The placement of SPF, DKIM, and DMARC records is a fundamental aspect of email authentication, crucial for deliverability and for protecting your domain from spoofing. All three are published as DNS TXT records in your domain's zone. The general principle is straightforward, but specific considerations arise when a subdomain is used for sending, which is common for marketing or transactional mail. Each record must be published at the name a receiving server actually queries: the SPF record at the Return-Path (SMTP MAIL FROM) domain, the DKIM public key under the signing domain named in the signature's d= tag, and the DMARC policy at _dmarc under the visible Header From domain (or its organizational domain). DMARC then checks that the SPF or DKIM domain aligns with the Header From domain.
Key findings
DNS records: All SPF, DKIM, and DMARC configurations are implemented as DNS TXT records within your domain's zone file.
SPF validation: SPF (Sender Policy Framework) lets a receiving server check the connecting server's IP address against the list of hosts authorized by the domain in the SMTP MAIL FROM identity (the envelope sender, later recorded in the Return-Path header).
DKIM authentication: DKIM (DomainKeys Identified Mail) attaches a cryptographic signature whose public key is published in DNS under the domain in the signature's d= tag. A valid signature proves that the signed headers and body have not been altered since signing and that the d= domain took responsibility for the message.
DMARC policy: DMARC (Domain-based Message Authentication, Reporting, and Conformance) tells receiving servers how to handle messages that fail both aligned SPF and aligned DKIM, according to the policy you publish (none, quarantine, or reject), and where to send aggregate reports.
Key considerations
Domain alignment: DMARC relies on identifier alignment: the visible From domain must match the domain authenticated by SPF (the Return-Path domain) or by DKIM (the d= domain), exactly in strict mode or by organizational domain in the default relaxed mode. This is often the trickiest part of the setup.
Subdomain requirements: If you send from a subdomain (e.g., email.yourdomain.com), the subdomain needs its own SPF record (if it is the Return-Path domain) and its own DKIM key (if it is the signing domain), separate from those of your primary domain. A DMARC record at the subdomain is optional: if none exists, receivers fall back to the organizational domain's record and apply its sp= subdomain policy, or p= if sp= is absent.
Deliverability impact: Correctly configuring these records is essential for preventing your emails from being marked as spam or rejected, thereby improving overall email deliverability.
DNS host management: The exact steps for adding these TXT records will depend on your DNS hosting provider (e.g., GoDaddy, Cloudflare, etc.).
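The alignment rules above are easiest to see as a receiver evaluates them. The following script is an added worked example, not code from the original page: it derives the organizational domain, applies strict or relaxed alignment, and computes the DMARC outcome for three constructed sending setups (an ESP Return-Path with your own DKIM key, an ESP Return-Path with the ESP's DKIM key, and your own bounce subdomain with no DKIM). The Public Suffix List is replaced by a small constructed table so it runs offline; a real verifier loads the full list.

```python
"""DMARC identifier alignment as a receiving server evaluates it (RFC 7489).

Added worked example for this page; not code from the original article.
The Public Suffix List is replaced by a small constructed table (assumption)
so the script runs offline. A real verifier loads the full list.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed subset standing in for the Public Suffix List.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}


def organizational_domain(domain: str) -> str:
    """Registrable domain, e.g. mail.example.co.uk -> example.co.uk."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            # one label to the left of the longest matching public suffix
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels)


def aligned(header_from: str, auth_domain: str, mode: str = "r") -> bool:
    """Strict ('s') needs an exact match; relaxed ('r', the RFC default)
    only needs the same organizational domain."""
    f = header_from.lower().rstrip(".")
    a = auth_domain.lower().rstrip(".")
    if mode == "s":
        return f == a
    return organizational_domain(f) == organizational_domain(a)


@dataclass
class AuthResults:
    header_from: str            # domain of the visible RFC5322.From address
    mailfrom_domain: str        # SMTP MAIL FROM (Return-Path) domain, the SPF identity
    spf_pass: bool
    dkim_d: Optional[str]       # d= tag of the DKIM-Signature; None if unsigned
    dkim_pass: bool


def dmarc_result(r: AuthResults, aspf: str = "r", adkim: str = "r") -> dict:
    """DMARC passes when at least one passing identifier is aligned."""
    spf_aligned = r.spf_pass and aligned(r.header_from, r.mailfrom_domain, aspf)
    dkim_aligned = (r.dkim_d is not None and r.dkim_pass
                    and aligned(r.header_from, r.dkim_d, adkim))
    return {"spf_aligned": spf_aligned, "dkim_aligned": dkim_aligned,
            "dmarc_pass": spf_aligned or dkim_aligned}


# Constructed scenarios for a marketing subdomain sent through an ESP.
ESP_BOUNCE_OWN_DKIM = AuthResults("news.example.com", "bounce.esp-provider.net", True,
                                  "news.example.com", True)
ESP_BOUNCE_ESP_DKIM = AuthResults("news.example.com", "bounce.esp-provider.net", True,
                                  "esp-provider.net", True)
OWN_BOUNCE_NO_DKIM = AuthResults("example.com", "bounce.example.com", True, None, False)

if __name__ == "__main__":
    for name, r in [("ESP Return-Path, own DKIM key", ESP_BOUNCE_OWN_DKIM),
                    ("ESP Return-Path, ESP DKIM key", ESP_BOUNCE_ESP_DKIM),
                    ("own bounce subdomain, no DKIM", OWN_BOUNCE_NO_DKIM)]:
        print(f"{name}: relaxed={dmarc_result(r)} strict={dmarc_result(r, 's', 's')}")
```

The second scenario is the one that bites marketers who let the ESP handle everything: SPF and DKIM both pass, but neither identity belongs to the From domain, so DMARC fails. The third shows why aspf=s is risky when bounces go through a subdomain.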
Email marketers frequently encounter questions regarding where to precisely place SPF, DKIM, and DMARC records, especially when working with various third-party email service providers (ESPs) or utilizing dedicated subdomains for campaigns. The consensus among marketing professionals points towards ensuring these records are correctly configured on the specific domain or subdomain from which emails are dispatched, aligning with best practices for email deliverability.
Key opinions
Vendor management: Some ESPs manage the sender and return-path domains, which may reduce the need for marketers to set up authentication records directly on their primary domain.
Organizational responsibility: In large organizations, there can be a lack of clarity regarding who is responsible for managing email authentication settings, potentially leading to misconfigurations.
Subdomain setup: While not ideal, some marketers have observed cases where SPF records are not explicitly set up for mailing subdomains, which can be a point of confusion or oversight.
ESP relationship: Always clarify with your email service provider which aspects of email authentication they manage, and which you are responsible for configuring in your DNS.
Internal accountability: Establish clear internal protocols and responsibilities for managing DNS records related to email authentication to prevent oversight.
Comprehensive subdomain coverage: Ensure that every domain or subdomain used for sending has its own correctly configured SPF and DKIM records and is covered by a DMARC policy, whether inherited from the organizational domain or published at the subdomain, to maintain optimal inbox placement.
Proactive testing: Regularly test your email authentication setup to catch any issues early, preventing deliverability problems.
Marketer view
A marketer from Email Geeks notes that their previous workplace didn't have SPF records for their mailing subdomain. This led them to believe that this configuration was permissible, though it might not always be the optimal setup for deliverability.
24 Jan 2019 - Email Geeks
Marketer view
A marketer from Mailgun's blog emphasizes that strong email authentication protocols like SPF, DKIM, and DMARC are crucial for protecting email from spoofing attempts. They add that proper setup significantly improves overall email deliverability rates.
22 Jun 2023 - Mailgun
What the experts say
Email deliverability experts are unanimous: SPF, DKIM, and DMARC records must be accurately published in the DNS of the domain or subdomain that is actively sending emails. This adherence to proper DNS placement is not merely a technicality; it is a critical foundation for email authentication, directly influencing sender reputation and the successful delivery of messages to the inbox. Without precise configuration, even legitimate emails risk being flagged as spam or outright rejected by receiving mail servers, affecting your email deliverability metrics.
Key opinions
Alignment is paramount: Experts stress that authentication records must align with the From domain to ensure DMARC passes.
Subdomain independence: Any subdomain used for sending mail (e.g., for marketing or transactional emails) requires its own dedicated SPF and DKIM records, distinct from the primary domain.
DMARC at organizational level: While subdomains need their own SPF/DKIM, DMARC is typically set up on the organizational domain, with policies often inherited by or explicitly defined for subdomains.
Avoiding failures: Failing to properly configure these records on sending subdomains can lead to email rejection or misclassification as spam, directly impacting sender reputation.
Key considerations
Regular audits: Periodically audit your DNS records to ensure all authentication entries are accurate, current, and correctly configured, especially after any changes to your sending infrastructure.
Inter-domain interaction: Understand how your primary domain's authentication settings interact with those of any sending subdomains to avoid conflicts or misalignments.
Utilize DMARC reports: Leverage DMARC reports to gain insight into authentication failures, helping to pinpoint and correct misconfigurations on your sending domains.
Expert view
An expert from Spam Resource advises that both SPF and DKIM records are domain-specific and essential for proper email authentication. They highlight that these records must be accurately published within the DNS zone file of the exact domain from which emails are being sent.
22 Mar 2025 - Spam Resource
Expert view
An expert from Word to the Wise explains that DMARC policies are critical because they provide receiving mail servers with clear instructions. These instructions dictate how to handle email messages that fail either SPF or DKIM alignment checks for the organizational domain, thereby enhancing security.
22 Mar 2025 - Word to the Wise
What the documentation says
Official documentation from various sources, including internet standards bodies (e.g., IETF RFCs) and major email service providers, consistently provides definitive guidelines on the precise placement and structural requirements for SPF, DKIM, and DMARC records. These critical email authentication protocols are almost exclusively implemented as TXT records within the Domain Name System (DNS).
Key findings
SPF record structure: SPF records are published as TXT records in the DNS, located at the domain name they are intended to protect. They list all authorized hosts or IP addresses permitted to send mail on behalf of that domain, referencing RFC 7208 guidelines.
DKIM record structure: DKIM records are also TXT records and contain the public key necessary for verifying email signatures. These records are typically found at a specific hostname, such as selector._domainkey.domain.com, as defined by RFC 6376.
DMARC record structure: A DMARC record is published as a TXT record at the subdomain _dmarc.domain.com. This record defines the policy for handling unauthenticated mail, along with reporting mechanisms, as outlined in RFC 7489.
Domain association: Each record must be placed in the DNS zone of the domain that serves as the relevant identity: the Return-Path (MAIL FROM) domain for SPF, the signing domain named in the DKIM signature's d= tag for DKIM, and the Header From domain (or its organizational domain) for DMARC.
Key considerations
DNS propagation: The DNS TTL (Time To Live) setting on these records dictates how quickly changes propagate across the internet. A lower TTL can facilitate faster updates during initial setup or troubleshooting.
SPF lookup limits: RFC 7208 caps the DNS-querying terms in one SPF evaluation (include, a, mx, ptr, exists and redirect, counted across nested includes) at 10. A record that exceeds the cap evaluates to PermError, which DMARC treats as an SPF failure and which can hurt deliverability.
DMARC alignment requirements: DMARC passes only when at least one authentication result is both valid and aligned: SPF passes for a Return-Path domain aligned with the visible From domain, or DKIM verifies with a d= domain aligned with it. Alignment is relaxed (organizational domain match) by default and strict (exact match) when aspf=s or adkim=s is set.
Subdomain configuration: Any subdomain that appears as a Return-Path or DKIM signing domain must have its own SPF or DKIM entries at that name; records published at the parent domain do not apply to it.
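The record locations in the Key findings above and the lookup limit from the considerations can be exercised together. The script below is an added worked example, not code from the page or from any of the cited sources: it resolves the three record names a receiver queries, applies the DMARC subdomain fallback with sp=, and counts SPF DNS lookups through nested includes to flag a record that would return PermError. DNS is replaced by a constructed in-memory zone (the example.com and esp-provider.net names, the DKIM key value, and the record contents are all assumptions); for a live check, replace txt() with a resolver such as dnspython's dns.resolver.resolve(name, "TXT"). The organizational-domain step is simplified to the last two labels, which is wrong for suffixes like co.uk; production code uses the Public Suffix List.

```python
"""Where receivers look up SPF, DKIM and DMARC records, and the SPF
DNS-lookup limit of RFC 7208 section 4.6.4.

Added worked example, not code from the page. DNS is replaced by a
constructed in-memory zone (assumption) so the script runs offline.
"""
import re

# Constructed zone: marketing mail leaves news.example.com through an ESP.
ZONE = {
    "example.com": ["v=spf1 mx -all"],
    "_dmarc.example.com": ["v=DMARC1; p=reject; sp=quarantine; adkim=s; rua=mailto:dmarc@example.com"],
    "news.example.com": ["v=spf1 include:spf.esp-provider.net -all"],
    "s1._domainkey.news.example.com": ["v=DKIM1; k=rsa; p=PLACEHOLDERBASE64KEY"],  # constructed placeholder
    "spf.esp-provider.net": ["v=spf1 include:_a.esp-provider.net include:_b.esp-provider.net ~all"],
    "_a.esp-provider.net": ["v=spf1 ip4:198.51.100.0/24 a mx -all"],
    "_b.esp-provider.net": ["v=spf1 ip4:203.0.113.0/24 -all"],
    # Constructed legacy record that has accumulated far too many lookups.
    "legacy.example.com": ["v=spf1 a mx ptr exists:%{i}.chk.example.com "
                           "include:_a.esp-provider.net include:_b.esp-provider.net "
                           "include:spf.esp-provider.net mx:mail2.example.com "
                           "a:web.example.com include:_a.esp-provider.net -all"],
}

# Terms that cost a DNS query (ip4, ip6 and all do not).
LOOKUP_TERMS = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists|redirect)(?=[:=/]|$)")


def txt(name: str) -> list:
    """Stand-in for a TXT lookup against the constructed zone."""
    return ZONE.get(name.lower().rstrip("."), [])


def tags(record: str) -> dict:
    """Parse 'tag=value; tag=value' (DKIM and DMARC records share this syntax)."""
    return {k.strip(): v.strip() for k, v in
            (kv.split("=", 1) for kv in record.split(";") if "=" in kv)}


def spf_record(domain: str):
    """SPF lives at the Return-Path (MAIL FROM) domain itself; exactly one v=spf1 TXT."""
    found = [r for r in txt(domain) if r.lower().startswith("v=spf1 ") or r.lower() == "v=spf1"]
    if len(found) > 1:
        raise ValueError("permerror: multiple SPF records")
    return found[0] if found else None


def dkim_key(selector: str, d: str) -> dict:
    """DKIM public key lives at <selector>._domainkey.<d=>, the signing domain."""
    recs = txt(f"{selector}._domainkey.{d}")
    return tags(recs[0]) if recs else {}


def dmarc_policy(header_from: str):
    """_dmarc.<From domain>; if absent, _dmarc.<org domain> with sp= applying to subdomains."""
    recs = [r for r in txt(f"_dmarc.{header_from}") if r.startswith("v=DMARC1")]
    if recs:
        return tags(recs[0])["p"], f"_dmarc.{header_from}"
    org = ".".join(header_from.split(".")[-2:])  # simplification; real code uses the PSL
    recs = [r for r in txt(f"_dmarc.{org}") if r.startswith("v=DMARC1")]
    if not recs:
        return "none", None
    t = tags(recs[0])
    return t.get("sp", t["p"]), f"_dmarc.{org}"


def spf_lookups(domain: str, depth: int = 0) -> int:
    """Count DNS-querying terms, following include: and redirect= recursively."""
    if depth > 10:
        raise ValueError("permerror: include/redirect nesting too deep")
    rec = spf_record(domain)
    if rec is None:
        return 0
    count = 0
    for term in rec.split()[1:]:
        m = LOOKUP_TERMS.match(term.lower())
        if not m:
            continue
        count += 1
        if m.group(1) == "include":
            count += spf_lookups(term.split(":", 1)[1], depth + 1)
        elif m.group(1) == "redirect":
            count += spf_lookups(term.split("=", 1)[1], depth + 1)
    return count


def spf_check(domain: str) -> str:
    n = spf_lookups(domain)
    return f"{n} lookups: " + ("permerror (limit is 10)" if n > 10 else "ok")


if __name__ == "__main__":
    print("DMARC for news.example.com:", dmarc_policy("news.example.com"))
    print("DKIM key s1 at news.example.com:", dkim_key("s1", "news.example.com"))
    for d in ("example.com", "news.example.com", "legacy.example.com"):
        print(f"SPF {d}: {spf_check(d)}")
```

Note how the subdomain's DMARC lookup lands on the organizational record and picks up sp=quarantine rather than p=reject, and how a single include of an ESP's record can contribute several lookups at once, which is how legacy records drift past the limit.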
Technical article
Documentation from RFC 7208, which defines SPF, specifies that SPF records are published as DNS TXT records. These records are placed at the exact domain name they are designed to protect, detailing all authorized hosts that are permitted to send email on that domain's behalf.
22 Mar 2025 - RFC 7208
Technical article
Documentation from RFC 6376, outlining DKIM, states that the DKIM public key is retrieved from a TXT record. This record is specifically located at a hostname constructed with a 'selector' subdomain, such as selector._domainkey.domain.com, within the DNS.