry second.

Either side can drive it

Prefer the classic “the ESP sends me the records and I apply them” habit? The domain owner can set sources up on a sender’s behalf. Prefer self-serve? The sender does it. The approval step is the same either way.

Measure

Prove it works — and know the moment it breaks.

Authentication you can’t see is authentication you can’t trust. Send a test, seed a campaign, or replay any real connection — and get a straight answer, plus an alert the instant a live send starts failing.

One-click setup test

Send a message to your private test address and get a full scorecard back — SPF, DKIM, DMARC, ARC, and TLS — with a plain “here’s what to fix” for anything short of green.

Campaign seed monitoring

Drop a seed address into any campaign and watch every send get scored over time. If a blast starts failing authentication, subscribers get an alert — because a broken campaign is measured in minutes, not days.

Explain any result

Enter a domain, sender address, and IP — the simulator shows pass or fail, which authorization matched, the exact macro expansion, and the deployment version in effect. Ideal for pre-flighting a change or answering “why did this bounce?”

Traffic & anomaly alerts

We baseline the query volume behind every record. Approve a small campaign but see a massive one? A new IP appears, or fail-ratios climb? An anomaly opens and the right people hear about it — before it becomes an incident.

Features

Built for teams that take email seriously.

Everything you need to keep SPF correct at scale — backed by TwoFive’s deliverability engineering.

Always-current sender data

We track IP-range changes across every major provider and apply them centrally — your record is correct the moment a vendor rotates ranges.

Live lookup analytics

See which senders are querying, from which IPs, and how often — with pass/fail breakdowns to spot misconfigured or unexpected sources.

Validation & preflight

Before you publish, we simulate the record against your real sending IPs and confirm SPF, DKIM, and DMARC all line up.

Multi-domain management

Manage SPF for every domain and subdomain from one console, with per-domain policy and role-based access for your team.

Global anycast DNS

Macro queries are answered from an anycast network engineered for sub-10ms response — SPF evaluation never becomes the bottleneck.

Expert support included

Backed by the deliverability specialists behind DMARC/25 Analyze — the same team trusted by Japan’s largest senders.

Guided record builder

Pick your senders and streams — we generate the exact TXT, check your live record, catch a weak ~all or duplicate SPF, count your remaining lookups, and walk you from “publish this” to a verified green. Expert paste mode is one switch away.

Import & migrate in minutes

Paste your current SPF record. We parse every include, count how close you are to the 10-lookup wall, flag stale flattening, name your current vendors, and lay out the path to one clean macro record.

Versioned, multi-node deploys

Every change compiles to a validated, versioned artifact and ships to each DNS node independently. You always see “version N live on 3 of 3 nodes” — and a partial rollout is shown loudly, never hidden.

No passwords, phishing-resistant

Sign in with LinkedIn, Google, Microsoft, or your company SSO — we never store a password. Passkeys and security keys protect every account, and AI agents authenticate with hardware-anchored keys and sign the changes they propose.

Security you dial in

A bank turns everything up — forced strong factors, tight approver quorums, login IP allow-lists; a solo sender keeps it light. You choose the posture from a preset and adjust any control, instead of us deciding for you.

Tamper-evident audit

Every request, approval, change, and revoke lands in a hash-chained timeline you can export for regulators — a complete, verifiable history of who did what to your sending, and when.

Security & Reliability

Authentication you can build a policy on.

DMARC/25 SPF sits in the critical path of your mail. It’s engineered to be invisible — correct, fast, and always on.

Authoritative source of truth

Sender ranges are verified against provider-published data — never guessed, never stale.

Anycast, globally redundant

No single point of failure. Queries resolve at the nearest edge with automatic failover.

Change-safe by design

Your published record is immutable. Updates happen behind it, so a vendor change can never break your DNS.

Standards-compliant

Pure RFC 7208 SPF macros — no proprietary resolver, no lock-in. Works with every compliant receiver.

No password to steal

Sign-in is delegated to LinkedIn, Google, Microsoft, or your own SSO. We store no password, so there is none to leak — and a borrowed social login alone can never change your SPF.

Phishing-resistant by design

Passkeys and security keys guard every account, and sensitive changes demand a fresh check — even for someone already signed in.

Never in the message path

We answer SPF at the edge; we never touch your mail. If the console is down for maintenance, delivery keeps flowing — only management changes pause.

1

DNS lookup — no matter how many senders

Resolver regionsUS + EU
RedundancyMulti-node, auto-failover
Sender-range refreshOperator-pushed
Record formatRFC 7208 macros
DNSSECSigned
Get Started

Fix your SPF in an afternoon.

Create an account, point one TXT record at us, and watch authentication hold steady — no matter how many senders you add next quarter.