When sending emails from new subdomains using third-party email services, setting up correct SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) records is crucial for email deliverability and preventing your messages from landing in the spam folder. While these third-party services often handle some authentication on their end, it's best practice to implement your own domain authentication to maintain control and improve sender reputation.
Key findings
Provider assistance: Third-party email service providers (ESPs) typically furnish the necessary SPF and DKIM records or instructions for their configuration.
DNS management: You are responsible for adding these records to your domain's DNS (Domain Name System) settings, usually via your web host or DNS provider.
Subdomain specific records: Each subdomain used for sending emails should ideally have its own SPF record and DKIM keys to ensure proper authentication, separate from your primary domain's records. You can learn more about this in our guide on whether a subdomain needs its own SPF record.
Shared infrastructure: Some third-party providers use shared infrastructure and may authenticate emails using their own SPF and DKIM, even if you haven't set up your own records yet.
Validation process: After adding the DNS records, you typically need to validate them within the third-party service's interface to confirm they are correctly configured.
Key considerations
Mail From domain: Be aware that some providers may not use your domain in the 'MAIL FROM' (or envelope From) address, which is where SPF is most relevant. In such cases, they might not require or provide an SPF record for your domain.
Own authentication importance: Even if a provider authenticates on your behalf, it's highly recommended to set up your own SPF and DKIM for your sending domains and subdomains. This strengthens your brand's legitimacy and improves deliverability, as highlighted by the University of Pennsylvania's ISC documentation.
DKIM vs SPF for subdomains: While SPF typically applies to the MAIL FROM domain, DKIM signs the email with a cryptographic key associated with your domain (or subdomain). Consider if your provider allows you to set up DKIM for your specific subdomain, as discussed in our article about DKIM setup on a subdomain.
Consult provider documentation: Always refer to the specific third-party email service's documentation for precise instructions, as the exact process and record formats can vary.
Email marketers often find the process of setting up DNS records daunting, especially when dealing with multiple subdomains and third-party sending services. Their experiences highlight the common practice of ESPs providing the necessary SPF and DKIM records and the importance of validating these records within the service after adding them to DNS.
Key opinions
Provider-generated records: Marketers frequently express that third-party email providers should supply the specific SPF and DKIM records required for authentication.
Simple process: Many describe the setup as a straightforward three-step process: receiving records from the ESP, adding them to your DNS, and then validating them back in the ESP's platform.
Authentication check: A common first step for marketers troubleshooting issues is to send a test email and check the headers to see if SPF and DKIM are passing, even before adding records manually, as detailed by Inbox Collective's guide.
Importance of validation: The validation step within the ESP is critical to confirm the records are correctly recognized and active.
Key considerations
Subdomain SPF specificity: Marketers should be aware that each subdomain typically requires its own SPF record, separate from the primary domain, for distinct email sending purposes. For complex setups, refer to our troubleshooting guide on SPF authentication issues.
Multiple ESPs: When using multiple third-party services, marketers need to ensure all 'include' mechanisms are properly aggregated into a single SPF record per domain/subdomain to avoid exceeding the 10 DNS lookup limit.
Custom DKIM: Even if a provider uses its own DKIM signing, marketers should inquire if setting up a custom DKIM for their domain (or subdomain) is recommended for stronger authentication and brand alignment.
Understanding mail flow: It's important for marketers to understand which domain is being used in the 'MAIL FROM' address, as this directly impacts SPF alignment and authentication outcomes.
Marketer view
Marketer from Email Geeks explains that typically, your Email Service Provider will provide specific instructions, such as an "include" directive for your SPF record. You then integrate this into your sending domain's DNS settings in the appropriate location.
19 Apr 2023 - Email Geeks
Marketer view
Marketer from Spiceworks Community notes that SPF records are essentially a permissions list. They include your own domain and all third-party services that send email on your behalf, whether from your main domain or a subdomain.
20 Feb 2024 - Spiceworks Community
What the experts say
Experts in email deliverability offer nuanced advice on SPF and DKIM setup for subdomains, particularly when using third-party services. They highlight the complexities around the 'MAIL FROM' domain, shared infrastructure, and the strategic decision of implementing your own authentication even when providers handle some aspects by default.
Key opinions
MAIL FROM domain matters: Experts stress the importance of understanding whether the third-party provider uses your domain in the 'MAIL FROM' (envelope sender) address, as this dictates the relevance of your SPF record.
Double DKIM signing: Many providers will perform double DKIM signing, using their own domain for authentication alongside the customer's domain if configured.
Shared infrastructure considerations: Providers using extensive shared infrastructure might not strictly require customers to set up their own DKIM, as their own signing covers the authentication.
Proactive authentication: Even with default provider authentication, experts advise setting up your own authentication records (SPF, DKIM, and DMARC) for better long-term deliverability and brand control.
Key considerations
Alignment implications: If a provider uses their own domain for the MAIL FROM, your SPF record for your domain might not align with the sending domain, potentially impacting DMARC results. Our guide on DMARC, SPF, and DKIM provides further insight.
Custom DKIM benefits: Setting up custom DKIM for your subdomains provides stronger cryptographic proof that the email originates from your organization, enhancing trust with recipients and inbox providers.
Subdomain best practices: Experts recommend using dedicated subdomains for different email streams (e.g., transactional, marketing) and properly authenticating each one to isolate reputation. You can read more about subdomain usage for email deliverability.
Vendor communication: It's essential to directly ask your third-party providers about their specific recommendations for SPF and DKIM setup, especially regarding whether they suggest using your own authentication keys.
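Checking the headers of a test message, together with the alignment point above, as an added example (not code from the quoted sources): it reads the Authentication-Results header and reports whether SPF or DKIM passed for a domain aligned with the From address. The message, the domain names and the two-label organizational-domain shortcut are assumptions; real alignment checks use the Public Suffix List.

```python
import re
from email import message_from_string

# Constructed test message: the provider uses its own MAIL FROM domain and
# double-signs with DKIM (its own domain plus the customer's subdomain).
RAW = """\
Authentication-Results: mx.receiver.example;
 spf=pass smtp.mailfrom=bounces.esp-one.example;
 dkim=pass header.d=esp-one.example header.s=s1;
 dkim=pass header.d=news.example.com header.s=esp1;
 dmarc=pass header.from=news.example.com
From: Example News <hello@news.example.com>
Subject: test

body
"""

def org_domain(domain):
    # Assumption: the last two labels stand in for the organizational domain.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def check_alignment(raw):
    """Report which passing SPF/DKIM identities align with the From domain."""
    msg = message_from_string(raw)
    from_domain = re.search(r"@([\w.-]+)", msg["From"]).group(1).lower()
    # Only the topmost header, the one added by your own receiving server, is trusted.
    results = msg["Authentication-Results"] or ""
    spf = re.search(r"\bspf=(\w+)[^;]*?smtp\.mailfrom=(?:[^\s;@]*@)?([\w.-]+)", results)
    dkim = re.findall(r"\bdkim=(\w+)[^;]*?header\.d=([\w.-]+)", results)

    def aligned(d):
        return org_domain(d) == org_domain(from_domain)

    spf_aligned = bool(spf) and spf.group(1) == "pass" and aligned(spf.group(2))
    dkim_aligned = [d for res, d in dkim if res == "pass" and aligned(d)]
    return {
        "from_domain": from_domain,
        "spf_domain": spf.group(2) if spf else None,
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        # DMARC needs at least one aligned pass, from either mechanism.
        "dmarc_pass": spf_aligned or bool(dkim_aligned),
    }

if __name__ == "__main__":
    print(check_alignment(RAW))
```

Here SPF passes for the provider's bounce domain but does not align, so the aligned custom DKIM signature is what carries DMARC.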
Expert view
Expert from Email Geeks reminds that one crucial aspect to consider is that some providers do not use your domain in the MAIL FROM domain, or they don't do it automatically. Since SPF is relevant to the MAIL FROM domain, if the provider doesn't use your domain there, they might not provide an SPF record for you to add.
19 Apr 2023 - Email Geeks
Expert view
Expert from SpamResource.com notes that when a domain uses multiple sending services or subdomains, carefully managing the SPF record is essential. Each sending identity should be authorized, and aggregation of include mechanisms is often necessary to avoid SPF lookup limits.
05 Mar 2024 - SpamResource.com
What the documentation says
Official documentation from various email service providers and industry bodies consistently outlines the technical steps for configuring SPF and DKIM records. These resources emphasize the critical role of these authentication protocols in ensuring email delivery, particularly when leveraging subdomains and external sending platforms.
Key findings
DNS record types: SPF records are typically configured as TXT records, while DKIM records can be TXT or CNAME records, depending on the provider's instructions.
Subdomain independence: Documentation often advises creating separate SPF records for each subdomain and potentially a main SPF record for the primary domain to cover all sending sources, as noted by AutoSPF.
Provider-specific keys: DKIM keys are unique to each sending service and must be obtained directly from that third-party platform.
DMARC integration: Many documents highlight that SPF and DKIM are foundational for DMARC, a policy that tells receiving servers how to handle emails that fail authentication.
Key considerations
DNS propagation time: Documentation frequently reminds users that DNS changes, including new SPF and DKIM records, can take time to propagate across the internet, typically a few hours but sometimes up to 48 hours.
Lookup limits: SPF records have a 10 DNS lookup limit, which requires careful management when including multiple third-party services, as exceeding this can lead to authentication failures. Our guide on SPF DNS timeout issues provides more detail.
Monitoring and troubleshooting: It is advised to monitor email deliverability and regularly check authentication status using tools like DMARC reports to identify and fix any SPF or DKIM issues, as discussed by UNC's knowledge base.
Record specificity: Ensure that the SPF and DKIM records are accurately copied from the third-party provider and placed in the correct location for the specific subdomain being used, not the primary domain if it's not the sending domain.
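The 10-lookup limit described above for records that aggregate several providers can be checked before a record is published. The following is an added example, not code from any provider or from the sources quoted on this page; the zone contents and all domain names are constructed, and the count is the worst case in which every term is evaluated.

```python
import re

# Constructed sample zone (stand-in for DNS TXT answers) so this runs offline.
ZONE = {
    "news.example.com": "v=spf1 include:_spf.esp-one.example "
                        "include:_spf.esp-two.example include:_spf.crm.example ~all",
    "billing.example.com": "v=spf1 include:_spf.esp-one.example -all",
    "_spf.esp-one.example": "v=spf1 include:_a.esp-one.example include:_b.esp-one.example -all",
    "_a.esp-one.example": "v=spf1 ip4:192.0.2.0/25 -all",
    "_b.esp-one.example": "v=spf1 ip4:192.0.2.128/25 -all",
    "_spf.esp-two.example": "v=spf1 a mx include:_pool.esp-two.example -all",
    "_pool.esp-two.example": "v=spf1 ip4:198.51.100.0/24 exists:%{i}._chk.esp-two.example -all",
    "_spf.crm.example": "v=spf1 mx:mail.crm.example redirect=_fallback.crm.example",
    "_fallback.crm.example": "v=spf1 ip4:203.0.113.0/24 -all",
}

LIMIT = 10                             # RFC 7208 section 4.6.4
DIRECT = {"a", "mx", "ptr", "exists"}  # one DNS query each
RECURSE = {"include", "redirect"}      # one query plus the target record's own terms
TERM = re.compile(r"[+\-~?]?([A-Za-z0-9]+)(?:[:=]([^/\s]+))?")

def count_lookups(domain, zone, path=()):
    """Worst-case number of DNS-querying terms evaluated for `domain`."""
    if domain in path:
        raise ValueError("SPF loop: " + " -> ".join(path + (domain,)))
    record = zone.get(domain, "")
    if not record.lower().startswith("v=spf1"):
        raise LookupError(f"no SPF record published at {domain}")
    total = 0
    for term in record.split()[1:]:
        name, target = TERM.match(term).groups()
        name = name.lower()
        if name in DIRECT:
            total += 1
        elif name in RECURSE and target:
            # Nested includes count against the same budget as the top-level record.
            total += 1 + count_lookups(target, zone, path + (domain,))
    return total

def audit(domain, zone):
    n = count_lookups(domain, zone)
    return {"domain": domain, "lookups": n, "within_limit": n <= LIMIT}

if __name__ == "__main__":
    for d in ("news.example.com", "billing.example.com"):
        print(audit(d, ZONE))
```

The marketing subdomain that aggregates three providers reaches 11 lookups, while the subdomain dedicated to a single provider stays at 3.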
Technical article
Documentation from AutoSPF outlines that to properly set up SPF records for subdomains, you should create distinct SPF records for each subdomain you intend to use for email sending. Additionally, it is important to maintain a primary SPF record for your main domain.
05 Mar 2024 - AutoSPF
Technical article
Documentation from UPenn ISC states that when sending email from a third-party application or vendor using a subdomain, the first step is to obtain the specific SPF and DKIM information directly from that third-party service. This may also involve instructing the service to enable DKIM for your domain.