Summary
Setting up SPF and DKIM for new subdomains with third-party email services involves several key steps. First, obtain the SPF and DKIM records from your email service provider, as they should not be self-generated. These records are added as DNS records, typically TXT, to your subdomain's DNS settings. SPF records authorize specific mail servers to send emails on behalf of your domain and should include the 'v=spf1' version tag, mechanisms such as 'include:' for third-party services, and a qualifier like '-all'. DKIM records contain a public key for verifying email authenticity, and the DKIM record name needs to match the selector provided. For SPF, be mindful of the 10 DNS lookup limit and consolidate records. It’s also essential to use a unique DKIM key for each subdomain and align SPF/DKIM with the domain in the 'From' header for DMARC validation. Furthermore, verify the setup using the provider's validation tools.
Key findings
- Obtain Records from Provider: SPF and DKIM records should be obtained directly from the third-party email service provider.
- DNS Record Type and Location: SPF and DKIM records are typically added as TXT records to the subdomain's DNS settings; DKIM may use CNAME.
- SPF Record Structure: SPF records include 'v=spf1', authorized sending mechanisms (e.g., 'include:'), and a qualifier (e.g., '-all').
- DKIM Record Function: DKIM records verify email authenticity with a public key.
- SPF Record Importance: SPF authorizes specific mail servers to send emails on behalf of your domain.
- DKIM Key Generation: You should generate a new DKIM key for each subdomain.
- DMARC Alignment Necessity: SPF and DKIM records need to align with the domain in the 'From' header for DMARC validation when sending emails.
Key considerations
- SPF DNS Lookup Limit: Be mindful of the SPF 10 DNS lookup limit, especially when using multiple includes.
- Validation Procedures: Verify the setup of SPF and DKIM records using the tools provided by the email service.
- Provider Signing: Many providers initially sign emails using their own domains, make sure you setup your own authentication.
What email marketers say
12 marketer opinions
When configuring SPF and DKIM for new subdomains with third-party email services, it's crucial to obtain the necessary records directly from the service providers. These records are then added as DNS records (typically TXT records, but DKIM may use CNAME) to the subdomain's DNS zone, not necessarily the parent domain. Ensure SPF records include all authorized senders using the 'include:' mechanism, but be mindful of the 10 DNS lookup limit. SPF's relevance depends on whether the provider uses your domain in the MAIL FROM domain; if not, an SPF record may not be provided. DKIM keys might be shared by the provider, so inquire about using your own. Always validate the setup using tools from the provider. SPF serves to authorize sending sources, preventing spoofing, and DKIM records require a selector name. It is also key to ensure DMARC alignment of the SPF/DKIM when sending using subdomains.
Key opinions
- Provider Records: Third-party email services should supply the necessary SPF and DKIM records.
- DNS Record Type: SPF records are generally added as TXT records, while DKIM may use TXT or CNAME records.
- SPF Relevance: SPF is only relevant if the provider uses your domain in the MAIL FROM domain.
- DKIM Key Ownership: Inquire about using your own DKIM key instead of a shared key from the provider.
- Validation: Always validate the SPF and DKIM setup using the provider's tools.
- SPF Purpose: SPF authorizes sending sources to prevent spoofing.
- DKIM Selector: The DKIM record requires a specific selector name from the email service provider.
Key considerations
- DNS Lookup Limit: Ensure your SPF record does not exceed the 10 DNS lookup limit when including multiple services.
- Subdomain vs Domain: Publish the DKIM record to the subdomain's DNS zone, not the parent domain.
- DMARC Alignment: SPF and DKIM records need to align with the domain in the 'From' header for DMARC validation
Marketer view
Email marketer from Sendgrid answers that DNS records should be added at the domain/subdomain name servers or hosting provider.
7 Apr 2023 - Sendgrid
Marketer view
Email marketer from MXToolbox explains that the DKIM record goes into your DNS as a TXT record under a specific selector name provided by your email service. Verify the selector with the email service provider.
26 Jan 2025 - MXToolbox
What the experts say
6 expert opinions
Setting up SPF and DKIM for subdomains involves adding the ESP's SPF record to the sending domain's TXT record, while DKIM setup is similar but might use a CNAME record. Many providers sign emails with their domains initially, so setting up your own authentication is important. SPF has a 10 DNS lookup limit. Generate a new DKIM key for each subdomain to avoid reputation issues. SPF or DKIM must align with the domain in the 'From' header for DMARC validation when using subdomains.
Key opinions
- SPF Example: SPF records include the ESP's SPF record in the sending domain's TXT record.
- DKIM Record Type: DKIM setup may involve a CNAME record.
- Authentication Importance: Setting up your own authentication is important, even if providers initially sign emails.
- DKIM Key Uniqueness: Generate a new DKIM key for each subdomain.
- DMARC Alignment: SPF/DKIM must align with the domain in the 'From' header for DMARC validation.
Key considerations
- SPF Lookup Limit: SPF has a 10 DNS lookup limit that can be broken using too many includes.
Expert view
Expert from Spam Resource, John Levine, explains that SPF has a 10 DNS lookup limit. When setting up SPF records, especially with multiple third-party senders, it's important to ensure your SPF record doesn't exceed this limit. Using too many includes can break SPF.
26 Aug 2022 - Spam Resource
Expert view
Expert from Email Geeks mentions DKIM setup is similar to SPF, but may involve a CNAME record.
22 Oct 2021 - Email Geeks
What the documentation says
5 technical articles
Setting up SPF and DKIM records for new subdomains using third-party email services involves creating TXT records in your DNS settings. The SPF record authorizes specific mail servers to send emails on behalf of your domain and should include the 'v=spf1' version tag, mechanisms to define authorized sources (e.g., 'include:' for third-party services), and a qualifier to handle unauthorized sources (e.g., '-all'). The DKIM record contains a public key for verifying email authenticity. For outbound email, the SPF record should be created at the domain level.
Key findings
- Record Type: SPF and DKIM records are typically created as TXT records in your DNS settings.
- SPF Syntax: SPF records should include 'v=spf1', authorized sending mechanisms (e.g., 'include:'), and a qualifier (e.g., '-all').
- SPF Purpose: SPF authorizes specific mail servers to send emails on behalf of your domain.
- DKIM Function: DKIM records contain a public key to verify email authenticity and prevent tampering.
- Include Mechanism: The 'include:' mechanism is used to reference third-party email services in the SPF record.
Key considerations
Technical article
Documentation from RFC 7208 shares that SPF records should conform to the defined syntax that include version, mechanisms and qualifiers. It details each mechanism for specifying authorized IPs and domains, as well as the recommended usage.
29 Jul 2022 - RFC Editor
Technical article
Documentation from Mailchimp explains that SPF records should be created as TXT records in your domain's DNS settings. The record must start with 'v=spf1' and include mechanisms to specify which mail servers are authorized to send emails for your domain. Common mechanisms are 'include:' for third-party services and 'ip4:' or 'ip6:' for specific IP addresses. Terminate the record with a qualifier like '-all' to indicate a hard fail for unauthorized sources.
18 Jan 2023 - Mailchimp
Are SPF, DKIM, and DMARC records necessary for transactional email servers not used for marketing?
Can DKIM be set up on a subdomain, and which domain should be used for signing?
Do I need to set up DMARC for subdomains?
Do subdomains need their own DMARC records if the main domain has one?
How can I optimize my SPF record to stay within the lookup limit when using multiple email sending services?
How do I properly set up SPF and DKIM records for email marketing, including handling multiple SPF records, IP ranges, bounce capturing, and Google Postmaster Tools verification?
How do I set up DKIM on G Suite for outgoing mail, especially when using multiple email services?
How do I set up DMARC records for subdomains?
How do I setup a subdomain for email sending with Klaviyo?
