Suped

What DNS records are needed for email sending subdomains and are A records or SSL certificates required?

Summary

When setting up email sending subdomains, deliverability rests on robust DNS authentication. The essential records are SPF, DKIM, and DMARC, all published as TXT records; they verify sender identity, prevent spoofing, and maintain a positive sender reputation. MX records exist for receiving mail and are therefore generally unnecessary for outbound-only subdomains, but the PTR (pointer) record, or reverse DNS, is critical: it maps the sending IP address back to a hostname, a check commonly performed by receiving mail servers. A records, which map a name to an IP address, are typically not required purely for sending email, particularly when an Email Service Provider (ESP) manages the sending infrastructure. SSL certificates, though crucial for encrypting SMTP connections via TLS, are not DNS records for a sending subdomain; they are installed on the mail servers to secure the transport, separately from DNS configuration.

Key findings

  • Authentication Records are Key: SPF, DKIM, and DMARC (all TXT records) are essential DNS configurations for authenticating email sending subdomains, crucial for deliverability and reputation.
  • A Records Not Required: A records are generally not needed for email sending subdomains, especially when using an ESP, as their primary function is web presence or direct IP mapping, not email routing.
  • SSL Certificates Are Server-Side: SSL certificates are not DNS records and are not required for a sending subdomain's DNS setup; they encrypt SMTP connections (TLS) and are installed on mail servers.
  • PTR Record is Critical: The PTR record (reverse DNS), which maps the sending IP address to the hostname, is vital for deliverability and is typically managed by the ESP or server provider.
  • MX Records Unnecessary for Outbound: MX records are not required for outbound-only email sending subdomains and can even pose security risks if present.

Key considerations

  • ESP Guidance is Paramount: Always follow your Email Service Provider's specific instructions for DNS setup, as they often utilize CNAME records to delegate sending infrastructure.
  • Isolate Reputation with Subdomains: Employ dedicated subdomains for different email types, such as transactional or marketing, to effectively isolate and manage sender reputation.
  • Unique SPF/DKIM per Subdomain: Configure distinct SPF and DKIM records for each sending subdomain to ensure proper authentication and maintain isolated reputations.
  • DMARC Applies by Default: Be aware that DMARC policies generally apply to all subdomains by default, though specific subdomain policies can be defined using the 'sp' tag if needed.
  • PTR Over A Records: Focus on the sending IP's PTR record for deliverability, recognizing that while A records aren't strictly for email sending, they might be part of a reverse DNS chain or used for web redirects.

What email marketers say

11 marketer opinions

For subdomains specifically designated for email sending, the focus shifts entirely to robust authentication and reputation management, rather than traditional web-related DNS records. The most crucial DNS configurations are SPF, DKIM, and DMARC records, all of which are typically set up as TXT records. These are indispensable for verifying sender identity, preventing unauthorized use of your domain, and ensuring your emails reach the inbox. While MX records are solely for receiving mail and are therefore unnecessary for outbound-only subdomains, the PTR (Pointer) record, also known as reverse DNS, is a vital deliverability component that maps the sending IP address to its hostname, a common check performed by recipient mail servers. Conversely, A records, which link a domain to an IP address for web hosting, are generally not required for the act of sending emails from a subdomain, particularly when leveraging an Email Service Provider (ESP) which manages the underlying sending infrastructure. Similarly, SSL certificates, although fundamental for encrypting SMTP connections via TLS, are implemented on the mail servers to secure email transport and are not a type of DNS record for the sending subdomain itself.

Key opinions

  • Essential Authentication Records: For email sending subdomains, SPF, DKIM, and DMARC are the primary DNS records required. These TXT records are fundamental for authenticating your emails, preventing spoofing, and building a strong sender reputation with receiving mail servers.
  • A Records Not for Email Sending: A records, which map domains to IP addresses for web presence, are generally not necessary for the sole purpose of sending emails from a subdomain. When using an ESP, the ESP handles the underlying IP mapping for email delivery.
  • SSL Certificates Secure Transport, Not DNS: SSL certificates are not DNS records themselves nor are they required for a subdomain's DNS setup for email sending. Their role is to enable TLS encryption, securing the SMTP connection between mail servers and ensuring data integrity during transit.
  • PTR Record is Critical for IP Validation: The PTR (Pointer) record, often referred to as reverse DNS, is crucial for email deliverability. It maps the sending IP address back to the associated hostname, a check frequently performed by receiving mail servers to verify legitimacy.
  • MX Records for Inbound Mail Only: MX records define where incoming mail should be delivered. For outbound-only email sending subdomains, MX records are not required and are often omitted as their purpose is solely for receiving, not sending, email.

Key considerations

  • Adhere to ESP Guidelines: Always follow your Email Service Provider's specific instructions for DNS setup, as they often use CNAME records to manage the sending infrastructure, simplifying your configuration.
  • Strategic Subdomain Usage: Employ distinct subdomains for different email categories, such as transactional or marketing messages. This practice is key to isolating and effectively managing sender reputation across your email streams.
  • Unique Authentication for Each Subdomain: Each sending subdomain should have its own dedicated SPF and DKIM records. This ensures proper authentication and allows for independent reputation management, preventing issues with one stream from impacting another.
  • DMARC Policy Inheritance and Customization: Understand that DMARC policies generally extend to all subdomains by default. However, you have the option to define specific policies or reporting for individual subdomains using the 'sp' tag if different behaviors are desired.
  • Prioritize PTR for Deliverability: While A records might be present, the critical element for email deliverability is the PTR record, or reverse DNS, which maps the sending IP address back to the hostname. This is a common check by receiving mail servers, and your ESP typically manages it.

Marketer view

Email marketer from Email Geeks explains that for sending emails from a subdomain, DNS records such as TXT for SPF, MX, TXT for DKIM, and TXT for DMARC are crucial. He clarifies that A records are not required for email sending, but proper authentication records are essential.

8 Mar 2022 - Email Geeks

Marketer view

Email marketer from Email Geeks suggests following the ESP's instructions for setting up subdomains. He notes that while A records are not essential for email sending, it can be friendly to have them point to a web server that redirects to the main website. He explicitly states that SSL certificates, including wildcard certificates, are not needed for sending emails from these subdomains and clarifies their purpose is for web presence transparency, not email deliverability.

28 Jun 2021 - Email Geeks

What the experts say

1 expert opinion

For email sending subdomains, the foundational DNS requirements center on sender authentication and proper IP validation. The primary records needed are SPF, DKIM, and DMARC, all configured as TXT records, which are crucial for verifying sender identity. A critical, yet often misunderstood, requirement is the A record for the sending subdomain; it is typically necessary to facilitate robust reverse DNS (PTR record) validation, where the sending IP's PTR record resolves to the subdomain and the subdomain's A record points back to that IP, establishing forward-confirmed reverse DNS (FCrDNS). Conversely, MX records are strictly for mail reception and are not required for sending subdomains, potentially introducing security risks if present. Lastly, SSL certificates are not DNS record types; their role is to secure the email transport connection, such as via STARTTLS, and they are not part of a sending subdomain's DNS configuration.

Key opinions

  • Core Authentication Records: SPF, DKIM, and DMARC, all TXT records, are the essential DNS configurations for email sending subdomains to authenticate sender identity.
  • A Record for Reverse DNS Validation: An A record for the sending subdomain is typically required to enable forward-confirmed reverse DNS (FCrDNS), where the subdomain's A record points to the sending IP, completing the validation loop with the PTR record.
  • MX Records Are Not Needed: MX records are solely for receiving mail and should not be present on email sending subdomains, as they serve no purpose for outbound mail and can introduce security vulnerabilities.
  • SSL Certificates Secure Transport: SSL certificates are distinct from DNS records; they are used to encrypt SMTP transport connections (e.g., STARTTLS) and are not a requirement for the DNS setup of a sending subdomain.

Key considerations

  • Ensure FCrDNS Configuration: It's crucial for the sending subdomain to have an A record that points back to the sending IP address, completing the forward-confirmed reverse DNS (FCrDNS) chain initiated by the PTR record and enhancing deliverability.
  • Implement Core Authentication Records: Always configure SPF, DKIM, and DMARC TXT records precisely for each email sending subdomain to ensure proper authentication and combat spoofing.
  • Strictly Exclude MX Records: For subdomains dedicated to sending emails, intentionally avoid adding MX records to prevent misdirection of inbound mail and mitigate potential security risks.
  • Differentiate SSL from DNS: Understand that SSL certificates secure the transport of email (e.g., via STARTTLS) and are not a type of DNS record or a direct part of the subdomain's DNS configuration.
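The FCrDNS loop the expert describes (PTR for the sending IP names a host, and that host's A record lists the same IP), together with the "no MX on an outbound-only subdomain" check, as an added example that is not code from the Suped page or from Spam Resource. The PTR, A and MX data are constructed dictionaries standing in for live DNS queries so the script runs offline; the 192.0.2.0/24 addresses and example.com / esp.example.net names are documentation-style values invented here. Whoever controls the sending IP (often the ESP) decides which hostname its PTR record names, so the check is applied to that hostname, not to the subdomain in the From: address.

```python
# Added example: forward-confirmed reverse DNS (FCrDNS) and MX-absence checks
# for an outbound-only sending subdomain, against constructed DNS data.
import ipaddress
from typing import Dict, List, Optional

# Constructed zone data.  192.0.2.0/24 and example.com are reserved for
# documentation; every value below is invented for this example.
PTR_RECORDS: Dict[str, str] = {
    "192.0.2.10": "mail.example.com",
    "192.0.2.11": "mail.example.com",  # PTR names a host whose A record omits .11
    "192.0.2.12": "smtp-12.esp.example.net",
}
A_RECORDS: Dict[str, List[str]] = {
    "mail.example.com": ["192.0.2.10"],
    "smtp-12.esp.example.net": ["192.0.2.12", "192.0.2.13"],
}
MX_RECORDS: Dict[str, List[str]] = {
    "example.com": ["mx1.example.com"],
    "news.example.com": ["mx1.example.com"],  # unwanted on an outbound-only subdomain
}


def reverse_name(ip: str) -> str:
    """The in-addr.arpa / ip6.arpa name a resolver would query for the PTR."""
    return ipaddress.ip_address(ip).reverse_pointer


def lookup_ptr(ip: str) -> Optional[str]:
    """Stand-in for a PTR query; None when the IP has no reverse DNS."""
    return PTR_RECORDS.get(ip)


def lookup_a(name: str) -> List[str]:
    """Stand-in for an A query; [] when the name has no address records."""
    return A_RECORDS.get(name.lower().rstrip("."), [])


def lookup_mx(name: str) -> List[str]:
    """Stand-in for an MX query; [] when the name has no MX records."""
    return MX_RECORDS.get(name.lower().rstrip("."), [])


def check_fcrdns(ip: str) -> Dict[str, object]:
    """PTR(ip) -> hostname, then A(hostname) must contain ip to confirm."""
    host = lookup_ptr(ip)
    if host is None:
        return {"ip": ip, "ptr_query": reverse_name(ip), "ptr": None,
                "forward_confirmed": False, "reason": "no PTR record"}
    forward = lookup_a(host)
    confirmed = ip in forward
    return {"ip": ip, "ptr_query": reverse_name(ip), "ptr": host,
            "forward_confirmed": confirmed,
            "reason": "ok" if confirmed
            else f"A record for {host} does not include {ip}"}


def outbound_subdomain_findings(subdomain: str, sending_ips: List[str]) -> List[str]:
    """Collect deliverability findings: stray MX records and failed FCrDNS."""
    findings: List[str] = []
    if lookup_mx(subdomain):
        findings.append(f"{subdomain}: MX record present on an outbound-only subdomain")
    for ip in sending_ips:
        result = check_fcrdns(ip)
        if not result["forward_confirmed"]:
            findings.append(f"{ip}: FCrDNS failed ({result['reason']})")
    return findings


if __name__ == "__main__":
    for line in outbound_subdomain_findings("news.example.com", ["192.0.2.10", "192.0.2.11"]):
        print(line)
```

Swapping the three lookup functions for real queries (for example with dnspython's `dns.resolver.resolve`) turns this into a live audit; the logic of the loop stays the same.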

Expert view

Expert from Spam Resource explains that for email sending subdomains, essential DNS records include SPF (TXT), DKIM (TXT), and highly recommended DMARC (TXT) records. An A record is typically required for the sending subdomain to facilitate reverse DNS validation, where the sending IP's PTR record resolves to the subdomain, and the subdomain's A record points back to the IP. Conversely, MX records are not needed for sending subdomains as they are solely for mail reception and could introduce security vulnerabilities if present. SSL certificates are not DNS record types and are not a requirement for the DNS configuration of email sending subdomains, though they secure transport connections like STARTTLS.

26 Mar 2024 - Spam Resource

What the documentation says

5 technical articles

For email sending subdomains, successful deliverability hinges on correctly configured DNS authentication records. The core requirements include SPF, DKIM, and DMARC, each set up as TXT records, which together verify sender identity, prevent message tampering, and protect against domain spoofing. While these TXT records are paramount for authentication, the reverse DNS (PTR record) for the sending IP address is also a crucial deliverability factor, mapping the IP to its hostname, a check frequently performed by recipient mail servers. Importantly, A records are generally not required for the email sending subdomain itself unless it's also hosting web content, as email flow relies on the sending server's IP and its PTR record, with many Email Service Providers managing these underlying infrastructure records. Similarly, SSL certificates, which are essential for encrypting SMTP connections via TLS, are installed on mail servers to secure transport and are not DNS records to be configured on the sending subdomain.

Key findings

  • Core Authentication Records: SPF, DKIM, and DMARC, all TXT records, are essential for email sending subdomains to authenticate messages and prevent spoofing.
  • Subdomain-Specific Authentication: Unique SPF records, or coverage by the main domain's SPF, along with unique DKIM records, are vital for each sending subdomain to ensure proper authentication.
  • DMARC's Default & Custom Policies: DMARC policies inherently apply to subdomains, but specific policies and reporting for individual subdomains can be defined using the 'sp' tag.
  • PTR Record for IP Validation: The reverse DNS, or PTR record, for the sending IP address is critical for deliverability checks, mapping the IP back to the hostname, and is typically managed by the email service provider.
  • A Records Not for Email Flow: A records are generally not required for the email sending subdomain's DNS configuration unless it serves web content, as email relies on the sending server's IP and PTR record.
  • SSL Certificates Are Server-Side: SSL certificates are used to encrypt SMTP traffic via TLS and are installed on mail servers, distinct from DNS records for the sending subdomain.

Key considerations

  • Configure SPF for Subdomains: Ensure each email sending subdomain has a dedicated SPF record or is explicitly covered by the main domain's SPF to authorize sending servers.
  • Publish Unique DKIM Records: Set up distinct DKIM TXT records, potentially with different selectors, for each sending subdomain to ensure message integrity and sender authenticity.
  • Tailor DMARC for Subdomains: Utilize the DMARC 'sp' tag to implement specific policies or reporting for subdomains, providing granular control over authentication enforcement.
  • Rely on ESP for Infrastructure DNS: When using an Email Service Provider, follow their specific guidance as they often handle the underlying A records, PTR records, and SSL certificates for their sending infrastructure.
  • Exclude MX Records from Sending Subdomains: Avoid adding MX records to subdomains designated solely for sending email, as they are unnecessary and can introduce security or deliverability issues.
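An added example (not code from the Suped page or from the IETF documents it summarises) that turns the considerations above, and the page's earlier key considerations on unique SPF/DKIM per subdomain and DMARC's 'sp' tag, into one offline check. It assumes constructed TXT records in place of live DNS, a simplified organizational-domain rule (last two labels, where real implementations consult the Public Suffix List), and an SPF evaluator limited to the ip4, ip6, include and all mechanisms; the DKIM key material is a placeholder.

```python
# Added example: DMARC policy discovery for a subdomain (exact record first,
# then the organizational domain's sp= / p=), a minimal SPF evaluator, and a
# DKIM-key presence check, all against constructed TXT data.
import ipaddress
from typing import Dict, List, Optional

# Constructed TXT records standing in for DNS lookups.  example.com,
# example.org and esp.example.net are documentation-style names.
TXT_RECORDS: Dict[str, List[str]] = {
    # Org domain: p= covers example.com itself, sp= covers subdomains
    # that publish no DMARC record of their own.
    "_dmarc.example.com": ["v=DMARC1; p=reject; sp=quarantine; rua=mailto:dmarc@example.com"],
    # The newsletter subdomain publishes its own (weaker) DMARC record.
    "_dmarc.news.example.com": ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"],
    # An org domain without sp=: subdomains inherit p=.
    "_dmarc.example.org": ["v=DMARC1; p=reject"],
    # SPF: the ESP-delegated subdomain includes the ESP's record; the
    # self-hosted subdomain lists its own IP.
    "news.example.com": ["v=spf1 include:_spf.esp.example.net -all"],
    "_spf.esp.example.net": ["v=spf1 ip4:192.0.2.0/24 -all"],
    "mail.example.com": ["v=spf1 ip4:192.0.2.10 -all"],
    # DKIM public key for selector s1 (placeholder, not real key material).
    "s1._domainkey.news.example.com": ["v=DKIM1; k=rsa; p=PLACEHOLDER_PUBLIC_KEY"],
}


def lookup_txt(name: str) -> List[str]:
    """Stand-in for a DNS TXT query; [] when the name has no TXT data."""
    return TXT_RECORDS.get(name.lower().rstrip("."), [])


def parse_dmarc(record: str) -> Optional[Dict[str, str]]:
    """Parse 'tag=value; tag=value' into a dict; None if not a DMARC record."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else None


def organizational_domain(name: str) -> str:
    """Simplified: last two labels.  Real code uses the Public Suffix List."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def effective_dmarc_policy(domain: str) -> Dict[str, Optional[str]]:
    """Policy applied to mail whose From: domain is `domain` (RFC 7489 order)."""
    for rec in lookup_txt(f"_dmarc.{domain}"):
        tags = parse_dmarc(rec)
        if tags:
            return {"source": f"_dmarc.{domain}", "policy": tags.get("p", "none")}
    org = organizational_domain(domain)
    if org != domain.lower().rstrip("."):
        for rec in lookup_txt(f"_dmarc.{org}"):
            tags = parse_dmarc(rec)
            if tags:  # sp= governs subdomains when present, else p= is inherited
                return {"source": f"_dmarc.{org}", "policy": tags.get("sp", tags.get("p", "none"))}
    return {"source": None, "policy": "none"}


def spf_result(domain: str, ip: str, depth: int = 0) -> str:
    """Minimal SPF check (ip4/ip6/include/all only): pass, fail, softfail,
    neutral, none, or permerror."""
    if depth > 10:
        return "permerror"
    records = [r for r in lookup_txt(domain) if r.lower().startswith("v=spf1")]
    if len(records) != 1:
        return "none" if not records else "permerror"
    addr = ipaddress.ip_address(ip)
    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name in ("ip4", "ip6"):
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "include":
            matched = spf_result(arg, ip, depth + 1) == "pass"
        elif name == "all":
            matched = True
        else:
            continue  # a/mx/exists/redirect need live DNS; skipped offline
        if matched:
            return {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}[qualifier]
    return "neutral"


def audit_sending_subdomain(subdomain: str, dkim_selector: str, sending_ip: str) -> Dict[str, object]:
    """Summarise the three authentication records for one sending subdomain."""
    dkim = lookup_txt(f"{dkim_selector}._domainkey.{subdomain}")
    return {
        "spf": spf_result(subdomain, sending_ip),
        "dkim_key_published": any("v=DKIM1" in r for r in dkim),
        "dmarc": effective_dmarc_policy(subdomain),
    }


if __name__ == "__main__":
    print(audit_sending_subdomain("news.example.com", "s1", "192.0.2.12"))
    print(audit_sending_subdomain("mail.example.com", "s1", "192.0.2.10"))
```

The second audit in the usage shows the case the considerations warn about: mail.example.com has no DMARC record of its own, so the organizational domain's 'sp=quarantine' applies to it, and no DKIM key is published under the selector being checked.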

Technical article

Documentation from Internet Engineering Task Force (IETF) explains that SPF (Sender Policy Framework) is defined via a DNS TXT record, specifying authorized mail servers for a domain. For email sending subdomains, it's crucial to have a dedicated SPF record or ensure the main domain's SPF record is configured to cover the subdomain's sending activities, as it prevents unauthorized senders from spoofing the subdomain.

6 Apr 2023 - Internet Engineering Task Force (IETF)

Technical article

Documentation from Internet Engineering Task Force (IETF) shares that DKIM (DomainKeys Identified Mail) authentication relies on a cryptographic signature in email headers, verified against a public key published in a DNS TXT record. For email sending subdomains, a unique DKIM record (or records, using different selectors) must be published for each subdomain used to send email, ensuring message integrity and sender authenticity.

25 Aug 2021 - Internet Engineering Task Force (IETF)
