Yes, in most cases, your SPF record absolutely needs to be at your root domain. When you send an email from an address like you@yourdomain.com, the receiving mail server performs a check by looking for an SPF record specifically on yourdomain.com. If it's not there, the check will fail.
This is a fundamental part of how Sender Policy Framework (SPF) works. It's a DNS-based system, meaning the location of the record is just as important as its content. The goal is to create a public record that explicitly states which mail servers are permitted to send email on behalf of your domain. As E-N Computers puts it, "You'll need to create a TXT DNS record for the root of your domain."
The main exception to this rule involves subdomains. If you send emails from a subdomain, for example alerts@marketing.yourdomain.com, then the SPF record must be published on that specific subdomain, marketing.yourdomain.com. An SPF record on the root domain will not cover it.
This is a feature, not a bug. It allows you to have different sending policies and authorized IP addresses for different parts of your business, such as separating your marketing email infrastructure from your transactional email infrastructure. Each can have its own tailored SPF record on its respective subdomain, without interfering with the other or the root domain.
An SPF record is published as a TXT record in your DNS settings. When you create this record, you have to specify a "Host" or "Name". To apply the record to your root domain, DNS providers commonly use an @ symbol or require you to leave the field blank. For a subdomain, you would enter the subdomain itself (e.g., marketing).
Crucially, a domain or subdomain can only have one SPF record. According to the official standard, multiple SPF records for the same domain are not allowed. If you have more than one, it will cause a permanent error during the SPF check, and your authentication will fail. If you need to authorize multiple email services, you must merge them into a single record using mechanisms like include:.
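The subdomain rule and the one-record rule above can be checked together. This is an added example, not code from the original article: the zone contents, the billing subdomain, the include: targets and the function names are constructed for illustration, and the status names follow the SPF result names none and permerror.

```python
# Constructed sample zone: owner name -> TXT strings published at that exact name.
# The include: targets and IP addresses are placeholders, not real services.
ZONE = {
    "yourdomain.com": ["v=spf1 include:_spf.mailhost.example -all",
                       "site-verification=constructed-token"],
    "billing.yourdomain.com": ["v=spf1 ip4:192.0.2.10 -all",
                               "v=spf1 include:_spf.esp.example ~all"],
}

def spf_records(txt_values):
    """Return only the TXT values that are SPF records (version tag v=spf1)."""
    return [v for v in txt_values
            if v.lower() == "v=spf1" or v.lower().startswith("v=spf1 ")]

def locate_spf(sender, zone):
    """Look up SPF at the sender's exact domain; parents are never consulted."""
    domain = sender.rsplit("@", 1)[-1].lower().rstrip(".")
    found = spf_records(zone.get(domain, []))
    if not found:
        return domain, "none", None          # nothing published at this name
    if len(found) > 1:
        return domain, "permerror", None     # more than one SPF record
    return domain, "found", found[0]

def merge_spf(records, final_all):
    """Combine several SPF records into one, ending in the chosen 'all' term."""
    terms = []
    for record in records:
        for term in record.split()[1:]:      # skip the v=spf1 tag
            is_all = term.lstrip("+-~?").lower() == "all"
            if not is_all and term not in terms:
                terms.append(term)
    return " ".join(["v=spf1", *terms, final_all])

def report(zone):
    """Check three sender addresses against the zone and return the results."""
    senders = ["you@yourdomain.com", "alerts@marketing.yourdomain.com",
               "invoices@billing.yourdomain.com"]
    return [locate_spf(s, zone) for s in senders]

if __name__ == "__main__":
    for domain, status, record in report(ZONE):
        print(f"{domain}: {status} {record or ''}")
    print(merge_spf(spf_records(ZONE["billing.yourdomain.com"]), "-all"))
```

The marketing subdomain returns none even though the root has a valid record, and the billing subdomain returns permerror until its two records are merged into the single one printed on the last line.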
Getting the location of your SPF record right is non-negotiable for email authentication. Here is a summary of the most important points:
In short, where you place your SPF record is determined entirely by the domain you use in the "from" address of your emails. Get that right, and you are one step closer to ensuring your emails are trusted and delivered.