How to configure SPF when sending from a subdomain with a different 'from' email domain?
Summary
What email marketers say (11 marketer opinions)
Email marketer from EasyDMARC recommends creating specific SPF records for each subdomain, including the IP addresses of the servers authorized to send email from that subdomain. If the subdomain is only used for sending emails, its SPF record should authorize those specific servers; if it interacts with other domains, additional 'include:' statements may be needed to incorporate their SPF records.
Email marketer from Mailjet suggests that the SPF record for the subdomain should include the IP addresses or domain names of the servers that are sending the email. If the 'from' domain's mail server is different, you can use the 'include:' mechanism in your SPF record to reference the 'from' domain's SPF record.
Email marketer from Reddit shares that if you're sending from a subdomain (e.g., mail.example.com) but the 'from' address is @example.com, the SPF record for mail.example.com needs to include the mail servers authorized to send for example.com. Use 'include:example.com' in the subdomain's SPF record.
Email marketer from SendGrid explains that when sending from a subdomain with a different 'from' email domain, the SPF record for the subdomain must include the servers authorized to send email for the 'from' domain. The recommended approach is to use the 'include:' mechanism in the subdomain's SPF record, referencing the domain's SPF record. This ensures that email providers can verify the email's authenticity and improves deliverability.
Email marketer from Email Geeks shares that problems may arise if a provider takes SPF pass/fail results seriously, or if DMARC p=reject with strict alignment is in place combined with DKIM issues. He suggests debugging using email headers and DMARC aggregate reports.
Email marketer from StackOverflow suggests that you need to create a separate SPF record for the subdomain specifying which servers are allowed to send email on its behalf. You might need to include the main domain's mail servers in the subdomain's SPF record, or vice versa, depending on your setup.
Email marketer from Email Geeks advises checking for the "aspf=s" tag in your DMARC record, as this forces strict alignment of your Return-Path and From address, which can cause issues with a setup using different subdomains and domains.
Email marketer from EmailGeeks Forum explains that the SPF record should allow sending on behalf of both the subdomain and the 'from' domain. He suggests that it's important to ensure SPF alignment is properly configured to prevent deliverability issues and that the envelope from address (used for SPF checks) is correctly set.
Email marketer from SparkPost shares that if the 'from' address uses a different domain than the sending subdomain, you'll need to ensure your SPF record for the sending subdomain includes the servers authorized to send email for the 'from' address domain. This often involves using the 'include:' mechanism in your SPF record.
Email marketer from AuthSMTP explains that you'll need to ensure your subdomain's SPF record authorizes the mail servers used by the 'from' email's domain. Using the 'include:' mechanism within the subdomain's SPF record to reference the authorized domain's SPF record will allow for validation.
Email marketer from Postmark states that configuring SPF for subdomains involves explicitly authorizing the servers sending mail from those subdomains. If the 'from' address uses a different domain, ensure the subdomain's SPF record includes the necessary 'include:' statements to authorize those servers. Regular monitoring and updates are essential to maintain email deliverability.
What the experts say (4 expert opinions)
Expert from Email Geeks explains that SPF is required for each subdomain, while DKIM can use a shared domain or a key for each subdomain. He also mentions that DMARC/BIMI cascade to all subdomains from the organization domain level.
Expert from Word to the Wise suggests that, in addition to configuring the SPF records themselves, ensure SPF alignment within DMARC policies is correct. If your DMARC policy is set to 'strict,' and your subdomain's SPF record doesn't align perfectly with the 'from' domain, you may encounter deliverability issues.
Expert from Email Geeks clarifies that the Envelope From is the SPF domain, so SPF needs to be set up for whatever that is.
Expert from Spam Resource explains that when configuring SPF for a subdomain sending email with a 'from' address on a different domain, the subdomain's SPF record must include the other domain as an authorized sender. This is usually achieved by using the 'include:' mechanism to reference the other domain's SPF record.
What the documentation says (4 technical articles)
Documentation from Cloudflare explains that an SPF record should be created that explicitly states which IP addresses or hostnames are permitted to send emails on behalf of your domain or subdomain. Properly configuring this record will help prevent spoofing and improve email deliverability.
Documentation from Google Workspace Admin Help explains that when sending email from a subdomain, the SPF record must be set up for that specific subdomain. The SPF record should authorize the mail servers that are allowed to send email on behalf of the subdomain.
Documentation from Microsoft Learn explains that you must create an SPF record for each domain and subdomain you send mail from. This record should explicitly list all authorized sending sources for that (sub)domain, ensuring that mail servers can verify the authenticity of emails originating from the specified domain.
Documentation from DMARC.org explains that SPF, in conjunction with DMARC, requires that the domain in the 'HELO' or 'MAIL FROM' command (the envelope sender) matches the domain in the 'From:' header. If you are using a subdomain, the SPF record for that subdomain must authorize the sending server, and DMARC will verify that this is aligned with the 'From:' domain.
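
The alignment rule that several of the entries above refer to (envelope sender on a subdomain, 'From:' on the parent domain, and the DMARC 'aspf' tag), as an added example that is not taken from any of the cited sources. The domains and DMARC records are constructed sample values, and the two-entry suffix set is an assumed stand-in for the Public Suffix List.

```python
# Added example: does an SPF pass count toward DMARC when the envelope sender
# (Return-Path / MAIL FROM) is on a subdomain and the From: header is not?
# All addresses and records used with these functions are constructed samples.

# Assumption: tiny stand-in for the Public Suffix List, enough for the samples.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au"}

def org_domain(domain):
    """Return the organizational domain (registrable part) of a hostname."""
    labels = domain.lower().rstrip(".").split(".")
    keep = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])

def parse_tags(record):
    """Parse a DMARC record such as 'v=DMARC1; p=reject; aspf=s' into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def spf_aligned(envelope_from, header_from, dmarc_record):
    """Apply the aspf mode: 's' needs an exact domain match, 'r' (the default)
    only needs both domains to share one organizational domain."""
    mode = parse_tags(dmarc_record).get("aspf", "r").lower()
    env = envelope_from.rsplit("@", 1)[-1].lower()
    hdr = header_from.rsplit("@", 1)[-1].lower()
    if mode == "s":
        return env == hdr
    return org_domain(env) == org_domain(hdr)

def dmarc_spf_ok(spf_result, envelope_from, header_from, dmarc_record):
    """SPF contributes to a DMARC pass only if it passes AND is aligned."""
    return spf_result == "pass" and spf_aligned(envelope_from, header_from, dmarc_record)
```

With a bounce address at mail.example.com and a 'From:' at example.com, an SPF pass is aligned under the default relaxed mode but not under aspf=s, in which case DMARC depends on an aligned DKIM signature.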