What are the best practices for DNS lookups, SPF records, and subdomain usage for email deliverability?

Key findings

• SPF lookup limit: SPF records are restricted to a maximum of 10 DNS lookups. Exceeding this can lead to PermError failures, causing legitimate emails to be rejected or marked as spam by compliant receivers. Learn more about how broken SPF records affect deliverability.
• Subdomain solution: Using subdomains for different email sending purposes (e.g., marketing.company.com) allows each subdomain to have its own SPF record, effectively bypassing the 10-lookup limit on the root domain. This is a common and recommended practice for complex sending infrastructures.
• Impact on deliverability: While subdomains solve the lookup limit, switching a primary sending domain to a new subdomain can negatively impact deliverability initially, as the new domain needs to build its own sending reputation. The degree of impact depends on the health of the existing email program and proper warm-up.
• Dedicated IP vs. subdomain: A dedicated IP can reduce DNS lookups by directly listing the IP, but it requires consistent volume and active management to maintain a good sending reputation, which might not be suitable for low-volume senders (e.g., 10k emails/month).
• Avoiding cousin domains: Creating domains similar to your main organizational domain (e.g., info-company.com) is strongly discouraged as it can confuse recipients and often signals phishing or spam, leading to significant deliverability issues.

Key considerations

• Audit SPF records: Regularly review your SPF record to ensure it does not exceed the 10-lookup limit and lists only authorized sending sources. This is a fundamental aspect of SPF best practices.
• Subdomain strategy: When using subdomains, ensure each one has its own properly configured SPF record. Understand that each subdomain effectively starts with a new sending reputation that needs to be built over time. Consider when a subdomain needs its own SPF record.
• Reputation isolation: Subdomains can help isolate the reputation of different email streams. If marketing emails cause a reputation issue, it may not immediately impact critical transactional emails sent from another subdomain.
• Gradual transition: If migrating email sending to a new subdomain, plan a gradual transition and warm-up process to build reputation and minimize negative impact on deliverability.

Key opinions

• Subdomain utility: Using subdomains for different email sending purposes is generally seen as a good approach, especially when dealing with the SPF 10-lookup limit or when using multiple third-party email service providers (ESPs).
• Organizational vs. marketing domains: Some marketers suggest using the organizational domain for marketing emails if bounces and complaints can be managed effectively without impacting business emails. However, for vendors, subdomains are often preferred. This approach also helps with managing domain reputation.
• Impact of switching: Marketers understand that switching the primary sending domain to a subdomain will impact deliverability, likely negatively at first, as the new domain's reputation must be built.
• Dedicated IP viability: For low-volume senders, maintaining a dedicated IP can be challenging and might not be the best solution for addressing SPF lookup limits. The complexity of IP maintenance often outweighs the benefits for smaller senders.

Key considerations

• Preventing SPF failures: Marketers need to be proactive in preventing SPF failures by staying within the DNS lookup limit. This might involve optimizing the SPF record or using subdomains.
• Reputation management: Recognize that changes to sending domains or IPs can affect sender reputation. Marketers should be prepared for potential dips in deliverability and have a strategy for rebuilding trust with ISPs.
• DNS record authentication: Marketers should be aware that DNS records like SPF, DKIM, and DMARC are crucial for authenticating email sources and ensuring legitimacy. Setting up SPF records does not have to be stressful, and simple guides are available.
• Strategic subdomain use: Consider the strategic advantages of subdomains for isolating different types of email traffic, which can help manage reputation and compliance for specific sending needs. Learn why you should use subdomains for email marketing deliverability.

Key opinions

• No single solution: Experts stress that best practices for DNS lookups, SPF records, and subdomain usage are highly context-dependent, meaning there's no one-size-fits-all answer for every email program.
• Strict SPF compliance: SPF queries that exceed the 10-lookup limit will cause authentication failures at any compliant email receiver, resulting in emails being blocked or sent to spam folders. This is a non-negotiable standard for deliverability. This also applies to SPF 'a' records.
• Subdomain impact: While subdomains can resolve SPF lookup issues, actively switching the domain used for sending emails, even to a subdomain, will likely have an initial negative impact on deliverability. Reputation must be built anew.
• Avoid cousin domains: Experts strongly advise against using cousin domains due to their association with phishing and increased risk of being blocklisted.
• Dedicated IP nuances: A dedicated IP is a distinct consideration from subdomain usage for SPF limits. It requires careful management and sufficient sending volume to establish and maintain a positive reputation.

Key considerations

• Holistic view: Experts recommend a thorough understanding of the specific mail program and its historical health before making major changes to DNS or sending domains. A piecemeal approach without full context can be detrimental.
• Prioritize authentication: Implement SPF, DKIM, and DMARC in conjunction to achieve comprehensive email authentication. These three protocols work together to verify sender legitimacy and improve inbox placement. For more information, check out SPF, DKIM, and DMARC best practices.
• Monitor for SPF errors: Continuously monitor SPF performance, particularly for TempError or PermError issues, which indicate authentication problems that directly impact deliverability. Understanding and demystifying SPF TempError in DMARC reports is crucial.
• Strategic domain choices: Careful consideration should be given to which domains or subdomains are used for specific email types, ensuring alignment with brand and avoiding practices that could lead to negative reputation.

Key findings

• SPF record purpose: According to RFC 7208, SPF records are designed to specify which mail servers are authorized to send email on behalf of a domain, serving as a primary defense against email spoofing.
• DNS lookup limit enforcement: The SPF specification (RFC 7208) strictly enforces a maximum of 10 DNS lookups during SPF record evaluation. Exceeding this limit results in a `PermError`, causing email authentication to fail.
• Role of DMARC: RFC 7601 defines DMARC as a protocol that builds upon SPF and DKIM, allowing domain owners to set policies for how unauthenticated emails should be handled and to receive reports on their email traffic. It requires alignment for both SPF and DKIM for successful authentication.
• Subdomain benefits: Using subdomains for distinct email types (e.g., marketing, transactional) is a documented strategy to manage DNS lookups more efficiently and isolate the reputation of different email streams. Each subdomain needs its own set of authentication records.

Key considerations

• Combined authentication: Documentation consistently recommends implementing SPF, DKIM, and DMARC together. These three standards collectively provide robust email authentication and are key for strong sender reputation. For more details, refer to email authentication best practices.
• DNS lookup limit awareness: Always ensure SPF records adhere to the 10-DNS lookup limit. Exceeding this limit will cause SPF checks to fail, regardless of the validity of the included mechanisms.
• Subdomain configuration: When using subdomains, remember that each will require its own set of DNS records, including SPF, DKIM, and DMARC, to properly authenticate email. A simple guide to DMARC, SPF, and DKIM can help.
• Dedicated IPs with ESPs: For senders using third-party ESPs, understanding how SPF, DKIM, DMARC, and dedicated IPs interact is vital for optimal deliverability and proper authentication.