Will SPF and DKIM on a subdomain but delivering emails through a main domain cause an issue?

Key findings

• Authentication points: SPF authenticates the Return-Path domain, while DKIM authenticates the domain specified in its d= tag.
• From header domain: Neither SPF nor DKIM directly authenticate the From header domain itself.
• Alignment importance: For DMARC to pass, the SPF-authenticated domain and the DKIM-signed domain must align with the organizational domain of the From header. This is the ideal setup.
• Subdomain reputation: Using a subdomain for sending can help protect the reputation of your main domain, as reputation issues are often contained.
• SPF policy inheritance: Subdomains should not inherit the SPF policy of the main domain, as this can negatively impact authorized email sources not linked with the subdomain.

Key considerations

• DMARC policy: Ensure your DMARC record includes a subdomain policy (sp tag) to specify how to handle emails from subdomains.
• Explicit SPF: If using a subdomain for sending, it needs its own SPF record that explicitly authorizes the sending server.
• DKIM setup: DKIM should be set up on the subdomain with the d=tag matching the organizational domain of the From header, even if it's the main domain.
• Monitoring: Regularly monitor DMARC reports to ensure SPF and DKIM are passing authentication and alignment checks for both your main domain and subdomains.

Key opinions

• Header confusion: Marketers can find it confusing when the email is received from the main domain but the header shows subdomain authentication.
• Subdomain protection: Sending emails from a subdomain specifically for that purpose can help protect the reputation of the main domain from potential spam issues.
• Reputation inheritance: Subdomains, especially new ones, will inherit some of the reputation of the parent domain, meaning a bad reputation on the main domain can affect subdomains.
• Server mismatch: A server mismatch between the subdomain's authentication and the main domain's From address isn't an issue as long as SPF explicitly authorizes the sending service for the subdomain.
• No inherited SPF: Subdomains do not automatically inherit the main domain's SPF record; they require their own.

Key considerations

• Header visibility: Marketers should review email headers to understand which domain is actually being authenticated for SPF and DKIM, particularly the Return-Path.
• DMARC alignment for subdomains: Ensure your DMARC record's sp tag is correctly configured to manage subdomain email policies.
• Dedicated subdomains: Consider setting up dedicated subdomains for different types of email (e.g., marketing vs. transactional) to isolate reputation.
• Consistent configuration: Maintain clear and consistent SPF and DKIM configurations for all sending subdomains to avoid confusion and ensure proper authentication.

Key opinions

• Return-path authentication: SPF primarily authenticates the Return-Path (envelope-from) domain, which is often a subdomain set by the email service provider.
• DKIM d= tag: The DKIM d=tag specifies the signing domain, which should ideally align with the organizational domain of the From header.
• From header vs. authentication: It's common and acceptable for the domains authenticated by SPF and DKIM to differ from the visible From header, as long as DMARC alignment is achieved.
• Ideal alignment: The ideal scenario is when the SPF-authenticated domain and the DKIM-signed domain are within the same organizational domain as the From header, ensuring DMARC passes.
• No issues: This setup, when correctly configured for DMARC alignment, is not only acceptable but often considered the best practice for robust email authentication.

Key considerations

• DMARC policy for subdomains: Experts recommend configuring a DMARC record that specifically addresses subdomain policy using the sp tag, even if the subdomain doesn't actively send emails.
• Authentication check: Always inspect email headers to verify that SPF and DKIM are authenticating the expected domains and that DMARC is passing alignment.
• Dedicated sending subdomains: Utilizing specific subdomains for email sending can help isolate reputation issues from the main brand.
• Multiple SPF records: Avoid creating multiple SPF records on a single domain, as this can cause rejections; merge them into one if necessary.

Key findings

• Separate SPF records: Subdomains do not inherit the SPF record of the main domain; each subdomain used for sending requires its own SPF record.
• DMARC goal: The primary goal of DMARC is to ensure that the domain in the From address aligns with the domain authenticated by SPF or DKIM.
• One SPF record: The SPF specification requires that a domain have only one SPF record. Multiple SPF records can cause validation issues and email rejections.
• Subdomain policy (sp): The DMARC sp tag allows domain owners to define specific DMARC policies for their subdomains.
• Flexibility in DMARC: DMARC alignment allows for SPF or DKIM authentication on a subdomain to pass, as long as the subdomain is part of the same organizational domain as the From header.

Key considerations

• Explicit authorization: Any external service sending emails on behalf of a subdomain must be explicitly authorized in that subdomain's SPF record.
• DMARC policy strength: Bulk senders should implement DMARC with a minimum policy of p=noneto monitor alignment before enforcing stricter policies.
• Domain reputation separation: While subdomains inherit some reputation, using them specifically for sending can help contain reputation issues from affecting the main domain.
• Configuration for all domains: It is important to ensure proper SPF and DKIM configurations for all subdomains, even those not directly used for email, especially if a DMARC record is applied to the organizational domain.