Publish your SPF record

Learn how to publish the UglyDMARC SPF include and eliminate the RFC 7208 10-lookup limit without adding complexity.

The UglyDMARC SPF include

UglyDMARC solves the SPF 10-lookup limit with a single include that your domain publishes:

include:%{ir}.%{v}.%{d}.spf.uglydmarc.com

This include uses SPF macros, which the receiving mail server expands when it evaluates your SPF record:

  • %{ir} expands to the sender's IP address in reversed octets (e.g., 4.3.2.1 for sender IP 1.2.3.4)
  • %{v} expands to the IP version (in-addr for IPv4, ip6 for IPv6)
  • %{d} expands to your domain name

The resolver queries UglyDMARC's authoritative DNS, which has pre-flattened your entire vendor/include tree into a cached CIDR set. UglyDMARC answers with a minimal, per-IP response:

  • If the sender's IP is in your authorized set: v=spf1 ip4:<sender-ip> -all
  • If the sender's IP is not authorized: v=spf1 -all (fail)

This means that no matter how many vendors you add (Google, Microsoft 365, SendGrid, Mailgun, AWS SES, etc.), the receiver only ever sees one include and a single-IP response. You never hit the 10-lookup limit again.
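
The macro expansion described above, as an added example (not UglyDMARC's own code): this Python function expands %{ir}, %{v} and %{d} as RFC 7208 section 7 defines them, for both IPv4 and IPv6 senders, and returns the name a receiver would query. The function names, the sample sender IPs and example.com are assumptions made for illustration; macro letters other than i, v and d are left unexpanded.

```python
import ipaddress
import re

# Include target copied from this page.
UGLYDMARC_INCLUDE = "%{ir}.%{v}.%{d}.spf.uglydmarc.com"

# %{letter[digits][r][delimiters]} per RFC 7208 section 7.1; only the
# three macro letters this include uses (i, v, d) are handled here.
MACRO = re.compile(r"%\{([ivd])(\d*)(r?)([.\-+,/_=]*)\}")


def _ip_parts(ip):
    """%{i}: dotted quad for IPv4, one hex nibble per label for IPv6."""
    if ip.version == 4:
        return str(ip)
    return ".".join(ip.exploded.replace(":", ""))


def expand(template, sender_ip, domain):
    """Return the DNS name a receiver queries for this sender and domain."""
    ip = ipaddress.ip_address(sender_ip)  # raises ValueError on bad input
    values = {
        "i": _ip_parts(ip),
        "v": "in-addr" if ip.version == 4 else "ip6",
        "d": domain.rstrip("."),
    }

    def substitute(match):
        letter, digits, reverse, delims = match.groups()
        parts = re.split("[" + re.escape(delims or ".") + "]", values[letter])
        if reverse:
            parts.reverse()
        if digits:
            if int(digits) == 0:
                raise ValueError("digit transformer must be nonzero")
            parts = parts[-int(digits):]  # keep the right-hand N parts
        return ".".join(parts)

    name = MACRO.sub(substitute, template)
    # RFC 7208 section 7.3: drop left-hand labels until the name fits 253.
    while len(name) > 253 and "." in name:
        name = name.split(".", 1)[1]
    return name


if __name__ == "__main__":
    for ip in ("1.2.3.4", "2001:db8::1"):  # constructed sample senders
        print(ip, "->", expand(UGLYDMARC_INCLUDE, ip, "example.com"))
```

Querying the returned name for TXT with dig shows the per-IP answer a receiver would get for that sender.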

Publishing the include

You must add the UglyDMARC include to your domain's SPF record.

If you already have an SPF record

Edit your existing SPF record and add the include alongside your other mechanisms. For example:

v=spf1 include:%{ir}.%{v}.%{d}.spf.uglydmarc.com include:sendgrid.net -all

One record per domain

A domain may have only one SPF record (TXT). Never create a second SPF record; this causes failures. Always merge the UglyDMARC include into your existing SPF record rather than publishing it as a separate record.

If you don't have an SPF record yet

Create a new SPF record with:

v=spf1 include:%{ir}.%{v}.%{d}.spf.uglydmarc.com -all

The -all (fail) at the end is standard and means any IP not matched by your mechanisms is rejected.

Verifying publication

After you've published the SPF record, verify that it's live using dig or nslookup:

# Check your SPF record (command works on macOS, Linux, Windows with WSL)
dig example.com TXT

You should see output like:

; example.com. IN TXT
"v=spf1 include:%{ir}.%{v}.%{d}.spf.uglydmarc.com -all"

If the record doesn't appear, wait a few minutes for DNS propagation and try again.

On Windows (without WSL): use nslookup -type=TXT example.com instead.

Configuring DMARC reports

While you're updating DNS, also publish (or update) your DMARC record so that receiving mail servers send reports to UglyDMARC. Create a _dmarc TXT record with:

v=DMARC1; p=none; rua=mailto:rua@reports.uglydmarc.com

Replace p=none with p=quarantine or p=reject once all your legitimate senders are passing SPF/DKIM alignment (see Reading DMARC reports for guidance).

FAQ

What if I have other includes or mechanisms in my SPF?
The UglyDMARC include is compatible with standard SPF mechanisms. You can keep include:sendgrid.net, include:mandrillapp.com, and others. However, keep your include count below 10 (the limit applies to the whole SPF chain, not just UglyDMARC).

Do I need to update my SPF every time I add a new vendor?
No. UglyDMARC automatically detects changes to your domain configuration and rebuilds its CIDR set in the background. Just add the new vendor's IPs to your UglyDMARC console, and the SPF synthesis updates within seconds.

Does UglyDMARC sign DKIM?
No. UglyDMARC synthesizes SPF only. For DKIM, you manage your domain's DKIM keys and signing as usual.

What about IPv6?
The UglyDMARC include works for both IPv4 and IPv6 via the %{v} macro. Your authorized sender set can include both IPv4 and IPv6 CIDR ranges.