When an IT ecosystem requires multiple heavy CRM and marketing platforms, AutoSPF provides the infrastructure to keep them all authenticated without hitting the dreaded PermError. This guide covers how to audit your current DNS footprint, configure the Salesforce return path for proper alignment, swap your bloated SPF record for a single managed AutoSPF include, and clear the rigid domain-verification checks that HubSpot and Salesforce run during initial setup. By moving to a flattened architecture, you stay under the RFC 7208 10-lookup limit while maintaining DMARC compliance across your entire enterprise stack.
Assess the CRM lookup footprint
Adding a single marketing tool often feels like a minor DNS update, but the underlying cost is deceptive. The Sender Policy Framework (SPF) is governed by a strict limit of 10 DNS lookups per evaluation. When you add an include statement to your TXT record, you are not just adding one item to a list; you are often triggering a recursive chain of secondary and tertiary lookups that the receiving mail server must resolve before it can validate your email.
In a typical enterprise environment, the lookup budget is consumed rapidly. If your organization uses Microsoft 365 or Google Workspace as its primary mail provider, you have already used approximately 2 to 4 lookups just for your day-to-day communication. When you layer on specialized sales and marketing tools, you quickly breach the limit. According to our CRM DNS footprint comparison, combining just two major platforms can push even a lean DNS record into a failing state.
| Platform | Typical DNS Lookup Cost | Notes |
|---|---|---|
| Microsoft 365 | 1–2 | Base includes for Outlook and Protection |
| Google Workspace | 3–4 | Includes multiple nested lookups for global infrastructure |
| Salesforce | 1–2 | Standard include:_spf.salesforce.com |
| HubSpot | 2–3 | Varies based on dedicated vs. shared IP settings |
| Zendesk | 1 | Standard include for support ticketing |
The "nested" nature of these lookups is where most IT administrators get caught off guard. You might see only five include statements in your TXT record and assume you are safe. However, if the Salesforce include contains its own nested includes, and the HubSpot include does the same, the receiving server will count every single one of those hops. If the total hits 11, the server returns a PermError, and your SPF record effectively ceases to exist for that transaction. This is the primary reason why an automated SPF flattening service is required for modern tech stacks.

Adjust Salesforce bounce management for proper alignment
Setting up Salesforce requires more than just adding an include to your DNS. Even if your SPF record is technically valid and under the 10-lookup limit, your emails might still fail DMARC checks due to a lack of alignment. By default, Salesforce uses its own domain in the envelope Return-Path address. This allows Salesforce to handle bounce management on your behalf, but it creates a mismatch between the "Header From" (your domain) and the "Envelope From" (Salesforce's domain).
When these domains do not match, the email is not "aligned." For DMARC to pass via SPF, the domains must align. To fix this, you must change how Salesforce handles outbound mail to ensure it uses your domain for the return path. This process is detailed in the AutoSPF guide on Setting SPF and DKIM for Salesforce.
The Return-Path problem
The Return-Path is the hidden address where bounce notifications are sent. If this address remains set to a Salesforce-owned domain, receiving servers check your SPF record against Salesforce's IPs and see a pass for Salesforce, but because the domain doesn't match your company's domain in the visible "From" field, DMARC ignores the SPF pass. This leaves your deliverability entirely dependent on DKIM, which is a risky "single point of failure" for enterprise email.
Disabling default bounce management
To force Salesforce to use your domain and achieve SPF alignment, you must modify the deliverability settings within the Salesforce administrative console. This requires a trade-off: you will gain DMARC alignment, but you will need to handle bounce notifications manually or through a different automated system, as Salesforce will no longer intercept them.
Navigate to Setup > Email Administration > Deliverability. You must uncheck two specific boxes:
- Activate Bounce Management: This stops Salesforce from rewriting the return address to its own bounce-tracking domain.
- Enable compliance with standard email security mechanisms: This setting, despite its name, often interferes with custom SPF/DKIM setups by forcing Salesforce's default envelope headers.
Once these are unchecked and saved, Salesforce will send mail using your domain in the envelope. When the receiving server checks your AutoSPF managed record, it will find a match for both the IP and the domain, satisfying the DMARC alignment requirement.
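The alignment rule behind the Return-Path problem and the bounce-management change above, as an added example (not Salesforce's or AutoSPF's code): a raw SPF pass on a vendor-owned envelope domain is ignored by DMARC, while the same pass on the company's own envelope domain counts. It assumes constructed domains and authentication results, and a last-two-labels stand-in for the public suffix list.

```python
# Added example, not Salesforce's or AutoSPF's code. Domains and authentication
# results are constructed; org_domain() uses a last-two-labels rule instead of
# the public suffix list a real DMARC verifier consults.
def org_domain(name):
    """Organizational domain, simplified: the last two labels of the name."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """Identifier alignment (RFC 7489 s.3.1): strict needs an exact match,
    relaxed accepts any subdomain of the same organizational domain."""
    a, b = from_domain.lower().rstrip("."), auth_domain.lower().rstrip(".")
    return a == b if mode == "s" else org_domain(a) == org_domain(b)

def dmarc_verdict(header_from, mail_from, spf, dkim_d, dkim, aspf="r", adkim="r"):
    """DMARC passes only if SPF or DKIM both passes *and* aligns with the
    RFC5322.From domain; an SPF pass on a foreign envelope domain is ignored."""
    spf_ok = spf == "pass" and aligned(header_from, mail_from, aspf)
    dkim_ok = dkim == "pass" and aligned(header_from, dkim_d, adkim)
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok, "dmarc": spf_ok or dkim_ok}

# Default bounce management: the vendor's own domain sits in the envelope.
# SPF passes for crm-vendor.example, so DMARC cannot use that pass for
# example.com, and with DKIM failing nothing is left to pass on.
before = dmarc_verdict("example.com", "bounce.crm-vendor.example", "pass",
                       "example.com", "fail")
# Bounce management disabled: the envelope carries the company domain, the
# same SPF pass now aligns, and DMARC passes even though DKIM still fails.
after = dmarc_verdict("example.com", "example.com", "pass", "example.com", "fail")
```

With `aspf=s` (strict) a bounce subdomain such as bounce.example.com would no longer align, so check which mode your DMARC record declares before choosing the envelope domain.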
Deploy the flattened AutoSPF replacement
Once you have identified all your sending sources—Salesforce, HubSpot, your primary mail server, and perhaps a transactional service like SendGrid—you can use AutoSPF to consolidate them. The transition from a bloated, failing record to a flattened record takes place in the AutoSPF dashboard. You provide the list of your current include mechanisms, and the engine begins a recursive resolution process.
AutoSPF doesn't just list the IPs; it performs a deep resolution of every nested include in your stack. It identifies every IPv4 and IPv6 range authorized by your vendors, de-duplicates them to prevent record bloat, and optimizes the netblocks. The result is a single, clean include: v=spf1 include:_spf.autospf.com ~all. This single record replaces your entire messy TXT entry at your domain provider (e.g., GoDaddy, Cloudflare, or AWS Route 53).

Real-time monitoring and rescanning
A major risk of manual SPF flattening—where an admin manually resolves IPs and pastes them into DNS—is that vendors like Salesforce or HubSpot change their IP ranges frequently. If Salesforce adds a new data center and you are using a static list of IPs, your emails will start failing SPF checks immediately.
AutoSPF mitigates this by rescanning your vendor records every 15 minutes. When a change is detected in the upstream records of any of your authorized senders, the platform updates your flattened record automatically. This "hands-free" management ensures that you never have to manually update your DNS when a vendor scales their infrastructure. This infrastructure is served via Cloudflare with a 99.99% uptime SLA, ensuring that your SPF record is always available to receiving mail servers.
Avoiding the multiple record trap
A common mistake when adding a new tool like HubSpot is creating a second SPF TXT record for the same domain. This is an immediate path to failure. The SPF specification clearly states that a domain can have only one SPF record. If a receiving server finds two records, it will return a "PermError" and reject both. You must merge all authorized senders into the single AutoSPF include. This consolidation is a core feature of the SPF flattening service, allowing you to manage complex stacks without risking the integrity of your DNS zone file.
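The lookup counting from the footprint section, the recursive flattening, and the single-record rule above, as one added example (not AutoSPF's or any vendor's code): a receiving-server walk that counts DNS-querying mechanisms against the RFC 7208 limit, treats two SPF records at one name as a permerror, and emits a de-duplicated ip4/ip6 replacement. It assumes an in-memory ZONE dict in place of live DNS, with constructed hostnames and address ranges, and expands only include (no A/MX data, no redirect=).

```python
# Added example (not AutoSPF's code): ZONE is a constructed stand-in for live
# DNS TXT lookups; its hostnames and address ranges are illustrative only.
ZONE = {
    "example.com": ["v=spf1 include:mail.example include:crm.example "
                    "include:mkt.example include:support.example -all"],
    "mail.example": ["v=spf1 include:mail-a.example include:mail-b.example -all"],
    "mail-a.example": ["v=spf1 ip4:203.0.113.0/24 -all"],
    "mail-b.example": ["v=spf1 ip6:2001:db8:1::/48 ip4:203.0.113.0/24 -all"],
    "crm.example": ["v=spf1 a include:crm-1.example include:crm-2.example -all"],
    "crm-1.example": ["v=spf1 ip4:198.51.100.0/25 -all"],
    "crm-2.example": ["v=spf1 ip4:198.51.100.128/25 -all"],
    "mkt.example": ["v=spf1 include:mkt-1.example include:mkt-2.example -all"],
    "mkt-1.example": ["v=spf1 ip4:192.0.2.0/26 -all"],
    "mkt-2.example": ["v=spf1 ip4:192.0.2.64/26 -all"],
    "support.example": ["v=spf1 ip4:192.0.2.128/25 -all"],
    # The "multiple record trap": two SPF TXT records published at one name.
    "twice.example": ["v=spf1 ip4:192.0.2.1 -all", "v=spf1 include:mail.example -all"],
}
# DNS-querying mechanisms (RFC 7208 s.4.6.4). All are counted, but only include
# is expanded: ZONE holds no A/MX data, and redirect= is assumed absent.
LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists"}

def walk(domain, zone, ips=None, counter=None):
    """Collect ip4/ip6 terms down the include chain and count DNS lookups."""
    ips = [] if ips is None else ips
    counter = [0] if counter is None else counter
    recs = [r for r in zone.get(domain, []) if r.lower().startswith("v=spf1")]
    if len(recs) != 1:  # none at an include target, or more than one: permerror
        raise ValueError(f"permerror: {domain} has {len(recs)} SPF records")
    for term in recs[0].split()[1:]:
        mech = term.lstrip("+-~?").split(":", 1)[0].split("/", 1)[0].lower()
        if mech in LOOKUP_MECHS:
            counter[0] += 1
        if mech == "include":
            walk(term.split(":", 1)[1], zone, ips, counter)
        elif mech in ("ip4", "ip6") and term not in ips:  # de-duplicate ranges
            ips.append(term)
    return ips, counter[0]

def check(domain, zone):
    """Verdict a receiving server reaches before it compares any IP."""
    try:
        lookups = walk(domain, zone)[1]
    except ValueError as err:
        return str(err)
    return f"ok: {lookups} lookups" if lookups <= 10 else "permerror: over 10 lookups"

def flatten(domain, zone):
    """The flattened replacement: every authorized range, no include: left."""
    return "v=spf1 " + " ".join(walk(domain, zone)[0]) + " ~all"
```

Four visible includes at the apex cost eleven lookups once the nested includes and the `a` mechanism are counted, and the flattened output costs zero. The flattened record also contains no `include:` text at all, which is why a vendor's substring-based verifier no longer finds its own include statement in it.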
Clear the shallow validation checks during CRM setup
One of the most frustrating parts of deploying a new CRM is the "Domain Not Verified" error in the platform's dashboard. Even when your SPF record is technically perfect and resolving correctly, HubSpot and Salesforce may flag your domain as unverified. This happens because these platforms often use "shallow validation"—a simple string search that looks for their specific include statement in your public DNS.
Since AutoSPF has replaced include:_spf.hubspotemail.net with a flattened IP list (or a single managed include), the CRM's automated checker doesn't see the text it's looking for. It assumes the record is missing, even though the mail servers will validate the SPF correctly. We have analyzed this specific friction point in our guide on Why HubSpot and Salesforce integrations break your SPF record.
Why shallow validation fails
Shallow validation is a shortcut used by SaaS providers to confirm you have followed their setup instructions. They aren't performing a full SPF check; they are performing a regex match on your TXT record. When you use an advanced architecture like AutoSPF, you are "too smart" for their basic checker. This is a known issue with Microsoft 365, Zoho, and various other platforms that prioritize ease of use over technical depth.
The manual verification request
When you encounter this, do not revert your SPF flattening. Reverting would put you back over the 10-lookup limit, causing real deliverability failures just to satisfy a dashboard light. Instead, you should contact the vendor's support team. Most enterprise-grade CRMs have a protocol for this. You can find the exact script to use in the AutoSPF support documentation for SPF Not Validating At My Service Provider.
Explain to the support representative that you use SPF flattening to remain compliant with RFC 7208 and that your record resolves the necessary IPs for their service. In most cases, the support team can manually trigger a "verified" status or override the automated check. This ensures your CRM is fully functional without compromising your domain's security.

The complexity of modern email stacks makes manual SPF management a liability. Between the 10-lookup limit and the alignment requirements of DMARC, IT teams need a solution that is both dynamic and reliable. Deploying an enterprise CRM shouldn't put your day-to-day corporate email at risk. Once your includes are consolidated, the transition to AutoSPF takes less than 60 seconds. You can start a 30-day trial at https://autospf.com/ to flatten your record immediately and secure your deliverability across all your platforms.