Why does /audit return in ~3 seconds?

We read DNS and key email header fields only, use parallel resolvers with 2s timeouts, and return structured results with suggestions.

What is Proof‑of‑Scan?

We hash canonical JSON (sha256) and provide a Verify endpoint to recompute via multiple public DNS resolvers and compare hashes.

Do you store email bodies?

No. We never store bodies. We parse headers only, delete .eml right after parsing, and keep PDF/JSON for evidence.

Why is there a 10‑lookup limit?

To prevent denial‑of‑service via excessive DNS queries; per RFC7208 a receiver may stop after 10.

What counts as a lookup?

Mechanisms that trigger DNS queries include include, a, mx, ptr, exists, redirect; ip4/ip6/all do not.

How to verify the fix?

Run the audit, produce PDF evidence, and use Verify to re‑compute from multiple resolvers; hashes should match.

SPF lookups ≤ 10: diagnosis & flattening

When SPF chains exceed 10 DNS lookups, receivers may stop evaluation and your mail fails alignment inconsistently. Here is a practical way to diagnose and flatten includes safely.

Audit & verify

Why it happens

Every include:, a, mx, ptr, exists can trigger lookups. Deep include chains and vendor bundles frequently push you over the limit.

Three‑step fix

Map the include chain and count lookups (aim ≤ 8 to leave headroom).
Flatten vendor ranges into ip4:/ip6: where stable; avoid nesting includes whose content you do not control.
Stage in a subdomain and switch gradually; monitor DMARC alignment and complaint rate.

# Example: flatten includes
v=spf1 ip4:203.0.113.0/24 ip4:198.51.100.0/24 include:_spf.mailvendor.com -all
# After vendor flattening
v=spf1 ip4:203.0.113.0/24 ip4:198.51.100.0/24 ip4:192.0.2.0/24 -all

Validate each step

Re‑run the audit; confirm lookups ≤10 and recursion depth ≤3.
Produce a PDF pack; store scanId/sha256 with your change ticket.
Use /api/verify to recompute via public resolvers for an independent match.

Common pitfalls

Flattening too aggressively and missing vendor IP updates—automate sync.
Leaving duplicate SPF TXT records—receivers may pick the wrong one.
Using ptr or exists unnecessarily—adds lookups without value.

Automation template

Keep a controlled zone (e.g. _spf.vendor.example.com) where a nightly job fetches vendor ranges and writes flattened TXT. Your primary SPF then includes only this controlled record. Changes remain under your history and review.

CTA: Sample PDF · Start daily monitoring (alerts & white‑label PDF)