Summary
Configuring SPF for subdomains with a different 'from' domain requires a multi-faceted approach. Each subdomain needs its own SPF record that explicitly authorizes mail servers sending on its behalf. The 'include:' mechanism is crucial for referencing the 'from' domain's SPF record and authorizing its servers. Ensuring proper SPF alignment with DMARC policies is essential, especially under strict DMARC settings. The Envelope From address, used for SPF checks, must also be correctly set. Regular monitoring, updates, and validation of SPF records are key to maintaining optimal email deliverability and preventing spoofing.
Key findings
- SPF Required per Subdomain: An SPF record is required for each subdomain.
- Importance of 'include:': The 'include:' mechanism is vital for authorizing the 'from' domain's mail servers within the subdomain's SPF record.
- DMARC Alignment is Critical: Proper SPF alignment with DMARC policies is crucial for email deliverability.
- Envelope From Matters: The Envelope From address plays a key role in SPF checks.
Key considerations
- DMARC Enforcement: Be aware of DMARC policies, particularly strict settings (p=reject), and their impact on email delivery based on SPF alignment.
- SPF Syntax: Ensure SPF record syntax is correct to prevent errors.
- SPF Testing: Test SPF configuration to validate setup and detect deliverability problems.
- Regular Maintenance: Regularly monitor and update SPF records to reflect changes in sending sources or domains.
What email marketers say
11 marketer opinions
When sending emails from a subdomain with a 'from' address using a different domain, configuring SPF involves creating an SPF record for the subdomain that authorizes the servers used by the 'from' domain. This is commonly achieved using the 'include:' mechanism in the subdomain's SPF record, which references the 'from' domain's SPF record. It's important to also ensure SPF alignment is properly configured, particularly within DMARC settings, to avoid deliverability issues. Monitoring and updating SPF records is essential for maintaining optimal email deliverability.
Key opinions
- SPF Record Required: Each subdomain must have its own SPF record.
- Include Mechanism: Use the 'include:' mechanism in the subdomain's SPF record to authorize the 'from' domain's mail servers.
- DMARC Alignment: Ensure SPF alignment is configured correctly within DMARC policies to prevent deliverability issues, particularly with strict DMARC policies.
- Dedicated SPF: Create specific SPF records for each subdomain, including the IP addresses of authorized servers.
Key considerations
- SPF Syntax: Ensure proper SPF syntax to avoid errors. Use tools to validate your SPF records.
- DMARC Settings: Review DMARC settings to ensure they align with your SPF configuration, particularly 'aspf=s' which enforces strict alignment.
- Monitoring: Regularly monitor SPF records and DMARC reports to identify and address any deliverability issues.
- Authorization: Confirm mail servers are properly authorized to prevent deliverability issues.
Marketer view
Email marketer from EasyDMARC recommends creating specific SPF records for each subdomain, including the IP addresses of the servers authorized to send email from that subdomain. If the subdomain is only used for sending emails, its SPF record should authorize those specific servers; if it interacts with other domains, additional 'include:' statements may be needed to incorporate their SPF records.
1 Jun 2023 - EasyDMARC
Marketer view
Email marketer from Mailjet suggests that the SPF record for the subdomain should include the IP addresses or domain names of the servers that are sending the email. If the 'from' domain's mail server is different, you can use the 'include:' mechanism in your SPF record to reference the 'from' domain's SPF record.
13 Oct 2022 - Mailjet
What the experts say
4 expert opinions
Configuring SPF for subdomains when the 'from' address uses a different domain requires specific attention to SPF records and DMARC alignment. An SPF record is necessary for each subdomain, and it should authorize the 'from' domain's mail servers, typically using the 'include:' mechanism. The Envelope From address is the SPF domain. Additionally, ensuring correct SPF alignment within DMARC policies, especially with strict policies, is crucial for preventing deliverability problems.
Key opinions
- SPF Required per Subdomain: SPF is required for each subdomain.
- Envelope From Importance: The Envelope From address dictates the SPF domain, making correct SPF setup essential.
- Include Mechanism for Authorization: Utilizing the 'include:' mechanism in the subdomain's SPF record authorizes the 'from' domain's mail servers.
- DMARC Alignment Critical: Proper SPF alignment within DMARC policies is crucial for avoiding deliverability issues.
Key considerations
- DKIM Configuration: While SPF is required per subdomain, DKIM can be configured with either a shared domain or a key for each subdomain.
- DMARC Policy: The DMARC policy, especially if set to strict (p=reject), significantly impacts deliverability based on SPF alignment.
- Subdomain Scope: DMARC/BIMI cascade to all subdomains from the organization domain level
- SPF Record Updates: Regularly review and update SPF records to reflect any changes in sending sources or domains.
Expert view
Expert from Email Geeks explains that SPF is required for each subdomain, while DKIM can use a shared domain or a key for each subdomain. He also mentions that DMARC/BIMI cascade to all subdomains from the organization domain level.
1 Nov 2021 - Email Geeks
Expert view
Expert from Word to the Wise suggests that, in addition to configuring the SPF records themselves, ensure SPF alignment within DMARC policies is correct. If your DMARC policy is set to 'strict,' and your subdomain's SPF record doesn't align perfectly with the 'from' domain, you may encounter deliverability issues.
3 Dec 2024 - Word to the Wise
What the documentation says
4 technical articles
When sending email from a subdomain, each subdomain requires its own SPF record. This SPF record must explicitly authorize all mail servers permitted to send emails on behalf of the subdomain. Properly configuring these records is crucial for preventing spoofing, improving email deliverability, and ensuring alignment with DMARC policies, which require consistency between the 'HELO' or 'MAIL FROM' domain and the 'From:' header.
Key findings
- SPF Per Subdomain: Each subdomain needs its own SPF record.
- Explicit Authorization: The SPF record must explicitly list authorized mail servers.
- Spoofing Prevention: Proper SPF configuration prevents email spoofing.
- DMARC Alignment: SPF must align with DMARC policies, verifying domain consistency.
Key considerations
- Record Accuracy: Ensure SPF records accurately reflect all authorized sending sources.
- Regular Updates: Regularly update SPF records to accommodate changes in mail server configurations.
- Syntax Validation: Validate SPF record syntax to prevent errors that could impact deliverability.
- Impact of DMARC: Understand how DMARC policies affect SPF validation and overall email authentication.
Technical article
Documentation from Cloudflare explains that an SPF record should be created that explicitly states which IP addresses or hostnames are permitted to send emails on behalf of your domain or subdomain. Properly configuring this record will help prevent spoofing and improve email deliverability.
29 Aug 2023 - Cloudflare
Technical article
Documentation from Google Workspace Admin Help explains that when sending email from a subdomain, the SPF record must be set up for that specific subdomain. The SPF record should authorize the mail servers that are allowed to send email on behalf of the subdomain.
7 Jun 2023 - Google Workspace Admin Help
Are SPF, DKIM, and DMARC records necessary for transactional email servers not used for marketing?
How can I resolve DMARC verification failures when using a subdomain for email sending?
How do I properly set up SPF and DKIM records for email marketing, including handling multiple SPF records, IP ranges, bounce capturing, and Google Postmaster Tools verification?
How do SPF records and DKIM keys work with multiple email services like Klaviyo and Shopify?
How to configure SPF, DKIM, and DMARC when sending marketing emails from a subdomain but signing with the primary domain?
What are SPF, DKIM, and DMARC, and when are they needed?
