Will SPF and DKIM on a subdomain but delivering emails through a main domain cause an issue?
Michael Ko
Co-founder & CEO, Suped
Published 27 Jun 2025
Updated 16 Aug 2025
7 min read
When managing email deliverability, questions often arise about the intricate relationship between various email authentication protocols, especially SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail), and how they interact with subdomains versus main domains. A common scenario involves configuring SPF and DKIM records on a subdomain (e.g., mg.yourcompany.com) while the emails appear to be sent from your main domain (e.g., yourcompany.com). This setup can lead to confusion about whether it creates a deliverability issue.
The short answer is no, this configuration typically does not cause an issue, and in many cases, it's actually the recommended and ideal setup. The key lies in understanding how email authentication works, particularly DMARC (Domain-based Message Authentication, Reporting & Conformance) alignment, and which domains SPF and DKIM actually authenticate.
SPF, DKIM, and DMARC are fundamental to email authentication and play a crucial role in preventing spoofing and phishing, ultimately impacting your email deliverability. SPF (Sender Policy Framework) verifies the sending server's IP address against a list of authorized IPs in a DNS TXT record for the domain specified in the email's Return-Path (also known as the Mail From or Envelope From) header. DKIM (DomainKeys Identified Mail) uses cryptographic signatures to ensure that the email content hasn't been tampered with in transit, authenticating the domain indicated in the d= tag of the DKIM signature.
It's important to differentiate between the domains SPF and DKIM authenticate and the "From" address (RFC 5322.From) that recipients see in their email client. The Return-Path domain and the DKIM signing domain (d= domain) are often technical domains, frequently subdomains, which may differ from the human-visible "From" address. This distinction is critical for understanding why SPF and DKIM on a subdomain are not problematic. For more details on the basics, review a simple guide to DMARC, SPF, and DKIM.
An SPF record published for mg.yourcompany.com that lists Mailgun's servers tells receiving servers that mail using mg.yourcompany.com as its Return-Path is authorized when it originates from those servers. This separation of concerns allows for robust authentication mechanisms without requiring the "From" domain to be the one directly authenticated by SPF or DKIM.
The role of DMARC in alignment
DMARC is the protocol that ties SPF and DKIM together and provides instructions to receiving mail servers on how to handle emails that fail authentication. For an email to pass DMARC, at least one of SPF or DKIM must pass, and the domain that passing check authenticated must "align" with the "From" domain. Alignment means that the domain authenticated by SPF (Return-Path domain) or DKIM (d= domain) must either be identical to the "From" domain (strict alignment) or share the "From" domain's organizational domain, for example by being a subdomain of it (relaxed alignment).
When your SPF and DKIM records are set up on a subdomain (e.g., mg.yourcompany.com) but the email's "From" address uses your main domain (e.g., yourcompany.com), DMARC alignment is typically achieved through relaxed alignment. This is because mg.yourcompany.com is a subdomain of yourcompany.com, satisfying the DMARC requirement. This setup is common for email service providers (ESPs) who often use subdomains for sending infrastructure. For instance, SPF authenticates the Mail From domain, while DKIM authenticates the d= domain, as explained by Twilio's SendGrid.
Header Field         Example Value                    Authenticated By
From:                sender@yourcompany.com           DMARC
Return-Path:         bounce-mg@mg.yourcompany.com     SPF
DKIM-Signature d=    mg.yourcompany.com               DKIM
As long as the Return-Path (SPF) domain or the DKIM d= domain is either identical to or a subdomain of the From domain, DMARC will pass, ensuring good deliverability. This is why having SPF and DKIM on a subdomain is generally not an issue when delivering emails through the main domain.
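The alignment rule above, worked through as an added example that is not part of the original article: the script pulls the three identifiers out of a constructed header block (the From domain, the Return-Path domain and the DKIM d= domain), then applies strict or relaxed alignment against the From domain the way a DMARC evaluator would. The SPF and DKIM verdicts are passed in as parameters because the receiver has already computed them; the organizational-domain helper is a deliberate simplification (last two labels) and is an assumption of this example, since real evaluators consult the Public Suffix List.

```python
"""Evaluate DMARC identifier alignment from raw message headers.

Added example, not the article's code. The headers below are constructed;
the organizational-domain rule is a deliberate simplification (see note).
"""
import re
from typing import Dict, List, Optional

# Constructed headers for the setup in the article: From on the main
# domain, Return-Path and DKIM d= on the sending subdomain.
SAMPLE_HEADERS = """\
Return-Path: <bounce-mg@mg.yourcompany.com>
From: Sender <sender@yourcompany.com>
To: recipient@example.net
Subject: Alignment check
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mg.yourcompany.com;
 s=s1; h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER
"""

_ADDR_DOMAIN = re.compile(r"@([A-Za-z0-9.-]+)")
_DKIM_D = re.compile(r"(?:^|;)\s*d=([^;\s]+)")


def organizational_domain(domain: str, labels: int = 2) -> str:
    """Approximate the organizational domain by keeping the last `labels` labels.

    Assumption of this example: real evaluators consult the Public Suffix List,
    which this shortcut gets wrong for suffixes such as co.uk.
    """
    parts = domain.lower().rstrip(".").split(".")
    return ".".join(parts[-labels:])


def is_aligned(auth_domain: str, from_domain: str, mode: str = "r") -> bool:
    """Strict ('s') alignment needs identical domains; relaxed ('r') needs the
    same organizational domain, which is what lets mg.yourcompany.com align
    with yourcompany.com."""
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    if mode == "s":
        return a == f
    return organizational_domain(a) == organizational_domain(f)


def _unfold(headers: str) -> List[str]:
    """Join folded continuation lines (leading whitespace) to their header."""
    lines: List[str] = []
    for raw in headers.splitlines():
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += " " + raw.strip()
        else:
            lines.append(raw)
    return lines


def parse_identifiers(headers: str) -> Dict[str, Optional[str]]:
    """Extract the From domain, Return-Path domain and DKIM d= domain."""
    ids: Dict[str, Optional[str]] = {"from": None, "return_path": None, "dkim_d": None}
    for line in _unfold(headers):
        name, _, value = line.partition(":")
        name = name.strip().lower()
        if name == "from":
            m = _ADDR_DOMAIN.search(value)
            ids["from"] = m.group(1) if m else None
        elif name == "return-path":
            m = _ADDR_DOMAIN.search(value)
            ids["return_path"] = m.group(1) if m else None
        elif name == "dkim-signature":
            m = _DKIM_D.search(value)
            ids["dkim_d"] = m.group(1) if m else None
    return ids


def evaluate_dmarc(headers: str, spf_result: str, dkim_result: str,
                   aspf: str = "r", adkim: str = "r") -> Dict[str, object]:
    """Combine the receiver's SPF/DKIM verdicts with alignment against the
    From domain; DMARC passes when either check both passes and aligns."""
    ids = parse_identifiers(headers)
    from_domain = ids["from"]
    if not from_domain:
        return {"identifiers": ids, "spf_aligned": False, "dkim_aligned": False, "dmarc": "fail"}
    spf_aligned = (spf_result == "pass" and bool(ids["return_path"])
                   and is_aligned(ids["return_path"], from_domain, aspf))
    dkim_aligned = (dkim_result == "pass" and bool(ids["dkim_d"])
                    and is_aligned(ids["dkim_d"], from_domain, adkim))
    return {
        "identifiers": ids,
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "dmarc": "pass" if (spf_aligned or dkim_aligned) else "fail",
    }


if __name__ == "__main__":
    for mode in ("r", "s"):
        print(mode, evaluate_dmarc(SAMPLE_HEADERS, "pass", "pass", aspf=mode, adkim=mode))
```

Running it shows the point of the table: with the default relaxed mode both identifiers align and DMARC passes, while switching the DMARC record to strict alignment (aspf=s, adkim=s) makes the same subdomain setup fail, because mg.yourcompany.com is no longer identical to yourcompany.com.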
Common scenarios and best practices
Many organizations intentionally use subdomains for different types of email traffic, such as transactional, marketing, or bulk emails. This strategy helps isolate the reputation of different sending streams. For example, if your marketing emails sent from marketing.yourcompany.com encounter issues, it's less likely to immediately impact the deliverability of your critical transactional emails sent from transactional.yourcompany.com or your primary domain.
Consider these key points when configuring your setup:
One SPF record per domain/subdomain: Each domain or subdomain that sends email should have its own SPF record. You cannot have multiple SPF records for a single host. Learn more about SPF record configuration from Microsoft.
Unique DKIM selectors: DKIM records use selectors, which are essentially sub-subdomains (e.g., s1._domainkey.yourcompany.com). This allows you to have multiple DKIM keys for a single domain or subdomain, typically one per sending service.
DMARC for the organizational domain: Your DMARC record should ideally be set at the organizational domain level (yourcompany.com), and its policies will apply to all subdomains unless overridden by a specific sp tag for subdomains.
Important note on DMARC and reputation
A correctly configured DMARC policy, alongside aligned SPF and DKIM records, is crucial for your email's authenticity and deliverability. It signals to receiving servers that your emails are legitimate, which can significantly boost your sender reputation (see also how subdomain issues affect parent domain reputation). DMARC failures, often caused by misconfigurations, can lead to your emails being rejected or sent to spam.
Avoiding potential pitfalls
While SPF and DKIM on a subdomain for main domain delivery is generally fine, misconfigurations can certainly lead to issues. One common pitfall is incorrect DMARC alignment. If the authenticated domains (Return-Path for SPF or d= for DKIM) are not within the same organizational domain as your "From" address, your emails will fail DMARC. This is a common cause of deliverability problems, as highlighted by eSecurityPlanet's insights into DMARC failures.
Another potential issue arises if you have multiple SPF records for the same domain or subdomain, which is explicitly prohibited by the SPF specification and can lead to a PermError. Similarly, neglecting to set up SPF for a subdomain that *is* used for sending can lead to SPF failures. Monitoring your DMARC reports is essential to catch these issues early.
Correct configuration
SPF on subdomain: The SPF record is published for mg.yourcompany.com, authorizing the sending IP.
DKIM on subdomain: The DKIM record is published for mg.yourcompany.com (via a selector), signing emails with this domain.
From header: The email sender is info@yourcompany.com.
DMARC Alignment: Both SPF and DKIM domains (mg.yourcompany.com) are subdomains of yourcompany.com, resulting in DMARC pass via relaxed alignment.
Outcome: High deliverability, strong sender reputation.
Incorrect configuration
SPF missing on subdomain: Emails sent from mg.yourcompany.com lack an SPF record, causing SPF failures.
DKIM misalignment: DKIM d= domain (e.g., anotherdomain.com) does not align with the From domain (yourcompany.com).
Multiple SPF records: Having two or more SPF records for yourcompany.com results in a PermError.
DMARC Policy: A strict DMARC policy (p=reject) is in place without proper SPF/DKIM alignment.
Outcome: Emails rejected, sent to spam, or quarantined.
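An added example, not from the article, that audits the DNS side of the correct and incorrect configurations listed above. It works on constructed, in-memory TXT record sets rather than live DNS, so it runs offline; the include: target and the DKIM public key are placeholders. The checks mirror the pitfalls in the text: a sending subdomain with no SPF record, more than one SPF record on a name (PermError), a missing DKIM selector record, a missing DMARC record at the organizational domain, and an enforcing policy (sp= if present, otherwise p=) in force while authentication is still incomplete.

```python
"""Offline audit of the DNS records behind a subdomain-sending setup.

Added example, not the article's code. The zone data is constructed;
owner names map to the list of TXT strings published there.
"""
from typing import Dict, List, Tuple

Zone = Dict[str, List[str]]

# Constructed "correct" zone: SPF and DKIM live on the sending subdomain,
# DMARC on the organizational domain. The include: target and the DKIM
# public key are placeholders, not real values.
GOOD_ZONE: Zone = {
    "mg.yourcompany.com": ["v=spf1 include:_spf.esp-placeholder.example ~all"],
    "s1._domainkey.mg.yourcompany.com": ["v=DKIM1; k=rsa; p=PLACEHOLDERPUBLICKEY"],
    "_dmarc.yourcompany.com": ["v=DMARC1; p=reject; rua=mailto:dmarc@yourcompany.com"],
}

# Constructed "incorrect" zone with the pitfalls from the text: two SPF
# records on the organizational domain (PermError), no SPF or DKIM on the
# sending subdomain, and p=reject already in force.
BAD_ZONE: Zone = {
    "yourcompany.com": [
        "v=spf1 ip4:192.0.2.10 -all",
        "v=spf1 include:_spf.esp-placeholder.example ~all",
    ],
    "_dmarc.yourcompany.com": ["v=DMARC1; p=reject"],
}


def spf_records(zone: Zone, name: str) -> List[str]:
    """All TXT strings at `name` that start with the SPF version tag."""
    return [t for t in zone.get(name, []) if t.lower().startswith("v=spf1")]


def parse_dmarc(txt: str) -> Dict[str, str]:
    """Split 'v=DMARC1; p=reject; sp=quarantine' into a tag dictionary."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        key, sep, val = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = val.strip()
    return tags


def effective_subdomain_policy(tags: Dict[str, str]) -> str:
    """sp= overrides p= for subdomains; without sp=, p= applies to them too."""
    return tags.get("sp", tags.get("p", "none"))


def audit(zone: Zone, sending_subdomain: str, org_domain: str,
          selector: str) -> List[Tuple[str, str]]:
    """Return (code, message) findings for the pitfalls described in the text."""
    findings: List[Tuple[str, str]] = []
    # One SPF record per name: two or more is a PermError for evaluators.
    for name in dict.fromkeys([sending_subdomain, org_domain]):
        n = len(spf_records(zone, name))
        if n > 1:
            findings.append(("SPF_MULTIPLE", f"{name} publishes {n} SPF records; evaluators return PermError"))
    # The subdomain that actually sends must carry its own SPF record.
    if not spf_records(zone, sending_subdomain):
        findings.append(("SPF_MISSING", f"{sending_subdomain} is used for sending but has no SPF record"))
    # DKIM keys live under <selector>._domainkey.<signing domain>.
    dkim_name = f"{selector}._domainkey.{sending_subdomain}"
    if not any("p=" in t for t in zone.get(dkim_name, [])):
        findings.append(("DKIM_MISSING", f"no DKIM public key at {dkim_name}"))
    # DMARC is published once, at the organizational domain.
    dmarc_txts = [t for t in zone.get(f"_dmarc.{org_domain}", []) if t.upper().startswith("V=DMARC1")]
    if not dmarc_txts:
        findings.append(("DMARC_MISSING", f"no DMARC record at _dmarc.{org_domain}"))
    else:
        policy = effective_subdomain_policy(parse_dmarc(dmarc_txts[0]))
        incomplete = any(c in ("SPF_MISSING", "DKIM_MISSING") for c, _ in findings)
        if policy != "none" and incomplete:
            findings.append(("ENFORCED_WITHOUT_AUTH",
                             f"_dmarc.{org_domain} enforces {policy} for subdomains while authentication is incomplete"))
    return findings


if __name__ == "__main__":
    for label, zone in (("good", GOOD_ZONE), ("bad", BAD_ZONE)):
        print(label, audit(zone, "mg.yourcompany.com", "yourcompany.com", "s1") or "no findings")
```

The same audit function can be pointed at real records by replacing the constructed dictionaries with TXT lookups for each owner name; the findings list is what you would want to clear before tightening p= or sp= from none to quarantine or reject.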
Regularly checking your email authentication setup and monitoring your DMARC reports are paramount to maintaining good deliverability. If you're encountering issues, debugging involves examining your email headers to understand which domains are being authenticated by SPF and DKIM and how they align with your "From" domain.
Views from the trenches
Best practices
Use subdomains for different email types, such as marketing or transactional, to manage reputation separately.
Ensure SPF and DKIM records are published for all domains and subdomains that send email.
Implement DMARC at the organizational domain level to enforce authentication and receive reports.
Common pitfalls
Having multiple SPF records on a single domain or subdomain, which causes a PermError.
Not ensuring DMARC alignment between the From header domain and the authenticated SPF/DKIM domains.
Overlooking the Return-Path (Mail From) domain when troubleshooting SPF authentication issues.
Expert tips
Monitor your DMARC reports closely to detect authentication failures and identify potential issues early.
Understand that SPF and DKIM do not authenticate the From header directly, but rather the Return-Path and d= domain respectively.
Utilize relaxed DMARC alignment (e.g., mg.yourcompany.com aligning with yourcompany.com) as it is a common and effective setup.
Expert view
Expert from Email Geeks says: SPF authenticates against the Return-Path, which is often a subdomain, so its record should be on that subdomain.
Oct 25, 2021 - Email Geeks
Expert view
Expert from Email Geeks says: The DKIM d= domain is typically the sending subdomain.
Oct 25, 2021 - Email Geeks
No cause for concern
In summary, having SPF and DKIM configured on a subdomain while delivering emails with a main domain is not inherently an issue. In fact, it's a common and effective strategy, especially when using third-party email service providers. The critical factor is DMARC alignment, which ensures that the authenticated domains (Return-Path for SPF and d= for DKIM) are properly related to the visible "From" domain.
When configured correctly, this setup enhances your email security, improves deliverability, and helps maintain a positive sender reputation. Always ensure your DNS records are accurate and monitor your DMARC reports regularly to catch any potential misconfigurations that could impact your inbox placement.