Suped

What are the best practices for DNS lookups, SPF records, and subdomain usage for email deliverability?

Summary

Effective email deliverability hinges on precise DNS configurations, particularly concerning SPF records and subdomain strategy. A critical SPF best practice is to ensure only one record exists per domain, including all authorized sending services, and strictly adhering to the 10-DNS-lookup limit to prevent authentication failures. Subdomains are valuable tools for isolating sender reputation, allowing different email types like marketing and transactional emails to have distinct sending histories, thereby protecting overall deliverability. Additionally, maintaining valid PTR records, ensuring speedy DNS resolution, and regularly auditing all DNS entries are foundational for consistent inbox placement.

Key findings

  • SPF Lookup Limit: SPF records are limited to 10 DNS lookups; exceeding this limit will cause SPF validation to fail, directly impacting email deliverability.
  • Single SPF Record: A domain should only ever have one SPF record; multiple SPF records cause authentication failures and severely harm email deliverability.
  • Subdomain Reputation: Using separate subdomains for different email types, such as transactional versus marketing, helps create isolated sending reputations and prevents deliverability issues in one stream from affecting others.
  • PTR Record Importance: A valid PTR record (reverse DNS) for your sending IP address is a critical DNS best practice, as many email servers perform PTR lookups and may reject messages from IPs without a matching record.
  • SPF Mechanisms: Using '~all' (softfail) in SPF records is generally recommended during DMARC monitoring and for gradual implementation, while '-all' (hardfail) should only be used once all legitimate sending sources are verified.
  • DNS Audits: Regular audits of your DNS records, including SPF, DKIM, and DMARC, are essential to prevent authentication failures, reduce spam classifications, and maintain a strong sender reputation.
  • DNS Resolution: Reliable and speedy DNS resolution is a fundamental best practice for email deliverability; delays or failures can lead to messages being rejected or delayed.
  • TTL Settings: Appropriate TTL (Time-to-Live) settings for DNS records are crucial, as shorter TTLs allow quicker propagation of updates to SPF, DKIM, and DMARC records.
  • DMARC and Subdomains: DMARC policies inherently apply to subdomains unless explicitly overridden, and maintaining proper SPF and DKIM alignment for all sending sources, including those on subdomains, is crucial for DMARC validation.
  • Delegating DNS: Delegating subdomain DNS management by creating NS records that point to your Email Service Provider's (ESP) nameservers is a crucial best practice for ensuring proper configuration and alignment.
  • SPF as Foundation: SPF is a foundational email authentication standard that helps recipient mail servers verify the sender's legitimacy, reducing the likelihood of emails being marked as spam or rejected due to spoofing.

Key considerations

  • Organizational vs. Subdomain: Consider using your organizational domain for marketing if you can effectively manage bounces and complaints; otherwise, a subdomain is appropriate, especially when external vendors are involved.
  • Avoiding 'Cousin' Domains: Strongly avoid using 'cousin' domains, which are close but distinct from your organizational domain, as they can have negative deliverability implications.
  • Impact of Domain Changes: Switching the sending domain, such as moving to a subdomain, is a major change that will likely have a negative impact on deliverability and should not be the first response to a potential problem.
  • Consolidating SPF: To stay within the 10-DNS-lookup limit for SPF records, consolidate all authorized sending services into a single record, removing redundant or unused mechanisms.
  • DMARC Policy for Subdomains: When deploying a DMARC 'p=reject' policy, especially for an organizational domain that implicitly covers subdomains, ensure all legitimate email streams from those subdomains have proper SPF and DKIM alignment to prevent rejection of valid emails.
  • Risk vs. Reward: There are safer and more reckless approaches when changing a domain, and both could work depending on your willingness to take risks.

What email marketers say

11 marketer opinions

Robust email deliverability relies heavily on meticulously configured DNS settings, especially for SPF records and strategic subdomain use. A core tenet for SPF is maintaining a single record per domain, encompassing all authorized sending services, and strictly observing the ten-DNS-lookup maximum to avoid authentication failures. Subdomains are powerful for segmenting sender reputation, which allows distinct email categories like marketing and transactional messages to operate with independent sending histories, safeguarding overall deliverability. Furthermore, foundational practices include maintaining valid PTR records, ensuring rapid DNS resolution, and conducting regular audits of all DNS entries to achieve consistent inbox placement.

Key opinions

  • SPF Lookup Limit Adherence: SPF records must not exceed ten DNS lookups; exceeding this limit will cause authentication to fail.
  • Single SPF Record Rule: Only one SPF record should exist per domain, incorporating all legitimate sending services to prevent authentication errors.
  • Subdomain for Reputation Isolation: Strategically employing distinct subdomains for varying email categories, such as transactional or marketing, enables the segmentation of sender reputation, effectively isolating potential deliverability challenges.
  • PTR Record Necessity: A valid PTR (reverse DNS) record for your sending IP address is a critical DNS best practice, as numerous email servers conduct PTR lookups and may reject messages originating from IPs lacking a matching record.
  • SPF Mechanism Usage: Employ "~all" (softfail) during DMARC monitoring for gradual implementation, and "-all" (hardfail) only after verifying all legitimate sending sources through DMARC reports.
  • Regular DNS Audits: Routine audits of all DNS records, including SPF, DKIM, and DMARC, are essential to prevent authentication failures, minimize spam classifications, and preserve a robust sender reputation.
  • Speedy DNS Resolution: Ensuring prompt and reliable DNS resolution is a foundational best practice for email deliverability; any delays or failures can result in messages being rejected or experiencing significant delays.
  • DMARC and Subdomain Alignment: When implementing a DMARC 'p=reject' policy, it's crucial to ensure all legitimate subdomains have proper SPF and DKIM alignment to prevent email rejection.

Key considerations

  • Organizational vs. Subdomain: Evaluate using your primary organizational domain for marketing if managing bounces and complaints is feasible; otherwise, a subdomain is often more appropriate, especially with external vendors.
  • Avoid 'Cousin' Domains: Steer clear of domains that are similar but distinct from your primary organizational domain, as they can negatively impact deliverability.
  • Domain Change Impact: Switching sending domains, such as moving to a subdomain, is a significant change that can negatively affect deliverability and should be considered a last resort, not a first response to issues.
  • Consolidating SPF Entries: To remain within the 10-DNS-lookup limit, consolidate SPF includes by carefully listing only necessary and authorized sending services.
  • Risk Assessment for Domain Changes: Recognize that domain changes carry varying levels of risk, and the approach chosen should align with the organization's willingness to accept potential deliverability impacts.

Marketer view

Email marketer from Email Geeks explains that while changing include parts to specific IP addresses may not always work, using a subdomain generally solves the problem of too many DNS lookups. He notes there are safer and more reckless approaches when changing a domain, and both could work depending on the risk willingness.

21 May 2024 - Email Geeks

Marketer view

Email marketer from Email Geeks suggests that the best practice for marketing emails might be to use your organizational domain, provided you can effectively manage bounces and complaints without affecting business emails. If external vendors are used for marketing, a subdomain could be appropriate. He strongly advises against using "cousin" domains, which are close but distinct from the organizational domain.

31 Dec 2024 - Email Geeks

What the experts say

3 expert opinions

For robust email deliverability, the meticulous configuration of DNS settings remains paramount, with particular emphasis on SPF records and the strategic deployment of subdomains. Beyond ensuring a singular SPF record and proper PTRs, a critical best practice involves stringent adherence to the 10-DNS-lookup limit for SPF records to prevent validation failures. Furthermore, the judicious use of subdomains is invaluable for segmenting sender reputation, allowing different email types, such as marketing and transactional messages, to maintain independent sending histories, thereby safeguarding overall domain health and securing consistent inbox placement.

Key opinions

  • SPF Authentication Purpose: SPF (Sender Policy Framework) functions as a crucial email authentication standard that specifies which mail servers are permitted to send email on behalf of a domain, thereby aiding recipient servers in validating sender legitimacy and significantly reducing the risk of emails being marked as spam or rejected due to unauthorized sending.
  • SPF DNS Lookup Constraint: Adhering to the strict 10 DNS lookup limit for SPF records is a fundamental best practice; exceeding this limit triggers an SPF 'PermError,' which directly causes authentication failure and severely impairs email deliverability.
  • Subdomain Reputation Management: Employing distinct subdomains for varied email streams, for instance transactional emails versus marketing campaigns, is an effective strategy for managing sender reputation, as it enables the isolation of potential deliverability issues, ensuring that problems in one stream do not adversely affect the reputation of other email types originating from the same parent domain.

Key considerations

  • Proactive SPF Lookup Control: To maintain optimal email deliverability and avoid 'PermError' failures, it is imperative to proactively manage SPF records by consolidating entries, eliminating any redundant or unused mechanisms, and exercising caution when incorporating 'include' or 'redirect' directives to stay within the 10-DNS-lookup limit.
  • Strategic Subdomain Allocation: Deliberately assigning separate subdomains to different categories of email communication, such as dedicating one for transactional messages and another for marketing blasts, facilitates precise reputation tracking and troubleshooting, which ultimately protects the broader reputation of the primary domain from isolated deliverability challenges.

Expert view

Expert from Spam Resource explains that SPF (Sender Policy Framework) is an email authentication standard that specifies which mail servers are authorized to send email on behalf of a domain. By publishing an SPF record in your domain's DNS, you help recipient mail servers verify the sender's legitimacy, reducing the likelihood of your emails being marked as spam or rejected due to spoofing. He emphasizes SPF's foundational role in email deliverability and authentication alongside DKIM and DMARC.

16 May 2022 - Spam Resource

Expert view

Expert from Spam Resource explains that a critical best practice for SPF records is to stay within the 10 DNS lookup limit. Each 'a', 'mx', 'ptr', 'exists', and 'include' mechanism in an SPF record that requires a DNS query counts towards this limit. Exceeding this limit causes SPF validation to fail (a 'PermError'), which can significantly harm email deliverability. He advises consolidating SPF records, removing redundant or unused mechanisms, and using 'redirect' or 'include' directives judiciously to manage the number of lookups effectively.

16 Jul 2022 - Spam Resource

What the documentation says

7 technical articles

Achieving optimal email deliverability requires precise DNS record management, particularly for SPF, DKIM, and DMARC. This involves adhering to the single SPF record rule and strictly observing the 10-DNS-lookup limit, which includes nested lookups triggered by 'include' mechanisms. Strategic utilization of subdomains for different email types is crucial for isolating sender reputations. Additionally, maintaining proper DMARC alignment for all sending sources, including those on subdomains, is essential, as is setting appropriate TTLs for quick DNS propagation and considering the delegation of subdomain DNS management to Email Service Providers (ESPs) for streamlined configuration and optimal performance.

Key findings

  • SPF Lookup Limit Details: SPF records are strictly limited to 10 DNS lookups. Each 'include' mechanism, along with any subsequent nested DNS lookups triggered by those included domains, counts towards this limit. Exceeding it causes SPF validation to fail, directly harming deliverability.
  • Single SPF Record Rule: A domain must have only one SPF record; multiple records lead to authentication failures and severely impact email deliverability. All valid sending sources must be consolidated into this single record.
  • Subdomain Reputation Isolation: Using separate subdomains for different email types, such as transactional versus marketing, creates isolated sending reputations, preventing deliverability issues in one stream from affecting others.
  • DMARC Subdomain Application: DMARC policies inherently apply to subdomains unless explicitly overridden. This makes proper SPF and DKIM alignment for all sending sources, including those on subdomains, critical for successful DMARC validation and improved email deliverability.
  • DNS TTL Importance: Appropriate TTL (Time-to-Live) settings for DNS records are crucial for deliverability. Shorter TTLs allow quicker propagation of updates to SPF, DKIM, and DMARC records, which is beneficial during changes, while overly long TTLs can delay critical updates.
  • Delegating Subdomain DNS: Delegating subdomain DNS management to an Email Service Provider's (ESP) nameservers by creating NS records is a crucial best practice. This allows the ESP to directly manage the SPF, DKIM, and other email-related DNS records for that subdomain, ensuring proper configuration and alignment.
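As an added, stand-alone example (not code from this page or from any of the quoted sources), the following Python counts the DNS-querying terms reachable from a domain's SPF record, following include: and redirect= recursively as the lookup-limit findings above describe, and flags the two PermError conditions they mention: more than ten lookups, and more than one v=spf1 record on a name. It runs against a constructed in-memory TXT table standing in for live DNS; every domain name in it is made up.

```python
import re
# Constructed TXT answers standing in for live DNS (made-up names, not real domains).
TXT = {
    "example.test": ["v=spf1 include:_spf.mailer.test include:_spf.crm.test mx a -all"],
    "_spf.mailer.test": ["v=spf1 include:_net1.mailer.test include:_net2.mailer.test ~all"],
    "_net1.mailer.test": ["v=spf1 ip4:192.0.2.0/24 -all"],
    "_net2.mailer.test": ["v=spf1 ip4:198.51.100.0/24 -all"],
    "_spf.crm.test": ["v=spf1 a mx ptr exists:%{i}.crm.test redirect=_spf2.crm.test"],
    "_spf2.crm.test": ["v=spf1 ip4:203.0.113.0/24 -all"],
    # Two v=spf1 records on one name: a PermError in itself, whatever the lookup count.
    "broken.test": ["v=spf1 mx -all", "v=spf1 include:_spf.mailer.test -all"],
}
LOOKUP_MECHS = {"a", "mx", "ptr", "exists", "include"}  # terms that cost a query; ip4/ip6/all do not
MAX_LOOKUPS = 10

def spf_record(domain):
    """Return the single v=spf1 TXT record for domain, or None if it publishes none."""
    recs = [t for t in TXT.get(domain.lower(), []) if t.lower().startswith("v=spf1")]
    if len(recs) > 1:
        raise ValueError(f"PermError: {domain} publishes {len(recs)} SPF records")
    return recs[0] if recs else None

def count_lookups(domain, chain=()):
    """Count DNS-querying terms reachable from domain's SPF record, recursing into include:/redirect=."""
    if domain in chain:
        raise ValueError(f"PermError: include/redirect loop at {domain}")
    record = spf_record(domain)
    if record is None:
        return 0
    total = 0
    for term in record.split()[1:]:
        term = term.lstrip("+-~?")                                  # drop the qualifier, if any
        name, _, arg = re.sub(r"[:/=]", " ", term, count=1).partition(" ")  # split off domain-spec/CIDR
        name = name.lower()
        if name in LOOKUP_MECHS or name == "redirect":
            total += 1                                              # the term's own query
        if name in ("include", "redirect"):
            total += count_lookups(arg, chain + (domain,))          # nested queries count too
    return total

def check(domain):
    """Return ("pass", lookups) or ("permerror", reason) for domain's SPF policy."""
    try:
        n = count_lookups(domain)
    except ValueError as e:
        return ("permerror", str(e))
    if n > MAX_LOOKUPS:
        return ("permerror", f"{n} DNS lookups exceed the limit of {MAX_LOOKUPS}")
    return ("pass", n)
```

In the constructed zone, example.test looks healthy at first glance but resolves to 11 lookups once the nested includes and the redirect are counted, which is exactly the failure the findings warn about.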

Key considerations

  • Proactive SPF Lookup Management: Proactively manage SPF records to stay within the 10-DNS-lookup limit by consolidating entries and exercising caution with 'include' mechanisms, which can trigger additional lookups.
  • Strategic Subdomain Use: Deliberately assign separate subdomains for different email categories, like transactional and marketing, to facilitate precise reputation tracking and troubleshooting, protecting the primary domain's overall reputation.
  • Ensuring DMARC Alignment for Subdomains: When DMARC policies are in place, particularly 'p=reject', verify that all legitimate email streams from subdomains have correct SPF and DKIM alignment to prevent email rejection.
  • Optimizing DNS TTL Settings: Implement appropriate TTL settings for all email-related DNS records to ensure timely propagation of updates, especially when making critical changes to SPF, DKIM, or DMARC.
  • Leveraging ESP for Subdomain DNS: Consider delegating subdomain DNS management to your Email Service Provider (ESP) through NS records to ensure expert handling and proper alignment of SPF, DKIM, and other crucial email authentication records.
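To illustrate the DMARC subdomain and alignment points above, here is an added Python example (not from this page or any cited source) that resolves the effective DMARC policy for a From: domain, falling back to the organizational domain's record and its sp= tag when the subdomain publishes none, and then checks relaxed versus strict SPF and DKIM identifier alignment. It uses a constructed TXT table with made-up names and assumes the organizational domain is the last two labels, where a real evaluator would consult the Public Suffix List.

```python
# Constructed DNS TXT answers standing in for live lookups (made-up names, not real domains).
TXT = {
    "_dmarc.example.test": ["v=DMARC1; p=reject; sp=quarantine; aspf=s; adkim=r; rua=mailto:dmarc@example.test"],
    # An explicit record on a subdomain overrides the parent's sp= for that subdomain only.
    "_dmarc.news.example.test": ["v=DMARC1; p=none; rua=mailto:dmarc@example.test"],
}

def org_domain(domain):
    """Assumption: the organizational domain is the last two labels. A real
    evaluator derives it from the Public Suffix List instead."""
    return ".".join(domain.lower().split(".")[-2:])

def parse_dmarc(txt):
    """Split 'tag=value; tag=value' into a dict with lower-cased tag names."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags

def effective_policy(from_domain):
    """Policy discovery (RFC 7489 section 6.6.3): the From: domain's own _dmarc
    record wins; otherwise the organizational domain's record applies, with
    sp= (when present) replacing p= for subdomains. Returns (record_domain, policy, tags)."""
    for name in (from_domain, org_domain(from_domain)):
        recs = [t for t in TXT.get("_dmarc." + name, []) if t.upper().startswith("V=DMARC1")]
        if recs:
            tags = parse_dmarc(recs[0])
            policy = tags.get("p", "none")
            if name != from_domain and "sp" in tags:
                policy = tags["sp"]
            return name, policy, tags
    return None, "none", {}

def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    only the same organizational domain."""
    if mode.lower() == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def evaluate(from_domain, spf_domain, spf_pass, dkim_domain, dkim_pass):
    """DMARC passes when SPF or DKIM passed AND that identifier aligns with From:.
    Returns (dmarc_result, disposition), disposition being the policy to apply on failure."""
    _, policy, tags = effective_policy(from_domain)
    spf_ok = bool(spf_pass and spf_domain and aligned(spf_domain, from_domain, tags.get("aspf", "r")))
    dkim_ok = bool(dkim_pass and dkim_domain and aligned(dkim_domain, from_domain, tags.get("adkim", "r")))
    return ("pass", "none") if spf_ok or dkim_ok else ("fail", policy)
```

A message from billing.example.test signed by an ESP with d=example.test passes under relaxed DKIM alignment, while the same message authenticated only by an SPF pass on a vendor bounce domain fails and inherits the parent's sp=quarantine.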

Technical article

Documentation from Mailgun explains that SPF records are limited to 10 DNS lookups to prevent recursive loops and performance issues, and exceeding this limit will cause SPF validation to fail, directly impacting email deliverability.

24 Jan 2023 - Mailgun Blog

Technical article

Documentation from SendGrid suggests using separate subdomains for different email types, such as transactional versus marketing, to create isolated sending reputations. This isolation prevents deliverability issues in one email stream from negatively affecting the performance of other crucial email types.

26 Feb 2023 - SendGrid Blog
