Understanding when separate SPF (Sender Policy Framework) records are necessary for your main domain and its subdomains is crucial for effective email deliverability. While SPF policies do not automatically cascade from a parent domain to its subdomains like DMARC (Domain-based Message Authentication, Reporting, and Conformance) policies often do, there are specific scenarios where distinct SPF records are either required or highly recommended. This ensures proper authentication of emails sent from both your root domain and any subdomains, preventing issues like emails being marked as spam or failing authentication checks.
Key findings
Independent records: Unlike DMARC, SPF records are not inherently inherited by subdomains. Each domain and subdomain typically requires its own dedicated SPF record to accurately authorize senders. This means a separate TXT record for each subdomain used for sending email.
Direct lookup: SPF validation is performed directly on the domain (or subdomain) specified in the Return-Path (or Envelope-From) header of an email. If this domain is a subdomain, its specific SPF record will be checked.
Include mechanism: A parent domain's SPF record can include a subdomain's SPF record, or vice versa, to combine authorized senders. However, this must be configured explicitly, and each include counts toward the 10-lookup limit.
DMARC differences: While DMARC records can specify an sp tag to apply policies to subdomains, SPF lacks this cascading feature, requiring individual records or careful use of include statements.
Key considerations
Dedicated sending subdomains: It is a best practice to use separate subdomains for different types of email sends (e.g., marketing, transactional, operational). Each of these subdomains will need its own SPF record to authorize the respective sending services. Learn more about why to use email subdomains.
10-lookup limit: Be mindful of the 10-lookup limit for SPF records. Each include, a, or mx mechanism counts as a DNS lookup. Exceeding this limit will cause SPF validation to fail, potentially leading to deliverability issues. This is a common pitfall that can lead to SPF TempError.
Email service provider (ESP) configuration: Many ESPs manage the SPF record for the Envelope-From domain they use, often a subdomain of their own. In such cases, you might only need to configure DKIM for your domain. Always consult your ESP's documentation, like AutoSPF's guide on SPF for subdomains, for specific instructions.
Preventing validation failures: Improper SPF setup for subdomains can lead to authentication failures, impacting your deliverability and sender reputation. Ensure that every subdomain from which you send email has a correctly configured SPF record that authorizes all relevant sending sources.
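The points above (exact-name lookup with no fallback to the parent, include terms counting toward the 10-lookup limit, and the failure that exceeding it or publishing two records produces) are easiest to see by running them. The following is an added example, not code from the original page or from any of the vendors it cites: a minimal SPF evaluator run against a constructed in-memory zone in place of live DNS. Every domain name, address and record in ZONE_TXT is a placeholder built for the demonstration, and a/mx/exists terms are counted but cannot match because the toy zone carries no A or MX data.

```python
import ipaddress

MAX_LOOKUPS = 10
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed TXT records, keyed by the exact DNS name they are published at.
ZONE_TXT = {
    "example.com": ["v=spf1 ip4:192.0.2.0/24 include:_spf.esp.example -all"],
    "news.example.com": ["v=spf1 include:_spf.esp.example -all"],
    "_spf.esp.example": ["v=spf1 ip4:198.51.100.0/24 -all"],
    # mail.example.com deliberately has no record of its own.
    "broken.example.com": ["v=spf1 ip4:192.0.2.1 -all",
                           "v=spf1 ip4:192.0.2.2 -all"],  # two records: invalid
    "deep.example.com": ["v=spf1 include:hop0.example -all"],
}
# A chain of eleven includes, one more than the limit allows.
for i in range(10):
    ZONE_TXT[f"hop{i}.example"] = [f"v=spf1 include:hop{i + 1}.example -all"]
ZONE_TXT["hop10.example"] = ["v=spf1 ip4:203.0.113.0/24 -all"]


class PermError(Exception):
    """Raised for the conditions RFC 7208 defines as permerror."""


def spf_records(txt, domain):
    """Exact-name lookup only: SPF never walks up to the parent domain."""
    return [r for r in txt.get(domain.lower(), [])
            if r.split(" ", 1)[0].lower() == "v=spf1"]


def lookup_count(txt, domain, _seen=None):
    """Total DNS-querying terms reachable from a record, i.e. the number an
    SPF lookup-counter tool reports. Include loops are cut short."""
    _seen = set() if _seen is None else _seen
    if domain in _seen:
        return 0
    _seen.add(domain)
    records = spf_records(txt, domain)
    if not records:
        return 0
    total = 0
    for term in records[0].split()[1:]:
        term = term.lstrip("+-~?").lower()
        if term.startswith("redirect="):
            total += 1 + lookup_count(txt, term[len("redirect="):], _seen)
        elif term.startswith("include:"):
            total += 1 + lookup_count(txt, term[len("include:"):], _seen)
        elif term.split(":", 1)[0] in ("a", "mx", "exists"):
            total += 1
    return total


class SpfEvaluator:
    def __init__(self, txt):
        self.txt = txt
        self.lookups = 0

    def check(self, ip, envelope_domain):
        """SPF result string for a sender IP and its MAIL FROM (Return-Path) domain."""
        self.lookups = 0
        try:
            return self._evaluate(ipaddress.ip_address(ip), envelope_domain)
        except PermError:
            return "permerror"

    def _count(self):
        self.lookups += 1
        if self.lookups > MAX_LOOKUPS:
            raise PermError("more than %d DNS lookups" % MAX_LOOKUPS)

    def _evaluate(self, ip, domain):
        records = spf_records(self.txt, domain)
        if not records:
            return "none"  # nothing published at this exact name
        if len(records) > 1:
            raise PermError("multiple SPF records at " + domain)
        redirect = None
        for term in records[0].split()[1:]:
            qualifier = "+"
            if term[0] in "+-~?":
                qualifier, term = term[0], term[1:]
            if term.lower().startswith("redirect="):
                redirect = term.split("=", 1)[1]
                continue
            mech, _, arg = term.partition(":")
            mech = mech.lower()
            if mech == "all":
                return RESULT[qualifier]
            if mech in ("ip4", "ip6"):
                if ip in ipaddress.ip_network(arg, strict=False):
                    return RESULT[qualifier]
            elif mech == "include":
                self._count()
                inner = self._evaluate(ip, arg)
                if inner == "pass":
                    return RESULT[qualifier]
                if inner == "none":  # RFC 7208: include of a record-less name is permerror
                    raise PermError("include target has no SPF record: " + arg)
            elif mech in ("a", "mx", "exists"):
                self._count()  # counted; the toy zone has no A/MX data to match against
        if redirect:
            self._count()
            return self._evaluate(ip, redirect)
        return "neutral"


if __name__ == "__main__":
    ev = SpfEvaluator(ZONE_TXT)
    for ip, dom in [("198.51.100.7", "news.example.com"), ("198.51.100.7", "mail.example.com"),
                    ("198.51.100.7", "broken.example.com"), ("203.0.113.5", "deep.example.com")]:
        print(f"{ip:>14} {dom:<22} {ev.check(ip, dom):<10} lookups={ev.lookups}")
    print("lookup_count(deep.example.com) =", lookup_count(ZONE_TXT, "deep.example.com"))
```

Running it shows mail.example.com returning "none" even though its parent publishes a record, news.example.com passing only for the ESP range it lists itself, and both broken.example.com and deep.example.com returning "permerror". Note that the evaluator stops at the first matching term, so the lookups counter after a check can be lower than lookup_count(), which walks every include; monitoring tools report the latter, which is the figure to keep at or below 10.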
Email marketers often face practical challenges when setting up SPF for multiple sending identities, especially when subdomains are involved. Their discussions frequently revolve around simplifying configurations while maintaining strong deliverability. The common assumption that a single SPF record should suffice for an entire domain, including its subdomains, often leads to confusion due to the differences between SPF and DMARC inheritance.
Key opinions
Desire for simplicity: Marketers frequently seek the easiest way to manage SPF, often hoping a single record can cover both main domains and subdomains.
Confusion with DMARC: There's a common misconception that SPF settings cascade to subdomains in the same way DMARC policies do. This is a critical distinction, as SPF requires explicit authorization for each domain and subdomain from which emails are sent. You can learn more about DMARC and subdomain inheritance.
Third-party ESP impact: Many marketers use ESPs that handle SPF authentication by sending from their own subdomains, simplifying the SPF setup for the marketer's primary domain.
Troubleshooting complexity: Marketers often find themselves baffled by unexpected SPF records, especially those set up automatically by services like Google Workspace.
Key considerations
Separate records for separate sending: If you send email from example.com and mail.example.com, each needs an SPF record. A common misconception is that the parent domain's SPF record applies to subdomains, as discussed in the WP Mail SMTP article on SPF records.
Understanding ESP SPF handling: Verify how your email service provider handles SPF. Some manage it on their end using their own domains or subdomains, meaning you might only need to set up DKIM.
Managing DNS lookups: When using include statements, especially those pointing to subdomains, constantly monitor your SPF DNS lookup count to avoid exceeding the limit.
Proactive subdomain strategy: Plan your subdomain strategy (for instance, news.yourdomain.com for newsletters) from the outset to simplify SPF management and improve deliverability segregation.
Marketer view
Email marketer from Email Geeks suggests that if you want the SPF settings to be the same for both your main domain and a subdomain, it might be simpler to remove the subdomain and consolidate all verified senders into the primary SPF record.
28 Nov 2023 - Email Geeks
Marketer view
Marketer from HostAdvice states that SPF records are specific to the domain or subdomain they are configured for, meaning subdomains need their own setup to properly authorize sending mail servers.
28 Oct 2023 - HostAdvice
What the experts say
Email deliverability experts emphasize that SPF records are highly granular and domain-specific. They often highlight the critical distinction between SPF and DMARC's handling of subdomains and underscore the importance of understanding the 10-lookup limit. Experts also provide practical guidance on how different ESPs (Email Service Providers) manage SPF for their clients, often making it unnecessary for the client to add the ESP's SPF includes directly to their primary SPF record.
Key opinions
SPF granularity: Experts affirm that SPF records are created per exact domain or subdomain, meaning that a subdomain always requires its own SPF record if it sends mail.
No cascading logic: Unlike DMARC, SPF does not inherently cascade its policy to subdomains. Each domain and subdomain must have its own SPF record if it is used for sending email.
DNS lookup limit: A crucial point highlighted is the 10-lookup limit for SPF records. Exceeding this limit causes SPF validation to fail, so careful management of include mechanisms is essential.
ESP handling: Many ESPs manage the Envelope-From domain themselves, often using their own subdomains. This means clients might only need to configure DKIM, not SPF, for such services. For additional insights, consider Spamresource's discussions on email authentication.
Key considerations
Direct SPF placement: SPF records must be on the exact domain being evaluated. This includes subdomains. If mail is sent from mail.yourdomain.com, then mail.yourdomain.com needs an SPF record. Explore whether a subdomain needs its own SPF record.
Avoiding redundancy: If an ESP handles SPF on their own envelope domain, you may not need to include their SPF in your main domain or subdomain records, simplifying management and reducing lookup counts.
Correct SPF syntax and placement: Ensure that SPF records are correctly formatted as TXT records and placed at the root of the domain or subdomain they are intended to protect. Incorrect placement or syntax can lead to validation failures.
Leveraging DMARC for policy enforcement: While SPF doesn't cascade, DMARC does. Experts advise using DMARC's sp tag or separate DMARC records for subdomains to enforce policies effectively. For more, see Word to the Wise's insights.
Expert view
Deliverability expert from Email Geeks explains that SPF (Sender Policy Framework) lacks the cascading "look here, then here" logic that DMARC has, requiring the SPF record to be on the exact domain being evaluated.
28 Nov 2023 - Email Geeks
Expert view
Deliverability expert from Spamresource advises that using specific subdomains for email sending is a common practice that necessitates careful SPF configuration for each, ensuring proper authentication flows.
05 Dec 2023 - Spamresource
What the documentation says
Official documentation and technical guides consistently clarify that SPF (Sender Policy Framework) is a per-domain mechanism. This means that a parent domain's SPF record does not automatically extend its authorization to subdomains. Instead, each subdomain used for sending email needs its own SPF record to explicitly list authorized sending sources. This design ensures granular control and prevents unauthorized senders from leveraging a parent domain's reputation via its subdomains.
Key findings
Domain-specific: SPF records are specifically tied to the domain or subdomain they are published under. There is no inherent inheritance of SPF policies from a parent domain to its subdomains.
Explicit definition: For any subdomain that sends email, an explicit SPF record must be created. This record should list all IP addresses and include mechanisms for third-party senders authorized to send on behalf of that specific subdomain.
Distinct from DMARC: Documentation often clarifies that SPF's behavior regarding subdomains differs from DMARC. DMARC policies can apply to subdomains through the sp tag, but SPF does not have an equivalent cascading mechanism.
DNS lookup limits: SPF validation processes are subject to DNS lookup limits (typically 10). Exceeding this limit will result in a PermError (or TempError), causing SPF authentication to fail. Learn more about SPF and its full form.
Key considerations
Separate SPF records for sending subdomains: Any subdomain used as the Return-Path domain in an email must have its own SPF record. This is a fundamental requirement for proper email authentication.
DNS configuration for subdomains: When configuring SPF for a subdomain, the TXT record must be published at the specific subdomain level in your DNS settings. Consult guides like HostAdvice's SPF record for subdomain guide.
Alignment requirements: While SPF is domain-specific, DMARC relies on alignment between the From header domain and the SPF Return-Path domain. If using subdomains for sending, ensure proper alignment or use a DMARC subdomain policy.
Avoiding multiple SPF records per domain: While you can have separate SPF records for a domain and its subdomains, a single domain (e.g., yourdomain.com) should only have one SPF TXT record. If multiple are present, validation will likely fail.
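To make the contrast with DMARC concrete (the sp tag, subdomain policy discovery, and SPF alignment with the From header domain discussed above), here is an added example that is not part of the original page or of any cited vendor's tooling. It implements the subdomain part of DMARC policy discovery from RFC 7489 in simplified form against a constructed record set, then checks whether an SPF Return-Path domain aligns with the From domain in relaxed and strict mode. The organizational domain is approximated as the last two labels of a name, which is an assumption for the demonstration; real validators use the Public Suffix List. All names and records are placeholders.

```python
# Constructed DMARC records, keyed by the _dmarc name they would be published at.
DMARC_TXT = {
    "_dmarc.example.com": "v=DMARC1; p=reject; sp=quarantine; adkim=r; aspf=r",
    "_dmarc.news.example.com": "v=DMARC1; p=none; aspf=s",
    # mail.example.com has no DMARC record and will inherit via sp=.
}


def parse_dmarc(record):
    """Turn 'v=DMARC1; p=reject; sp=quarantine' into a tag dictionary."""
    tags = {}
    for part in record.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip().lower()] = value.strip()
    return tags


def org_domain(domain):
    """ASSUMPTION for this example: the last two labels. Production code
    derives the organizational domain from the Public Suffix List."""
    return ".".join(domain.lower().split(".")[-2:])


def dmarc_policy(txt, from_domain):
    """Policy discovery for the RFC5322.From domain (RFC 7489 section 6.6.3,
    simplified): try the exact name first; if absent, fall back to the
    organizational domain and apply its sp= tag (or p= when sp is missing).
    Returns None when no policy applies at all."""
    from_domain = from_domain.lower()
    record = txt.get("_dmarc." + from_domain)
    if record is not None:
        tags = parse_dmarc(record)
        policy, source = tags.get("p"), "_dmarc." + from_domain
    else:
        org = org_domain(from_domain)
        record = txt.get("_dmarc." + org) if org != from_domain else None
        if record is None:
            return None
        tags = parse_dmarc(record)
        policy, source = tags.get("sp", tags.get("p")), "_dmarc." + org
    return {"policy": policy, "aspf": tags.get("aspf", "r"), "source": source}


def spf_aligned(from_domain, envelope_domain, aspf):
    """SPF identifier alignment: strict requires an exact match, relaxed only
    requires the same organizational domain."""
    if aspf == "s":
        return from_domain.lower() == envelope_domain.lower()
    return org_domain(from_domain) == org_domain(envelope_domain)


def dmarc_spf_verdict(txt, from_domain, envelope_domain, spf_result):
    """Combine an SPF result with alignment: DMARC treats SPF as passing only
    when the SPF check passed AND the Return-Path domain aligns with From."""
    policy = dmarc_policy(txt, from_domain)
    if policy is None:
        return {"policy": None, "spf_contributes": False}
    aligned = spf_aligned(from_domain, envelope_domain, policy["aspf"])
    return {"policy": policy["policy"],
            "spf_contributes": spf_result == "pass" and aligned}


if __name__ == "__main__":
    for frm in ("example.com", "news.example.com", "mail.example.com", "other.example"):
        print(f"{frm:<18} -> {dmarc_policy(DMARC_TXT, frm)}")
    print(dmarc_spf_verdict(DMARC_TXT, "mail.example.com", "bounce.example.com", "pass"))
    print(dmarc_spf_verdict(DMARC_TXT, "news.example.com", "bounce.example.com", "pass"))
```

The contrast with the SPF behaviour described on this page is the mail.example.com case: it has no DMARC record of its own yet still receives a quarantine policy inherited through the parent's sp tag, whereas a subdomain with no SPF record simply gets no SPF result. The last two print calls also show why alignment matters once sending subdomains are in play: a Return-Path on bounce.example.com aligns with mail.example.com under the inherited relaxed setting, but not with news.example.com, whose own record asks for strict alignment.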
Technical article
Documentation from AutoSPF explains that subdomains should not automatically inherit the SPF policy of the parent domain due to potential drawbacks and recommends building separate SPF records for all domains and subdomains.
22 Aug 2024 - AutoSPF
Technical article
Documentation from HostAdvice states that SPF can be effectively used with subdomains to control which mail servers are authorized to send email on their behalf, emphasizing explicit configuration for each subdomain.