How do I set up SPF and DKIM records for new subdomains when using third-party email services?
Summary
What email marketers say (12 marketer opinions)
Email marketer from Sendgrid answers that DNS records should be added at the domain/subdomain name servers or hosting provider.
Email marketer from MXToolbox explains that the DKIM record goes into your DNS as a TXT record under a specific selector name provided by your email service. Verify the selector with the email service provider.
Email marketer from Email Geeks explains that SPF is relevant when providers use your domain in the MAIL FROM domain. If they don't, they may not provide an SPF record.
Email marketer from dmarcian answers that SPF is used to authorize sending sources for a domain, preventing spoofing and improving email deliverability.
Email marketer from Email on Acid shares that setting up SPF and DKIM records involves obtaining the correct values from your email service provider and then adding them as DNS records for your domain. Specifically, SPF records are added as TXT records, while DKIM often involves TXT or CNAME records.
Email marketer from Stackoverflow responds that when using a third-party email service, ensure they provide the necessary DKIM key. You will add this as a TXT record to your subdomain's DNS settings. After adding the DKIM record, use the validation tools from your provider to confirm it's correctly set up.
Email marketer from Reddit advises that the third-party email service should provide you with the DKIM record that you need to add to your DNS. They emphasize that you shouldn't try to generate it yourself.
Email marketer from Email Geeks confirms that providers should supply SPF and DKIM records. She explains that after obtaining the records, you add them to your web host and then validate them within the service.
Email marketer from AuthSMTP responds that you should generate a new DKIM record for the subdomain and publish it to the subdomain's DNS zone rather than the parent domain.
Email marketer from DigitalOcean community shares that, to include multiple third-party services in your SPF record, use the 'include:' mechanism for each service. Ensure that your record does not exceed the 10 DNS lookup limit.
Email marketer from Email Geeks explains that providers might be signing emails with their own DKIM key and recommends asking if using your own DKIM is necessary, especially with shared infrastructure.
Email marketer from EmailGeekForum explains that when using multiple email services, update your SPF record to include all authorized senders. Use the 'include:' mechanism for each provider (e.g., 'include:mailgun.org include:sendgrid.net'). Consolidate these into a single SPF record to avoid exceeding the DNS lookup limit.
What the experts say (6 expert opinions)
Expert from Spam Resource, John Levine, explains that SPF has a 10 DNS lookup limit. When setting up SPF records, especially with multiple third-party senders, it's important to ensure your SPF record doesn't exceed this limit. Using too many includes can break SPF.
Expert from Email Geeks mentions DKIM setup is similar to SPF, but may involve a CNAME record.
Expert from Email Geeks shares an example of what an SPF record might look like, recommending that the ESP's SPF record be included in the sending domain's TXT record.
Expert from Word to the Wise, Steve Jones, answers that the SPF or DKIM needs to align with the domain mentioned in the 'From' header field for DMARC validation. This alignment is essential for passing DMARC checks, especially when using subdomains for sending.
Expert from Email Geeks shares that many providers sign with their own domains initially and highlights the importance of setting up your own authentication when possible, as almost all ESP mail is authenticated with SPF and DKIM by default.
Expert from Word to the Wise, Laura Atkins, answers that it's best practice to generate a new DKIM key for each subdomain. You should avoid reusing the same DKIM key across multiple subdomains, especially if these subdomains are used for distinctly different purposes or by different third-party services. Doing so can lead to issues with sender reputation and authentication.
What the documentation says (5 technical articles)
Documentation from RFC 7208 shares that SPF records should conform to the defined syntax, which includes a version, mechanisms and qualifiers. It details each mechanism for specifying authorized IPs and domains, as well as the recommended usage.
Documentation from Mailchimp explains that SPF records should be created as TXT records in your domain's DNS settings. The record must start with 'v=spf1' and include mechanisms to specify which mail servers are authorized to send emails for your domain. Common mechanisms are 'include:' for third-party services and 'ip4:' or 'ip6:' for specific IP addresses. Terminate the record with a qualifier like '-all' to indicate a hard fail for unauthorized sources.
Documentation from Microsoft says that for outbound email, you need to create an SPF TXT record in DNS at the domain level. This record lists all authorized sources of email for your domain. Use the 'include:' mechanism to reference third-party email services.
Documentation from Cloudflare explains that to add SPF and DKIM records, you must create TXT records within your DNS settings. The SPF record specifies which mail servers are allowed to send emails on behalf of your domain, and the DKIM record contains a public key that receiving servers use to verify that incoming emails were indeed sent by your domain and haven't been tampered with.
Documentation from Google Workspace Admin Help explains that setting up an SPF record involves creating a TXT record in your DNS settings that authorizes specific mail servers to send emails on behalf of your domain. The record should include the 'v=spf1' version tag, followed by mechanisms (e.g., 'include:', 'a', 'mx', 'ip4:', 'ip6:') that define authorized sending sources, and terminated with a qualifier (e.g., '-all', '~all', '+all') to specify how to handle emails from unauthorized sources.