The 10-lookup ceiling
SPF allows a maximum of 10 DNS lookups per evaluation. Each include: — and the includes nested inside it — counts against that budget.
DMARC/25 SPF replaces a tangle of include: mechanisms with a single macro record that resolves every sender dynamically — so authentication never breaks as you grow.
One DNS change. Zero ongoing maintenance. Works with any provider.
v=spf1 include:%{ir}.%{v}.%{l}.%{d}._spf.a1l.com -all
Resolves every major sender from a single lookup
Every SaaS tool you add to send mail consumes part of a fixed budget. Cross the line and authentication silently breaks — taking DMARC down with it.
SPF allows a maximum of 10 DNS lookups per evaluation. Each include: — and the includes nested inside it — counts against that budget.
Exceed the limit and receivers return permerror. Legitimate mail is treated as unauthenticated — no bounce, no warning, just lost trust.
Vendors change their IP ranges without notice. Keeping a hand-built SPF record correct is a recurring, error-prone chore for your team.
When SPF can’t be evaluated, inbox providers downgrade or quarantine your mail — eroding the campaigns and transactional flows you depend on.
DMARC depends on SPF or DKIM alignment. A broken SPF record undermines the very anti-spoofing posture you set out to build.
“SPF flattening” that hard-codes IPs into one record breaks the moment a provider rotates ranges — trading one fragile record for another.
Instead of listing senders, you delegate to a single record. At query time, the sending IP is encoded into the hostname — and our authoritative DNS answers for that exact connection.
in-addr for IPv4 or ip6 — so both address families resolve.A normal SPF record asks receivers to walk a tree of nested includes — each one a DNS lookup. The macro record flips that around.
When a receiver evaluates your SPF, it substitutes the live connection details into the hostname and makes a single query to _spf.a1l.com. Our authoritative DNS already knows every legitimate sender’s ranges and answers pass or fail for that one IP — in one lookup.
Add a new vendor, and we update the source of truth centrally. Your published record never changes, and you never touch DNS again.
Register the domains you send from. We profile your current senders and flag where you’re already over the limit.
Replace your SPF record with the single macro record. It’s the only DNS change you’ll ever make.
We keep sender ranges current behind the record. SPF passes, DMARC aligns, and deliverability holds — automatically.
One record points SPF at us. From then on, every sender is a reviewed, scoped, expiring permission — owned by the domain owner, requested by the sender, and recorded forever. No more emailing IP ranges around and hand-editing DNS.
An ESP, internal team, CRM, or agency asks to send; the domain owner approves the exact sources, mail streams, and time window. A sender can never approve itself onto your domain.
High-risk changes require a second approver and a fresh passkey check. Every request shows its plain-language blast radius — “authorizes 3 ranges to send as billing@ until Sep 1” — before anyone clicks approve.
Each authorization is bound to a domain, source, mail stream, and expiry date. Campaign and vendor permissions clean themselves up when the window ends — nothing lingers by accident.
Fits a solo sender or a global bank: split a domain owner into business units, delegate to an agency or MSP, and give each person exactly the role they need — one sign-in, many hats.
An on-call responder can suspend, revoke, or roll back in seconds — and the product tells the honest truth about when it takes effect at receivers, down to the cache-expiry second.
Prefer the classic “the ESP sends me the records and I apply them” habit? The domain owner can set sources up on a sender’s behalf. Prefer self-serve? The sender does it. The approval step is the same either way.
Authentication you can’t see is authentication you can’t trust. Send a test, seed a campaign, or replay any real connection — and get a straight answer, plus an alert the instant a live send starts failing.
Send a message to your private test address and get a full scorecard back — SPF, DKIM, DMARC, ARC, and TLS — with a plain “here’s what to fix” for anything short of green.
Drop a seed address into any campaign and watch every send get scored over time. If a blast starts failing authentication, subscribers get an alert — because a broken campaign is measured in minutes, not days.
Enter a domain, sender address, and IP — the simulator shows pass or fail, which authorization matched, the exact macro expansion, and the deployment version in effect. Ideal for pre-flighting a change or answering “why did this bounce?”
We baseline the query volume behind every record. Approve a small campaign but see a massive one? A new IP appears, or fail-ratios climb? An anomaly opens and the right people hear about it — before it becomes an incident.
Everything you need to keep SPF correct at scale — backed by TwoFive’s deliverability engineering.
We track IP-range changes across every major provider and apply them centrally — your record is correct the moment a vendor rotates ranges.
See which senders are querying, from which IPs, and how often — with pass/fail breakdowns to spot misconfigured or unexpected sources.
Before you publish, we simulate the record against your real sending IPs and confirm SPF, DKIM, and DMARC all line up.
Manage SPF for every domain and subdomain from one console, with per-domain policy and role-based access for your team.
Macro queries are answered from an anycast network engineered for sub-10ms response — SPF evaluation never becomes the bottleneck.
Backed by the deliverability specialists behind DMARC/25 Analyze — the same team trusted by Japan’s largest senders.
Pick your senders and streams — we generate the exact TXT, check your live record, catch a weak ~all or duplicate SPF, count your remaining lookups, and walk you from “publish this” to a verified green. Expert paste mode is one switch away.
Paste your current SPF record. We parse every include, count how close you are to the 10-lookup wall, flag stale flattening, name your current vendors, and lay out the path to one clean macro record.
Every change compiles to a validated, versioned artifact and ships to each DNS node independently. You always see “version N live on 3 of 3 nodes” — and a partial rollout is shown loudly, never hidden.
Sign in with LinkedIn, Google, Microsoft, or your company SSO — we never store a password. Passkeys and security keys protect every account, and AI agents authenticate with hardware-anchored keys and sign the changes they propose.
A bank turns everything up — forced strong factors, tight approver quorums, login IP allow-lists; a solo sender keeps it light. You choose the posture from a preset and adjust any control, instead of us deciding for you.
Every request, approval, change, and revoke lands in a hash-chained timeline you can export for regulators — a complete, verifiable history of who did what to your sending, and when.
DMARC/25 SPF sits in the critical path of your mail. It’s engineered to be invisible — correct, fast, and always on.
Sender ranges are verified against provider-published data — never guessed, never stale.
No single point of failure. Queries resolve at the nearest edge with automatic failover.
Your published record is immutable. Updates happen behind it, so a vendor change can never break your DNS.
Pure RFC 7208 SPF macros — no proprietary resolver, no lock-in. Works with every compliant receiver.
Sign-in is delegated to LinkedIn, Google, Microsoft, or your own SSO. We store no password, so there is none to leak — and a borrowed social login alone can never change your SPF.
Passkeys and security keys guard every account, and sensitive changes demand a fresh check — even for someone already signed in.
We answer SPF at the edge; we never touch your mail. If the console is down for maintenance, delivery keeps flowing — only management changes pause.
DNS lookup — no matter how many senders
Create an account, point one TXT record at us, and watch authentication hold steady — no matter how many senders you add next quarter.
We’ll email your SPF analysis to you shortly.