Does each new subdomain require its own SPF and DKIM records?

Yes, each subdomain that sends email needs its own SPF record and DKIM setup. This is because email authentication checks are performed against the specific domain (or subdomain) from which the email appears to originate. You can learn more about SPF records and subdomains .

Who generates the SPF and DKIM records for my subdomains?

Your third-party email service provider (ESP) should generate these records for you. They will provide the specific hostnames and values you need to input into your DNS settings. After adding them, most ESPs offer a validation tool to confirm the records are correctly configured and propagated.

Where do I add these SPF and DKIM records?

You will add these records through your domain registrar (e.g., GoDaddy, Namecheap) or your DNS hosting provider's control panel. Look for a section related to DNS management, advanced DNS settings, or similar, where you can add new TXT and CNAME records.

Is it still necessary to set up my own SPF and DKIM if the third-party service passes authentication on its own?

Yes, even if a third-party service authenticates with its own domain, setting up your own SPF and DKIM for your subdomain is highly recommended. This allows for DMARC alignment, which is crucial for maximizing deliverability and protecting your brand. It also ensures your emails build a reputation tied to your specific subdomain rather than a shared IP reputation.

How long does it take for SPF and DKIM records to propagate?

Propagation time varies but typically ranges from a few minutes to several hours, and in some cases, up to 48 hours. After adding the records, use your ESP's validation tool or a public DNS checker to confirm they are live.

How do I set up SPF and DKIM records for new subdomains when using third-party email services? - Technical - Email deliverability - Knowledge base

Setting up email authentication records like SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) for new subdomains, especially when using third-party email services, can feel complex. Many organizations leverage subdomains for specific email streams, such as marketing campaigns, transactional alerts, or customer service communications, often handled by specialized email service providers (ESPs).

The good news is that the process is generally straightforward once you understand the roles of your domain registrar, your DNS hosting provider, and the third-party email service. The goal is to ensure that emails sent from your subdomains are properly authenticated, which helps improve deliverability and protect your domain's reputation from spoofing and phishing attempts.

Suped DMARC monitoring

Free forever, no credit card required

Learn more

Trusted by teams securing millions of inboxes

Why use subdomains for third-party email services?

When you decide to use a subdomain for email sending, such as rewards.yourdomain.com or surveys.yourdomain.com, and delegate the sending to a third-party service, you are essentially granting that service permission to send emails on your behalf. For this to work reliably and securely, you need to tell receiving mail servers that these third parties are authorized senders. This is where SPF and DKIM come in.

A key reason for using subdomains is to isolate the reputation of your various email sending activities. For example, if your marketing emails from marketing.yourdomain.com encounter deliverability issues (e.g., land in spam folders), it won't directly affect the reputation of your critical transactional emails sent from transactional.yourdomain.com. This segregation helps maintain consistent inbox placement for your most important communications.

It's also common for third-party services to require specific DNS records for authentication. These services generate the necessary SPF and DKIM records tailored for your subdomain and their infrastructure. Your role is primarily to add these records to your domain's DNS settings, typically through your domain registrar or DNS host.

Understanding SPF and DKIM for subdomains

SPF (Sender Policy Framework) is a DNS TXT record that specifies which mail servers are authorized to send email on behalf of your domain. When a receiving mail server gets an email from your domain, it checks your SPF record to verify if the sending server's IP address is listed as an authorized sender. If it's not, the email might be flagged as spam or rejected. For a subdomain, you'll create an SPF record specifically for that subdomain.

DKIM (DomainKeys Identified Mail) adds a digital signature to your outgoing emails, allowing receiving mail servers to verify that the email hasn't been tampered with in transit and that it genuinely originates from your domain. DKIM involves two keys, a private key used by the sending server to sign emails, and a public key published in your domain's DNS records, usually as a CNAME record that points to the third-party service's key.

For subdomains, DKIM setup often involves creating a CNAME record with a specific selector (e.g., s1._domainkey.rewards.yourdomain.com) that points to the DKIM record hosted by your third-party email service. This allows them to handle the signing process, while still authenticating the email as coming from your subdomain. Understanding how DKIM functions with subdomains is crucial for proper email authentication.

Even if an email passes SPF or DKIM because the third-party service uses its own domain for authentication, it is always a best practice to set up your own SPF and DKIM for your subdomain. This ensures alignment with your organizational domain, which is vital for DMARC (Domain-based Message Authentication, Reporting, and Conformance). You can learn more about where these important email authentication records should be placed.

Steps for setting up SPF and DKIM

The first step is to contact your third-party email service provider and request the specific SPF and DKIM records you need to add to your DNS. They will typically provide these in the form of TXT records for SPF and CNAME records for DKIM, along with specific hostnames (or names) and values.

Retrieve records: Ask your third-party email service for the exact SPF (TXT) and DKIM (CNAME or TXT) records to add to your DNS.
Access DNS settings: Log in to your domain registrar or DNS hosting provider's control panel. This is where your domain's DNS records are managed.
Add SPF record: Create a new TXT record for your subdomain. The Name/Host field will be your subdomain (e.g., rewards) and the Value/Text field will be the SPF string provided by your email service.
Add DKIM record: Create a new CNAME record for your subdomain. The Name/Host will be the DKIM selector (e.g., s1._domainkey.rewards) and the Value/Target will be the host provided by your email service. Microsoft Learn offers detailed guidance on configuring DKIM.
Validate: Most email services provide a way to validate that your DNS records have been correctly added and propagated. Always use this feature to confirm your setup.

Here’s a simplified example of what these records might look like, though the exact values will come from your third-party provider:

Example SPF record for a subdomainDNS

Type: TXT
Name/Host: rewards.yourdomain.com
Value/Text: v=spf1 include:spf.thirdparty.com ~all

Example DKIM record for a subdomainDNS

Type: CNAME
Name/Host: s1._domainkey.rewards.yourdomain.com
Value/Target: dkim.thirdparty.com

Common challenges and best practices

A common challenge is the SPF 10-lookup limit. Each include or a mechanism in your SPF record counts as a DNS lookup. Exceeding this limit can cause SPF to fail, impacting your email deliverability. For subdomains, this is usually less of an issue because their SPF records are often simpler, dedicated to just one or two services. However, if you are planning to use multiple services for a single domain, careful management is required.

Another point of confusion can arise if your third-party service already passes SPF or DKIM for your emails by using their own domains. While this might get your emails delivered, it doesn't align with your organizational domain, which is crucial for DMARC policies. Setting up your own authentication for subdomains is always recommended for full control and better domain reputation. This also prevents potential issues related to domain blocklisting.

Third-party authentication only

When a third-party service authenticates emails with their own domain's SPF and DKIM records, even if your From: address shows your subdomain.

Pros: Easier setup, as you might not need to add DNS records yourself.
Cons: No DMARC alignment, which means DMARC policy (even if set) will likely fail, and emails may be marked as spam or rejected by stricter receivers. Less control over your domain's sending reputation.

Your own subdomain authentication

You explicitly add SPF and DKIM records for your subdomain, pointing to the third-party service.

Pros: Enables DMARC alignment, providing robust protection against spoofing. You build reputation on your subdomain, improving deliverability. Full control over your email authentication. Essential for compliance with Google's and Yahoo's new sender requirements.
Cons: Requires careful management of DNS records.

Final thoughts on email authentication

Setting up SPF and DKIM for new subdomains with third-party email services is a critical step towards achieving excellent email deliverability and protecting your brand. While the initial setup might seem daunting, breaking it down into steps simplifies the process. Always prioritize obtaining the exact records from your email service provider and meticulously adding them to your DNS.

Remember, proactive email authentication protects your domain from unauthorized use and ensures your messages reach your recipients' inboxes, not their spam folders. If you're looking for a simple guide to DMARC, SPF, and DKIM, you can find more information in our knowledge base.

Views from the trenches

Best practices

Always obtain the exact SPF and DKIM records directly from your third-party email service provider.

Ensure that each subdomain has its own specific SPF and DKIM records, rather than relying on your main domain's records.

Verify the correct DNS record propagation using your ESP's validation tools or public DNS lookup tools.

Common pitfalls

Overlooking the SPF 10-lookup limit when consolidating multiple SPF 'include' mechanisms.

Assuming third-party services automatically handle full domain authentication for your specific subdomain.

Not validating DNS changes after adding or updating SPF and DKIM records.

Expert tips

For large organizations, consider using automated DNS management solutions to simplify record updates across many subdomains.

Regularly monitor DMARC reports to identify any authentication issues or unauthorized senders using your subdomains.

Communicate clearly with your third-party vendors about your specific authentication requirements and expectations.

Expert view

Expert from Email Geeks says that third-party ESPs typically provide an 'include' statement for your SPF record, which you then add to your domain's DNS settings, and DKIM setup is similar but often uses a CNAME record.

2023-04-19 - Email Geeks

Expert view

Expert from Email Geeks says that email service providers should always give you the necessary SPF and DKIM records, and your role is to add them to your web host and then validate them within the service.

2023-04-19 - Email Geeks