Suped

When are separate SPF records needed for a domain and its subdomains?

Summary

The consensus from experts and marketers is that each (sub)domain requires its own SPF record if it sends email. While only one SPF TXT record is permitted per domain, you can authorize multiple sending sources using mechanisms like 'include:'. Subdomains sending emails through different mail servers, ESPs, or with different sending policies than the primary domain necessitate separate SPF records. If a subdomain solely receives emails, an SPF record is not strictly needed but is recommended as a security measure against misuse. When configuring SPF records, be mindful of the limit on 'include:' mechanisms and specific platform requirements, like prioritizing DKIM for Mailchimp. If corporate email is hosted with Gmail, use '@ include:google' on the main domain's record.

Key findings

  • Independent Sending Requires SPF: If a subdomain sends email independently of the main domain, it needs a separate SPF record.
  • Different Servers, Different SPF: Subdomains using different mail servers or ESPs need their own SPF records.
  • One SPF Record Rule: Each (sub)domain can only have one SPF TXT record.
  • SPF Not Always Needed: If a subdomain only receives email, an SPF record isn't required.
  • Prevent Misuse with SPF: Implementing a restrictive SPF record can prevent abuse on subdomains that don't send emails.
  • Multiple Sources via Include: Multiple sending sources can be authorized within a single SPF record using 'include:' and other mechanisms.
  • Mailchimp and DKIM: For Mailchimp, DKIM is often recommended over SPF.

Key considerations

  • Identify Sending Sources: Accurately identify all authorized sending sources for each domain and subdomain.
  • Combine Records: Combine all sending sources into a single SPF record for each domain, using include mechanisms.
  • Evaluate Sending Policies: Check if subdomains have differing sending policies or requirements.
  • SPF Record for Protection: Implement an SPF record as a security measure even if the subdomain is not used for sending any mail.
  • SPF limitations: Be aware of the limitations of SPF such as how many lookups can be performed.
  • Corporate Hosting Setup: Use '@ include:google' at the main domain level for Gmail-hosted corporate email.
  • Monitor Subdomain Activity: Keep track of which subdomains send mail and update SPF records accordingly.
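
The checks this summary describes (one SPF record per name, a record on every sending subdomain, a restrictive record on non-senders, and the lookup limit), as an added Python example that is not code from the original page. The zone data, host names and sender list are constructed; the limit of 10 is RFC 7208's cap on DNS-querying terms, counted here for the top-level record only (nested includes add to the real total).

```python
import re

LOOKUP_LIMIT = 10  # RFC 7208: max DNS-querying terms per SPF evaluation
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def spf_records(txt_values):
    """Return the TXT strings that are SPF records (version tag 'v=spf1')."""
    return [t for t in txt_values if t.lower().split()[:1] == ["v=spf1"]]

def lookup_terms(record):
    """Count terms in one record that trigger a DNS lookup (top level only)."""
    count = 0
    for term in record.split()[1:]:
        # Drop the qualifier (+ - ~ ?), then keep the name before : / or =
        name = re.split(r"[:/=]", term.lstrip("+-~?"), maxsplit=1)[0].lower()
        count += name in LOOKUP_TERMS
    return count

def audit(zone, senders):
    """zone: {name: [TXT strings]}; senders: names that send mail."""
    report = {}
    for name, txts in zone.items():
        spf, findings = spf_records(txts), []
        if len(spf) > 1:
            findings.append("multiple SPF records")
        elif not spf:
            findings.append("sender without SPF" if name in senders
                            else "no restrictive SPF")
        else:
            n = lookup_terms(spf[0])
            if n > LOOKUP_LIMIT:
                findings.append(f"{n} lookup terms exceed {LOOKUP_LIMIT}")
            if name not in senders and spf[0].lower().split() != ["v=spf1", "-all"]:
                findings.append("non-sender authorizes sources")
        report[name] = findings
    return report

# Constructed sample zone. example.com / example.net names are placeholders;
# _spf.google.com is the include host Google publishes for hosted mail.
ZONE = {
    "example.com": ["v=spf1 include:_spf.google.com ~all", "verify=abc"],
    "news.example.com": ["v=spf1 include:esp.example.net -all",
                         "v=spf1 ip4:192.0.2.10 -all"],  # two records
    "shop.example.com": [],                              # sends, no SPF
    "parked.example.com": ["v=spf1 -all"],               # non-sender, locked
    "legacy.example.com": ["v=spf1 " + " ".join(
        f"include:s{i}.example.net" for i in range(11)) + " -all"],
}
SENDERS = {"example.com", "news.example.com", "shop.example.com",
           "legacy.example.com"}

if __name__ == "__main__":
    for name, findings in audit(ZONE, SENDERS).items():
        print(name, "->", findings or ["ok"])
```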

What email marketers say

9 marketer opinions

Separate SPF records for subdomains are needed when those subdomains send email independently from the main domain, especially if they use different mail servers or sending policies. A single SPF record is required per (sub)domain, and it must include all authorized sending sources. If a subdomain doesn't send email, an SPF record is generally not required, but one can be set up to prevent potential misuse. It's important to be aware of the limitations on the number of 'include' mechanisms within an SPF record.

Key opinions

  • Independent Sending: Subdomains sending independently require separate SPF records.
  • Different Servers: Different mail servers or sending policies necessitate separate SPF records.
  • One SPF Record: Each (sub)domain can only have one SPF record.
  • No Sending, No SPF: If a subdomain doesn't send mail, an SPF record isn't strictly required but is recommended as a security measure.
  • Include Limits: Be aware of the limits on the number of 'include' mechanisms.

Key considerations

  • Sending Source: Identify all email sending sources for each (sub)domain.
  • Combine Records: Combine sending sources into a single SPF record for each domain.
  • Security: Even if a subdomain doesn't send email, consider adding a restrictive SPF record.
  • Policy Differences: Determine if subdomains have different email sending policies.
  • DMARC Considerations: Ensure SPF alignment is correctly configured if using DMARC.

Marketer view

Email marketer from Mailjet explains that subdomains may require separate SPF records if they send email independently from the main domain. This is especially important if different servers or services are used to send emails from the subdomain.

2 Mar 2025 - Mailjet

Marketer view

Email marketer from Stack Overflow mentions that each subdomain requires its own SPF record if the IPs it sends mail from are different from the main domain's.

4 Mar 2022 - Stack Overflow

What the experts say

4 expert opinions

Separate SPF records are needed for subdomains when they operate mail servers different from the main domain. Each domain or subdomain that sends mail should have its own SPF record. If a subdomain doesn't send mail, it may not need an SPF record, but creating a restrictive one can prevent abuse. Some platforms might allow setting an envelope domain, requiring an SPF record for the subdomain. For services like Mailchimp, SPF might not be necessary, and setting up a branded DKIM is recommended.

Key opinions

  • Different Mail Servers: Separate SPF records are needed for subdomains using different mail servers.
  • Each Sending Domain Needs SPF: Each domain or subdomain that sends mail needs an SPF record.
  • Non-Sending Subdomains: Subdomains that don't send mail may not need an SPF record.
  • Envelope Domain: Some platforms let you set an envelope domain, requiring SPF for the subdomain.
  • Mailchimp Recommendation: For Mailchimp, branded DKIM is recommended over SPF.

Key considerations

  • Corporate Email Hosting: If corporate email is hosted on Gmail, use '@ include:google' at the main domain.
  • Restrictive SPF: Consider a restrictive SPF record for subdomains that don't send mail to prevent abuse.
  • Platform-Specific Needs: Understand the specific SPF/DKIM needs of your email sending platforms.
  • Monitor Sending Practices: Track which subdomains are actively sending emails.

Expert view

Expert from Email Geeks explains that some ESPs/mail platforms allow a sender to set their own envelope domain, which then requires an SPF record for the subdomain. Last he checked, Mailchimp sets the sender from as one of their domains, so SPF is likely not needed anyway, and he suggests just setting up a branded DKIM.

13 Sep 2021 - Email Geeks

Expert view

Expert from Email Geeks explains that each domain/subdomain needs its own SPF record. He also states that if corporate email is hosted at Gmail, then you likely need "@ include:google" instead of at the subdomain level.

17 Apr 2025 - Email Geeks

What the documentation says

6 technical articles

Documentation generally agrees that each (sub)domain needs its own SPF record if it sends email. While a domain can only have one SPF record, multiple sending sources can be authorized using mechanisms like 'include:'. Subdomains that send bulk emails often require their own SPF record. If a subdomain only receives email, it doesn't need an SPF record, though configuring one to prevent misuse is advised.

Key findings

  • One SPF Record Per Domain: Each domain/subdomain can have only one SPF TXT record.
  • Authorize Multiple Sources: Multiple sending sources can be authorized using 'include:' and other mechanisms.
  • Bulk Email From Subdomains: Subdomains sending bulk emails typically need a separate SPF record.
  • Receiving Only: If a subdomain only receives email, an SPF record is not strictly required.
  • Prevent Misuse: Configuring an SPF record for non-sending subdomains can prevent potential misuse.
  • Independent Sending: Subdomains sending independently require separate SPF records.

Key considerations

  • Identify Sending Sources: Determine all authorized sending sources for each domain/subdomain.
  • Record Configuration: Configure SPF records to accurately reflect authorized sending sources.
  • Bulk Email Practices: Consider SPF needs when sending bulk emails from subdomains.
  • Security Posture: Weigh the benefits of setting up a restrictive SPF record for non-sending subdomains.
  • Review Existing SPF: Review the RFC standard for specifics.

Technical article

Documentation from RFC 7208, which defines the SPF standard, states that each domain name can have only one SPF record and explains the mechanisms (like `include`, `a`, `mx`, `ip4`, `ip6`) for specifying authorized sending sources. It implicitly suggests separate records for subdomains if policies differ.

22 Apr 2025 - RFC Editor

Technical article

Documentation from DMARC Analyzer explains that if the subdomain is only being used for receiving emails, it does not need an SPF record.

2 Nov 2021 - DMARC Analyzer
