Suped

Where should SPF, DKIM, and DMARC records be placed for email authentication?

Summary

The placement of SPF, DKIM, and DMARC records is a fundamental aspect of email authentication, crucial for ensuring deliverability and protecting your domain from spoofing. These records, all configured as DNS TXT records, must be correctly published in your domain's DNS. While the general principle is straightforward, specific considerations arise when using subdomains for email sending, which is common for marketing or transactional emails. Proper configuration dictates that these authentication records are associated with the exact domain or subdomain used in the email's technical 'From' address (Return-Path for SPF, Header From for DKIM and DMARC).


What email marketers say

Email marketers frequently encounter questions regarding where to precisely place SPF, DKIM, and DMARC records, especially when working with various third-party email service providers (ESPs) or utilizing dedicated subdomains for campaigns. The consensus among marketing professionals points towards ensuring these records are correctly configured on the specific domain or subdomain from which emails are dispatched, aligning with best practices for email deliverability.

Marketer view

A marketer from Email Geeks notes that their previous workplace didn't have SPF records for their mailing subdomain. This led them to believe that this configuration was permissible, though it might not always be the optimal setup for deliverability.

24 Jan 2019 - Email Geeks

Marketer view

A marketer from Mailgun's blog emphasizes that strong email authentication protocols like SPF, DKIM, and DMARC are crucial for protecting email from spoofing attempts. They add that proper setup significantly improves overall email deliverability rates.

22 Jun 2023 - Mailgun

What the experts say

Email deliverability experts are unanimous: SPF, DKIM, and DMARC records must be accurately published in the DNS of the domain or subdomain that is actively sending emails. This adherence to proper DNS placement is not merely a technicality; it is a critical foundation for email authentication, directly influencing sender reputation and the successful delivery of messages to the inbox. Without precise configuration, even legitimate emails risk being flagged as spam or outright rejected by receiving mail servers, affecting your email deliverability metrics.

Expert view

An expert from Spam Resource advises that both SPF and DKIM records are domain-specific and essential for proper email authentication. They highlight that these records must be accurately published within the DNS zone file of the exact domain from which emails are being sent.

22 Mar 2025 - Spam Resource

Expert view

An expert from Word to the Wise explains that DMARC policies are critical because they provide receiving mail servers with clear instructions. These instructions dictate how to handle email messages that fail either SPF or DKIM alignment checks for the organizational domain, thereby enhancing security.

22 Mar 2025 - Word to the Wise

What the documentation says

Official documentation from various sources, including internet standards bodies (e.g., IETF RFCs) and major email service providers, consistently provides definitive guidelines on the precise placement and structural requirements for SPF, DKIM, and DMARC records. These critical email authentication protocols are almost exclusively implemented as TXT records within the Domain Name System (DNS).

Technical article

Documentation from RFC 7208, which defines SPF, specifies that SPF records are published as DNS TXT records. These records are placed at the exact domain name they are designed to protect, detailing all authorized hosts that are permitted to send email on that domain's behalf.

22 Mar 2025 - RFC 7208

Technical article

Documentation from RFC 6376, outlining DKIM, states that the DKIM public key is retrieved from a TXT record. This record is specifically located at a hostname constructed with a 'selector' subdomain, such as selector._domainkey.domain.com, within the DNS.

22 Mar 2025 - RFC 6376
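
The placement rules above, worked through for one message as an added example (not code from Suped or from the RFCs): it computes the DNS name where each record is looked up and checks a constructed zone for it. The `_dmarc.` label and the fallback to the organizational domain follow RFC 7489; the domains, the selector `s1`, the `ZONE` contents and the caller-supplied organizational domain are assumptions for illustration.

```python
# Added example: find where each authentication record must live for one message.
# ZONE is constructed sample data standing in for live DNS TXT lookups.
ZONE = {
    "example.com": ["v=spf1 include:_spf.example.net -all", "unrelated-verification=abc"],
    "_dmarc.example.com": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"],
    "bounce.mail.example.com": ["v=spf1 ip4:192.0.2.10 -all"],
    "s1._domainkey.mail.example.com": ["v=DKIM1; k=rsa; p=CONSTRUCTEDPUBLICKEY"],
}

def txt(name):
    return ZONE.get(name.lower().rstrip("."), [])

def spf_record(mail_from_domain):
    """SPF is read at the exact Return-Path domain; a parent's record is not inherited."""
    found = [r for r in txt(mail_from_domain)
             if r.lower() == "v=spf1" or r.lower().startswith("v=spf1 ")]
    if len(found) > 1:
        return "permerror: multiple SPF records"  # RFC 7208 section 4.5
    return found[0] if found else None

def dkim_key(selector, d_domain):
    """The DKIM key is read at <selector>._domainkey.<d= domain>."""
    name = f"{selector}._domainkey.{d_domain}"
    for r in txt(name):
        tags = dict(t.strip().split("=", 1) for t in r.split(";") if "=" in t)
        if tags.get("p"):  # an empty p= means the key was revoked
            return name, r
    return name, None

def dmarc_policy(header_from_domain, org_domain):
    """DMARC is read at _dmarc.<Header From domain>, then _dmarc.<organizational domain>."""
    for d in dict.fromkeys([header_from_domain, org_domain]):
        recs = [r for r in txt(f"_dmarc.{d}") if r.startswith("v=DMARC1")]
        if recs:
            return f"_dmarc.{d}", (recs[0] if len(recs) == 1 else None)
    return None, None

def audit(mail_from_domain, selector, d_domain, header_from_domain, org_domain):
    dkim_name, key = dkim_key(selector, d_domain)
    dmarc_name, policy = dmarc_policy(header_from_domain, org_domain)
    return {"spf_at": mail_from_domain, "spf": spf_record(mail_from_domain),
            "dkim_at": dkim_name, "dkim": key,
            "dmarc_at": dmarc_name, "dmarc": policy}
```

Calling `audit("bounce.mail.example.com", "s1", "mail.example.com", "mail.example.com", "example.com")` shows the subdomain needing its own SPF and DKIM records while DMARC is picked up from the organizational domain.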
