Does a subdomain need its own SPF record if I'm sending from it?

Yes, each subdomain you use for sending emails needs its own SPF record. SPF checks the Return-Path (or Envelope From) domain, which is typically the subdomain when sending from one. Therefore, the SPF record must be configured specifically for that subdomain to authorize your sending servers. You can learn more about this in our article: Does a subdomain used for sending emails need its own SPF record?

How does the 'From' email domain affect SPF when using a subdomain?

SPF validation looks at the Return-Path domain, while the 'From' header is what recipients see. If your 'From' header uses your primary domain and your Return-Path uses a subdomain, SPF will pass if the subdomain's SPF record is correct. However, DMARC alignment might require relaxed SPF alignment ( aspf=r ) for the 'From' domain to align with the subdomain's SPF pass.

What are common SPF configuration mistakes for subdomains?

A common mistake is having multiple SPF records for the same domain/subdomain or exceeding the 10-DNS lookup limit. Both can cause SPF PermError s. Also, an aspf=s (strict) DMARC SPF alignment policy can cause failures if your Return-Path domain is a subdomain of your 'From' header domain.

What should my SPF record look like for a subdomain?

You should include all authorized sending sources (e.g., your ESP's SPF record via an include mechanism) in the TXT record for your subdomain. For instance, v=spf1 include:espservice.com ~all .

How can I check if my SPF configuration is working correctly?

DMARC aggregate reports provide detailed feedback on your email authentication results, including SPF and DKIM passes/failures. Regularly reviewing these reports can help you identify if your SPF record is correctly configured for your subdomain and if DMARC alignment is succeeding.

How to configure SPF when sending from a subdomain with a different 'from' email domain? - Technical - Email deliverability - Knowledge base

Sending emails from a subdomain while maintaining a different 'From' email domain in the header can be a tricky balancing act. Many marketers and system administrators face challenges ensuring that these emails pass authentication checks and reach the inbox. It's a common scenario where, for instance, your marketing emails might originate from a subdomain like news.yourcompany.com but the 'From' address visible to recipients is info@yourcompany.com. This configuration, while seemingly straightforward, often leads to SPF (Sender Policy Framework) failures if not handled correctly.

The core of the issue often lies in how email authentication protocols, particularly SPF, interpret and validate the various domains involved in an email's journey. Understanding the difference between the 'From' header domain (what recipients see) and the 'Return-Path' domain (used for SPF checks) is crucial. A misconfiguration here can result in your legitimate emails being flagged as spam or outright rejected, impacting your overall email deliverability.

Suped DMARC monitoring

Free forever, no credit card required

Learn more

Trusted by teams securing millions of inboxes

The fundamentals of SPF and subdomains

SPF is designed to prevent email spoofing by allowing domain owners to specify which mail servers are authorized to send email on their behalf. This is done by publishing an SPF record, a TXT record in your DNS, which lists authorized IP addresses and domains. When an email is received, the recipient's mail server checks the SPF record of the domain found in the email's Return-Path header (also known as the Envelope From address) against the sending IP address.

The critical point here is that SPF checks the Return-Path domain, not necessarily the 'From' header domain that end-users see in their email client. When you send from a subdomain (e.g., marketing.yourdomain.com) but set your 'From' header to your main domain (yourdomain.com), the Return-Path domain will typically be the subdomain. Therefore, the SPF record must be correctly configured for that sending subdomain.

It's a common misconception that SPF records cascade from the main domain to its subdomains. This is not how SPF works, as a subdomain does not inherently inherit the SPF policy of its parent domain. Each subdomain you use to send email needs its own dedicated SPF record that authorizes the specific sending infrastructure for that subdomain. For a more in-depth look at how SPF interacts with different domains, you can refer to this comprehensive guide on SPF for subdomains.

Understanding SPF and DMARC alignment

While SPF validates the Return-Path domain, DMARC (Domain-based Message Authentication, Reporting & Conformance) is the protocol that ties everything together by checking the alignment between the 'From' header domain and the domains validated by SPF and DKIM (DomainKeys Identified Mail). For SPF to pass DMARC alignment, the domain in the Return-Path header must either exactly match (strict alignment, aspf=s) or be a subdomain of (relaxed alignment, aspf=r) the 'From' header domain.

When you're sending from a subdomain (e.g., sub.example.com) but your 'From' email domain is the primary domain (example.com), you'll need to rely on relaxed SPF alignment for DMARC. This is because the Return-Path domain (subdomain) is a child of the 'From' header domain (primary domain), satisfying the relaxed alignment requirement. If your DMARC record specifies strict SPF alignment (aspf=s), then SPF will fail DMARC alignment, even if the SPF check itself passes. This is a common cause of DMARC verification failures.

You can examine your DMARC record using a free DMARC record generator or checker to ensure your alignment settings are appropriate for your sending strategy. If aspf=s is present, it will mandate an exact match, which isn't suitable for a primary 'From' domain with a subdomain Return-Path. In such cases, DKIM authentication often becomes the primary mechanism for DMARC alignment, as DKIM can sign with a domain that matches the 'From' header, even if the Return-Path is a subdomain.

Configuring your SPF record for the subdomain

To correctly configure SPF for your subdomain when using a different 'From' email domain, you'll need to create a specific TXT record for that subdomain. This record should list all authorized mail servers (IP addresses or include mechanisms for third-party sending services) that will be sending emails with that subdomain as the Return-Path. Remember, only one SPF record is allowed per domain or subdomain.

Here's an example of what an SPF record for a subdomain might look like. Let's say you're using marketing.yourdomain.com as your sending subdomain and you use an Email Service Provider (ESP) that requires an include mechanism. If you use multiple services, you would simply add more include statements up to the 10-DNS lookup limit.

Example SPF record for a subdomaindns

Host: marketing.yourdomain.com
Type: TXT
Value: v=spf1 include:esp.com include:anotheresp.net ~all

The ~all mechanism at the end signifies a softfail, meaning emails from unauthorized senders may still be accepted but marked as suspicious. For stricter policies, you can use -all (fail), which tells receiving servers to reject unauthorized emails. Google's documentation on SPF provides further details on these mechanisms. Keep in mind that when using external services like

Microsoft 365 or

AWS SES, they often provide specific include values to add to your SPF record.

Common pitfalls and troubleshooting

One of the most common issues arises from the DNS lookup limit. An SPF record cannot cause more than 10 DNS lookups to validate the sending server. Each include, a, mx, or ptr mechanism counts as one lookup. Exceeding this limit results in a PermError, effectively making your SPF record invalid and causing authentication failures. This is a crucial point to check, especially when using multiple email sending services or ESPs.

Another pitfall is having multiple SPF records for the same domain or subdomain. This will also cause an SPF PermError. All authorized sending sources for a domain or subdomain must be consolidated into a single SPF TXT record. If you are integrating a new email service, you must merge the new SPF mechanisms into your existing record rather than creating a separate one.

Regularly reviewing your DMARC aggregate reports is essential for identifying SPF authentication issues. These reports provide data on whether your emails are passing SPF, DKIM, and DMARC checks, and from which IP addresses they are being sent. This can help you quickly pinpoint misconfigurations that affect your email's journey to the inbox.

Scenario: From domain and sending subdomain

From header domain: yourdomain.com
Return-Path domain: news.yourdomain.com
DMARC policy: p=quarantine, aspf=r (relaxed SPF alignment)

Outcome

SPF passes if the marketing.yourdomain.com SPF record is correct. DMARC also passes alignment because the subdomain is a child of the primary domain, satisfying the relaxed SPF alignment setting. This is the recommended configuration.

Scenario: Strict DMARC alignment

From header domain: yourdomain.com
Return-Path domain: news.yourdomain.com
DMARC policy: p=reject, aspf=s (strict SPF alignment)

Outcome

SPF passes the initial check for news.yourdomain.com. However, DMARC alignment for SPF fails because news.yourdomain.com is not an exact match for yourdomain.com. This can lead to emails being rejected or quarantined depending on the DMARC policy. You'll need to ensure DKIM alignment in this scenario.

Key takeaways for reliable email delivery

Properly configuring SPF when sending from a subdomain with a different 'From' email domain requires attention to detail, particularly concerning the Return-Path domain and DMARC alignment settings. By ensuring each sending subdomain has its own accurate SPF record and understanding the implications of relaxed versus strict DMARC alignment, you can significantly improve your email deliverability.

Always remember to merge SPF records rather than creating new ones, stay within the DNS lookup limit, and regularly monitor your DMARC reports for insights into your email authentication performance. This proactive approach will help keep your emails out of the spam folder and ensure they reach your recipients effectively.

Views from the trenches

Best practices

Always create a separate SPF record for each subdomain you use to send emails, as SPF policies do not inherently cascade from the main domain.

Consolidate all authorized sending sources into a single SPF record for each domain or subdomain to avoid PermError issues.

Ensure your DMARC record uses relaxed SPF alignment (aspf=r) if your Return-Path domain is a subdomain of your From header domain, or ensure DKIM alignment is in place.

Common pitfalls

Assuming SPF records from the main domain automatically cover subdomains, leading to authentication failures.

Creating multiple SPF TXT records for the same domain or subdomain, which invalidates the SPF record.

Exceeding the 10 DNS lookup limit in an SPF record, causing a PermError and authentication failure.

Expert tips

Use tools to check your SPF record's validity and DNS lookup count before deployment.

If SPF alignment is an issue due to strict DMARC policy on the main domain, ensure your DKIM authentication is robust, as DKIM alignment often offers more flexibility for subdomains.

Implement DMARC with a p=none policy initially to gather reports and debug any authentication issues before enforcing stricter policies.

Expert view

Expert from Email Geeks says SPF is required for each subdomain, while DKIM can use a shared domain or a key for each subdomain, and DMARC/BIMI cascade to all subdomains from the organization domain level.

2021-03-03 - Email Geeks

Expert view

Expert from Email Geeks explains that the Envelope From is the SPF domain, so whatever that is needs SPF to be properly configured.

2021-03-03 - Email Geeks