How do I set up SPF and DKIM records for new subdomains when using third-party email services?

Summary

Setting up SPF and DKIM for new subdomains with third-party email services involves several key steps. First, obtain the SPF and DKIM records from your email service provider, as they should not be self-generated. These records are added as DNS records, typically TXT, to your subdomain's DNS settings. SPF records authorize specific mail servers to send emails on behalf of your domain and should include the 'v=spf1' version tag, mechanisms such as 'include:' for third-party services, and a qualifier like '-all'. DKIM records contain a public key for verifying email authenticity, and the DKIM record name needs to match the selector provided. For SPF, be mindful of the 10 DNS lookup limit and consolidate records. It’s also essential to use a unique DKIM key for each subdomain and align SPF/DKIM with the domain in the 'From' header for DMARC validation. Furthermore, verify the setup using the provider's validation tools.

Key findings

  • Obtain Records from Provider: SPF and DKIM records should be obtained directly from the third-party email service provider.
  • DNS Record Type and Location: SPF and DKIM records are typically added as TXT records to the subdomain's DNS settings; DKIM may use CNAME.
  • SPF Record Structure: SPF records include 'v=spf1', authorized sending mechanisms (e.g., 'include:'), and a qualifier (e.g., '-all').
  • DKIM Record Function: DKIM records verify email authenticity with a public key.
  • SPF Record Importance: SPF authorizes specific mail servers to send emails on behalf of your domain.
  • DKIM Key Generation: You should generate a new DKIM key for each subdomain.
  • DMARC Alignment Necessity: SPF and DKIM records need to align with the domain in the 'From' header for DMARC validation when sending emails.

Key considerations

  • SPF DNS Lookup Limit: Be mindful of the SPF 10 DNS lookup limit, especially when using multiple includes.
  • Validation Procedures: Verify the setup of SPF and DKIM records using the tools provided by the email service.
  • Provider Signing: Many providers initially sign emails using their own domains, so make sure you set up your own authentication.

What email marketers say
12 Marketer opinions

When configuring SPF and DKIM for new subdomains with third-party email services, it's crucial to obtain the necessary records directly from the service providers. These records are then added as DNS records (typically TXT records, but DKIM may use CNAME) to the subdomain's DNS zone, not necessarily the parent domain. Ensure SPF records include all authorized senders using the 'include:' mechanism, but be mindful of the 10 DNS lookup limit. SPF's relevance depends on whether the provider uses your domain in the MAIL FROM domain; if not, an SPF record may not be provided. DKIM keys might be shared by the provider, so inquire about using your own. Always validate the setup using tools from the provider. SPF serves to authorize sending sources, preventing spoofing, and DKIM records require a selector name. It is also key to ensure that SPF or DKIM aligns with the 'From' domain for DMARC when sending from subdomains.

Key opinions

  • Provider Records: Third-party email services should supply the necessary SPF and DKIM records.
  • DNS Record Type: SPF records are generally added as TXT records, while DKIM may use TXT or CNAME records.
  • SPF Relevance: SPF is only relevant if the provider uses your domain in the MAIL FROM domain.
  • DKIM Key Ownership: Inquire about using your own DKIM key instead of a shared key from the provider.
  • Validation: Always validate the SPF and DKIM setup using the provider's tools.
  • SPF Purpose: SPF authorizes sending sources to prevent spoofing.
  • DKIM Selector: The DKIM record requires a specific selector name from the email service provider.

Key considerations

  • DNS Lookup Limit: Ensure your SPF record does not exceed the 10 DNS lookup limit when including multiple services.
  • Subdomain vs Domain: Publish the DKIM record to the subdomain's DNS zone, not the parent domain.
  • DMARC Alignment: SPF and DKIM records need to align with the domain in the 'From' header for DMARC validation.

Marketer view

Email marketer from Sendgrid answers that DNS records should be added at the domain/subdomain name servers or hosting provider.

July 2022 - Sendgrid
Marketer view

Email marketer from MXToolbox explains that the DKIM record goes into your DNS as a TXT record under a specific selector name provided by your email service. Verify the selector with the email service provider.

July 2023 - MXToolbox
Marketer view

Email marketer from Email Geeks explains that SPF is relevant when providers use your domain in the MAIL FROM domain. If they don't, they may not provide an SPF record.

June 2021 - Email Geeks
Marketer view

Email marketer from dmarcian answers that SPF is used to authorize sending sources for a domain, preventing spoofing and improving email deliverability.

August 2024 - dmarcian
Marketer view

Email marketer from Email on Acid shares that setting up SPF and DKIM records involves obtaining the correct values from your email service provider and then adding them as DNS records for your domain. Specifically, SPF records are added as TXT records, while DKIM often involves TXT or CNAME records.

September 2023 - Email on Acid
Marketer view

Email marketer from Stackoverflow responds that when using a third-party email service, ensure they provide the necessary DKIM key. You will add this as a TXT record to your subdomain's DNS settings. After adding the DKIM record, use the validation tools from your provider to confirm it's correctly set up.

February 2022 - Stackoverflow
Marketer view

Email marketer from Reddit advises that the third-party email service should provide you with the DKIM record that you need to add to your DNS. They emphasize that you shouldn't try to generate it yourself.

February 2024 - Reddit
Marketer view

Email marketer from Email Geeks confirms that providers should supply SPF and DKIM records. She explains that after obtaining the records, you add them to your web host and then validate them within the service.

June 2023 - Email Geeks
Marketer view

Email marketer from AuthSMTP responds that you should generate a new DKIM record for the subdomain and publish it to the subdomain's DNS zone rather than the parent domain.

June 2022 - AuthSMTP
Marketer view

Email marketer from DigitalOcean community shares that, to include multiple third-party services in your SPF record, use the 'include:' mechanism for each service. Ensure that your record does not exceed the 10 DNS lookup limit.

September 2023 - DigitalOcean
Marketer view

Email marketer from Email Geeks explains that providers might be signing emails with their own DKIM key and recommends asking if using your own DKIM is necessary, especially with shared infrastructure.

May 2024 - Email Geeks
Marketer view

Email marketer from EmailGeekForum explains that when using multiple email services, update your SPF record to include all authorized senders. Use the 'include:' mechanism for each provider (e.g., 'include:mailgun.org include:sendgrid.net'). Consolidate these into a single SPF record to avoid exceeding the DNS lookup limit.

November 2023 - EmailGeekForum

What the experts say
6 Expert opinions

Setting up SPF and DKIM for subdomains involves adding the ESP's SPF record to the sending domain's TXT record, while DKIM setup is similar but might use a CNAME record. Many providers sign emails with their domains initially, so setting up your own authentication is important. SPF has a 10 DNS lookup limit. Generate a new DKIM key for each subdomain to avoid reputation issues. SPF or DKIM must align with the domain in the 'From' header for DMARC validation when using subdomains.

Key opinions

  • SPF Example: SPF records include the ESP's SPF record in the sending domain's TXT record.
  • DKIM Record Type: DKIM setup may involve a CNAME record.
  • Authentication Importance: Setting up your own authentication is important, even if providers initially sign emails.
  • DKIM Key Uniqueness: Generate a new DKIM key for each subdomain.
  • DMARC Alignment: SPF/DKIM must align with the domain in the 'From' header for DMARC validation.

Key considerations

  • SPF Lookup Limit: SPF has a 10 DNS lookup limit that can be exceeded by using too many includes.

Expert view

Expert from Spam Resource, John Levine, explains that SPF has a 10 DNS lookup limit. When setting up SPF records, especially with multiple third-party senders, it's important to ensure your SPF record doesn't exceed this limit. Using too many includes can break SPF.

June 2021 - Spam Resource
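The lookup-limit advice above (consolidating includes, and John Levine's note that too many includes break SPF) is easiest to act on with a counter. The following is an added example, not code from any of the quoted sources: it parses an SPF record, checks the 'v=spf1' version tag and the trailing qualifier, and counts every term that costs a DNS query (include, a, mx, ptr, exists, redirect) recursively through the includes. The DNS map is constructed for offline use; a real check would resolve TXT records instead.

```python
import re

# Constructed stand-in for DNS TXT lookups (name -> SPF record); all values are made up.
FAKE_TXT = {
    "mail.example.com": "v=spf1 include:_spf.provider-a.example include:_spf.provider-b.example ip4:203.0.113.0/24 -all",
    "_spf.provider-a.example": "v=spf1 include:_netblocks.provider-a.example a mx -all",
    "_netblocks.provider-a.example": "v=spf1 ip4:198.51.100.0/24 -all",
    "_spf.provider-b.example": "v=spf1 ip4:192.0.2.0/24 ~all",
}

# Terms that each consume one of the 10 permitted DNS lookups (RFC 7208 section 4.6.4).
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")
TERM_RE = re.compile(r"^([+\-~?])?([a-z0-9]+)(?:[:=](.+))?$", re.I)


def parse_spf(record):
    """Split an SPF record into (qualifier, name, argument) terms; reject a bad version tag."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("record must start with v=spf1")
    terms = []
    for part in parts[1:]:
        m = TERM_RE.match(part)
        if not m:
            raise ValueError("unparseable term: %s" % part)
        terms.append((m.group(1) or "+", m.group(2).lower(), m.group(3)))
    return terms


def count_lookups(domain, resolve=FAKE_TXT.get, path=()):
    """Count DNS-querying terms in the record and in every include:/redirect= it references.

    `path` is the chain of domains being evaluated; revisiting one is an include loop,
    which RFC 7208 treats as a permanent error, so it contributes no further lookups here."""
    if domain in path:
        return 0
    record = resolve(domain)
    if record is None:  # provider record missing; nothing further to count
        return 0
    total = 0
    for _qual, name, arg in parse_spf(record):
        if name in LOOKUP_TERMS:
            total += 1
        if name in ("include", "redirect") and arg:
            total += count_lookups(arg, resolve, path + (domain,))
    return total


def check_spf(domain, resolve=FAKE_TXT.get):
    """Return (total_lookups, qualifier on 'all', within_limit) for a sending domain."""
    terms = parse_spf(resolve(domain))
    all_qual = next((q for q, n, _ in terms if n == "all"), None)
    lookups = count_lookups(domain, resolve)
    return lookups, all_qual, lookups <= 10
```

A missing 'all' qualifier or a '+all' shows up in the second tuple field, which is worth flagging alongside the lookup count when reviewing a provider-supplied record.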
Expert view

Expert from Email Geeks mentions DKIM setup is similar to SPF, but may involve a CNAME record.

November 2023 - Email Geeks
Expert view

Expert from Email Geeks shares an example of what an SPF record might look like, recommending including the ESP's SPF record in the sending domain's TXT record.

May 2024 - Email Geeks
Expert view

Expert from Word to the Wise, Steve Jones, answers that the SPF or DKIM needs to align with the domain mentioned in the 'From' header field for DMARC validation. This alignment is essential for passing DMARC checks, especially when using subdomains for sending.

December 2021 - Word to the Wise
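Steve Jones's alignment point, together with the earlier warning that providers often sign with their own domain, can be checked mechanically. This is an added example, not code from Word to the Wise: it implements RFC 7489 identifier alignment (strict vs relaxed, the latter comparing organizational domains) for the SPF MAIL FROM domain and the DKIM d= domain against the 'From' header domain, and builds the DNS name where a subdomain's DKIM key must be published for a given selector. The public-suffix set is a constructed stand-in for the real Public Suffix List.

```python
# Constructed, minimal stand-in for the Public Suffix List; a real check loads the full list.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}


def org_domain(domain):
    """Organizational domain: the label directly above the public suffix (RFC 7489 section 3.2)."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return domain.lower()


def aligned(from_domain, auth_domain, mode="r"):
    """Identifier alignment: 's' (strict) needs an exact match, 'r' (relaxed) the same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_result(from_domain, spf_pass_domain, dkim_pass_domain, aspf="r", adkim="r"):
    """Evaluate DMARC for one message.

    spf_pass_domain: MAIL FROM domain that passed SPF (None if SPF failed or was absent).
    dkim_pass_domain: d= of a DKIM signature that verified (None if none did).
    DMARC passes when at least one passing identifier is aligned with the From domain."""
    spf_ok = aligned(from_domain, spf_pass_domain, aspf)
    dkim_ok = aligned(from_domain, dkim_pass_domain, adkim)
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok, "dmarc_pass": spf_ok or dkim_ok}


def dkim_record_name(selector, domain):
    """DNS name of the DKIM public-key TXT record for this selector and sending (sub)domain."""
    return "%s._domainkey.%s" % (selector, domain)
```

The typical third-party setup in the thread (provider's own MAIL FROM domain, your subdomain in d=) passes DMARC through DKIM alone; if the provider also signs with its own domain, neither identifier aligns and the message fails.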
Expert view

Expert from Email Geeks shares that many providers sign with their own domains initially and highlights the importance of setting up your own authentication when possible, as almost all ESP mail is authenticated with SPF and DKIM by default.

January 2023 - Email Geeks
Expert view

Expert from Word to the Wise, Laura Atkins, answers that it's best practice to generate a new DKIM key for each subdomain. You should avoid reusing the same DKIM key across multiple subdomains, especially if these subdomains are used for distinctly different purposes or by different third-party services. Doing so can lead to issues with sender reputation and authentication.

August 2022 - Word to the Wise

What the documentation says
5 Technical articles

Setting up SPF and DKIM records for new subdomains using third-party email services involves creating TXT records in your DNS settings. The SPF record authorizes specific mail servers to send emails on behalf of your domain and should include the 'v=spf1' version tag, mechanisms to define authorized sources (e.g., 'include:' for third-party services), and a qualifier to handle unauthorized sources (e.g., '-all'). The DKIM record contains a public key for verifying email authenticity. For outbound email, the SPF record should be created at the domain level.

Key findings

  • Record Type: SPF and DKIM records are typically created as TXT records in your DNS settings.
  • SPF Syntax: SPF records should include 'v=spf1', authorized sending mechanisms (e.g., 'include:'), and a qualifier (e.g., '-all').
  • SPF Purpose: SPF authorizes specific mail servers to send emails on behalf of your domain.
  • DKIM Function: DKIM records contain a public key to verify email authenticity and prevent tampering.
  • Include Mechanism: The 'include:' mechanism is used to reference third-party email services in the SPF record.

Technical article

Documentation from RFC 7208 shares that SPF records should conform to the defined syntax, which includes a version, mechanisms and qualifiers. It details each mechanism for specifying authorized IPs and domains, as well as the recommended usage.

July 2024 - RFC Editor
Technical article

Documentation from Mailchimp explains that SPF records should be created as TXT records in your domain's DNS settings. The record must start with 'v=spf1' and include mechanisms to specify which mail servers are authorized to send emails for your domain. Common mechanisms are 'include:' for third-party services and 'ip4:' or 'ip6:' for specific IP addresses. Terminate the record with a qualifier like '-all' to indicate a hard fail for unauthorized sources.

December 2023 - Mailchimp
Technical article

Documentation from Microsoft says that for outbound email, you need to create an SPF TXT record in DNS at the domain level. This record lists all authorized sources of email for your domain. Use the 'include:' mechanism to reference third-party email services.

November 2023 - Microsoft
Technical article

Documentation from Cloudflare explains that to add SPF and DKIM records, you must create TXT records within your DNS settings. The SPF record specifies which mail servers are allowed to send emails on behalf of your domain, and the DKIM record contains a public key that receiving servers use to verify that incoming emails were indeed sent by your domain and haven't been tampered with.

December 2023 - Cloudflare
Technical article

Documentation from Google Workspace Admin Help explains that setting up an SPF record involves creating a TXT record in your DNS settings that authorizes specific mail servers to send emails on behalf of your domain. The record should include the 'v=spf1' version tag, followed by mechanisms (e.g., 'include:', 'a', 'mx', 'ip4:', 'ip6:') that define authorized sending sources, and terminated with a qualifier (e.g., '-all', '~all', '+all') to specify how to handle emails from unauthorized sources.

June 2024 - Google Workspace Admin Help