How to configure SPF when sending from a subdomain with a different 'from' email domain?

Summary

Configuring SPF for subdomains with a different 'from' domain requires a multi-faceted approach. Each subdomain needs its own SPF record that explicitly authorizes mail servers sending on its behalf. The 'include:' mechanism is crucial for referencing the 'from' domain's SPF record and authorizing its servers. Ensuring proper SPF alignment with DMARC policies is essential, especially under strict DMARC settings. The Envelope From address, used for SPF checks, must also be correctly set. Regular monitoring, updates, and validation of SPF records are key to maintaining optimal email deliverability and preventing spoofing.

Key findings

  • SPF Required per Subdomain: An SPF record is required for each subdomain.
  • Importance of 'include:': The 'include:' mechanism is vital for authorizing the 'from' domain's mail servers within the subdomain's SPF record.
  • DMARC Alignment is Critical: Proper SPF alignment with DMARC policies is crucial for email deliverability.
  • Envelope From Matters: The Envelope From address plays a key role in SPF checks.

Key considerations

  • DMARC Enforcement: Be aware of DMARC policies, particularly an enforcing policy (p=reject) and strict alignment (aspf=s), and their impact on email delivery based on SPF alignment.
  • SPF Syntax: Ensure SPF record syntax is correct to prevent errors.
  • SPF Testing: Test SPF configuration to validate setup and detect deliverability problems.
  • Regular Maintenance: Regularly monitor and update SPF records to reflect changes in sending sources or domains.
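
The checks these findings describe, as an added example that is not code from the original page: a minimal SPF evaluator (ip4, include and all only) over constructed TXT records, plus the DMARC alignment test between the Envelope From domain and the 'From:' domain. The record contents, function names and the two-label organizational-domain shortcut are assumptions for illustration.

```python
import ipaddress

# Constructed TXT records standing in for DNS; names and addresses are
# documentation-reserved values, not taken from the page.
ZONE = {
    "mail.example.com": "v=spf1 ip4:192.0.2.0/24 include:example.net -all",
    "example.net": "v=spf1 ip4:198.51.100.7 -all",
}
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_check(domain, ip, zone=ZONE, budget=None):
    """Evaluate ip against domain's SPF record (ip4, include and all only)."""
    budget = [10] if budget is None else budget  # RFC 7208 lookup limit
    record = zone.get(domain.lower(), "")
    if not record.startswith("v=spf1"):
        return "none"
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in RESULT else "+"
        mech = term.lstrip("+-~?")
        if mech.startswith("ip4:"):
            net = ipaddress.ip_network(mech[4:], strict=False)
            hit = ipaddress.ip_address(ip) in net
        elif mech.startswith("include:"):
            budget[0] -= 1
            inner = spf_check(mech[8:], ip, zone, budget) if budget[0] >= 0 else "permerror"
            if inner in ("none", "permerror"):
                return "permerror"  # a broken include invalidates the record
            hit = inner == "pass"
        else:
            hit = mech == "all"  # other mechanisms are outside this sketch
        if hit:
            return RESULT[qualifier]
    return "neutral"

def org_domain(domain):
    # Assumption: last two labels; real receivers use the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def spf_aligned(mail_from, header_from, aspf="r"):
    """DMARC alignment: exact match if aspf=s, same org domain if aspf=r."""
    a, b = mail_from.lower(), header_from.lower()
    return a == b if aspf == "s" else org_domain(a) == org_domain(b)

def dmarc_spf_pass(mail_from, header_from, ip, aspf="r"):
    """SPF counts toward DMARC only when it passes AND the domains align."""
    return spf_check(mail_from, ip) == "pass" and spf_aligned(mail_from, header_from, aspf)
```

With these records, a message whose Envelope From is mail.example.com and whose 'From:' is example.net passes SPF through the include but still fails DMARC's SPF alignment, because the two domains belong to different organizational domains.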

What email marketers say
11 Marketer opinions

When sending emails from a subdomain with a 'from' address using a different domain, configuring SPF involves creating an SPF record for the subdomain that authorizes the servers used by the 'from' domain. This is commonly achieved using the 'include:' mechanism in the subdomain's SPF record, which references the 'from' domain's SPF record. It's important to also ensure SPF alignment is properly configured, particularly within DMARC settings, to avoid deliverability issues. Monitoring and updating SPF records is essential for maintaining optimal email deliverability.

Key opinions

  • SPF Record Required: Each subdomain must have its own SPF record.
  • Include Mechanism: Use the 'include:' mechanism in the subdomain's SPF record to authorize the 'from' domain's mail servers.
  • DMARC Alignment: Ensure SPF alignment is configured correctly within DMARC policies to prevent deliverability issues, particularly with strict DMARC policies.
  • Dedicated SPF: Create specific SPF records for each subdomain, including the IP addresses of authorized servers.

Key considerations

  • SPF Syntax: Ensure proper SPF syntax to avoid errors. Use tools to validate your SPF records.
  • DMARC Settings: Review DMARC settings to ensure they align with your SPF configuration, particularly 'aspf=s' which enforces strict alignment.
  • Monitoring: Regularly monitor SPF records and DMARC reports to identify and address any deliverability issues.
  • Authorization: Confirm mail servers are properly authorized to prevent deliverability issues.

Marketer view

Email marketer from EasyDMARC recommends creating specific SPF records for each subdomain, including the IP addresses of the servers authorized to send email from that subdomain. If the subdomain is only used for sending emails, its SPF record should authorize those specific servers; if it interacts with other domains, additional 'include:' statements may be needed to incorporate their SPF records.

April 2021 - EasyDMARC
Marketer view

Email marketer from Mailjet suggests that the SPF record for the subdomain should include the IP addresses or domain names of the servers that are sending the email. If the 'from' domain's mail server is different, you can use the 'include:' mechanism in your SPF record to reference the 'from' domain's SPF record.

September 2023 - Mailjet
Marketer view

Email marketer from Reddit shares that if you're sending from a subdomain (e.g., mail.example.com) but the 'from' address is @example.com, the SPF record for mail.example.com needs to include the mail servers authorized to send for example.com. Use 'include:example.com' in the subdomain's SPF record.

December 2022 - Reddit
Marketer view

Email marketer from SendGrid explains that when sending from a subdomain with a different 'from' email domain, the SPF record for the subdomain must include the servers authorized to send email for the 'from' domain. The recommended approach is to use the 'include:' mechanism in the subdomain's SPF record, referencing the domain's SPF record. This ensures that email providers can verify the email's authenticity and improve deliverability.

January 2022 - SendGrid
Marketer view

Email marketer from Email Geeks shares that problems may arise if a provider takes SPF pass/fail results seriously, or if there are DMARC p=reject settings with strict alignment in place combined with DKIM issues. He suggests debugging using email headers and DMARC aggregate reports.

May 2023 - Email Geeks
Marketer view

Email marketer from StackOverflow suggests that you need to create a separate SPF record for the subdomain specifying which servers are allowed to send email on its behalf. You might need to include the main domain's mail servers in the subdomain's SPF record, or vice versa, depending on your setup.

May 2021 - StackOverflow
Marketer view

Email marketer from Email Geeks advises checking for the "aspf=s" tag in your DMARC record, as this forces strict alignment of your Return-Path and From address, which can cause issues with a setup using different subdomains and domains.

April 2021 - Email Geeks
Marketer view

Email marketer from EmailGeeks Forum explains that the SPF record should allow sending on behalf of both the subdomain and the 'from' domain. He suggests that it's important to ensure SPF alignment is properly configured to prevent deliverability issues and that the envelope from address (used for SPF checks) is correctly set.

April 2022 - EmailGeeks Forum
Marketer view

Email marketer from SparkPost shares that if the 'from' address uses a different domain than the sending subdomain, you'll need to ensure your SPF record for the sending subdomain includes the servers authorized to send email for the 'from' address domain. This often involves using the 'include:' mechanism in your SPF record.

August 2021 - SparkPost
Marketer view

Email marketer from AuthSMTP explains that you'll need to ensure your subdomain's SPF record authorizes the mail servers used by the 'from' email's domain. Using the 'include:' mechanism within the subdomain's SPF record to reference the authorized domain's SPF record will allow for validation.

October 2024 - AuthSMTP
Marketer view

Email marketer from Postmark states that configuring SPF for subdomains involves explicitly authorizing the servers sending mail from those subdomains. If the 'from' address uses a different domain, ensure the subdomain's SPF record includes the necessary 'include:' statements to authorize those servers. Regular monitoring and updates are essential to maintain email deliverability.

May 2022 - Postmark

What the experts say
4 Expert opinions

Configuring SPF for subdomains when the 'from' address uses a different domain requires specific attention to SPF records and DMARC alignment. An SPF record is necessary for each subdomain, and it should authorize the 'from' domain's mail servers, typically using the 'include:' mechanism. The domain in the Envelope From address is the domain SPF is checked against. Additionally, ensuring correct SPF alignment within DMARC policies, especially with strict policies, is crucial for preventing deliverability problems.

Key opinions

  • SPF Required per Subdomain: SPF is required for each subdomain.
  • Envelope From Importance: The Envelope From address dictates the SPF domain, making correct SPF setup essential.
  • Include Mechanism for Authorization: Utilizing the 'include:' mechanism in the subdomain's SPF record authorizes the 'from' domain's mail servers.
  • DMARC Alignment Critical: Proper SPF alignment within DMARC policies is crucial for avoiding deliverability issues.

Key considerations

  • DKIM Configuration: While SPF is required per subdomain, DKIM can be configured with either a shared domain or a key for each subdomain.
  • DMARC Policy: The DMARC policy, especially an enforcing policy (p=reject) with strict alignment, significantly impacts deliverability based on SPF alignment.
  • Subdomain Scope: DMARC/BIMI cascade to all subdomains from the organization domain level.
  • SPF Record Updates: Regularly review and update SPF records to reflect any changes in sending sources or domains.

Expert view

Expert from Email Geeks explains that SPF is required for each subdomain, while DKIM can use a shared domain or a key for each subdomain. He also mentions that DMARC/BIMI cascade to all subdomains from the organization domain level.

August 2022 - Email Geeks
Expert view

Expert from Word to the Wise suggests that, in addition to configuring the SPF records themselves, ensure SPF alignment within DMARC policies is correct. If your DMARC policy is set to 'strict,' and your subdomain's SPF record doesn't align perfectly with the 'from' domain, you may encounter deliverability issues.

March 2023 - Word to the Wise
Expert view

Expert from Email Geeks clarifies that the Envelope From is the SPF domain, so SPF needs to be set up for whatever that is.

January 2023 - Email Geeks
Expert view

Expert from Spam Resource explains that when configuring SPF for a subdomain sending email with a 'from' address on a different domain, the subdomain's SPF record must include the other domain as an authorized sender. This is usually achieved by using the 'include:' mechanism to reference the other domain's SPF record.

June 2024 - Spam Resource

What the documentation says
4 Technical articles

When sending email from a subdomain, each subdomain requires its own SPF record. This SPF record must explicitly authorize all mail servers permitted to send emails on behalf of the subdomain. Properly configuring these records is crucial for preventing spoofing, improving email deliverability, and ensuring alignment with DMARC policies, which require consistency between the 'HELO' or 'MAIL FROM' domain and the 'From:' header.

Key findings

  • SPF Per Subdomain: Each subdomain needs its own SPF record.
  • Explicit Authorization: The SPF record must explicitly list authorized mail servers.
  • Spoofing Prevention: Proper SPF configuration prevents email spoofing.
  • DMARC Alignment: SPF must align with DMARC policies, verifying domain consistency.

Key considerations

  • Record Accuracy: Ensure SPF records accurately reflect all authorized sending sources.
  • Regular Updates: Regularly update SPF records to accommodate changes in mail server configurations.
  • Syntax Validation: Validate SPF record syntax to prevent errors that could impact deliverability.
  • Impact of DMARC: Understand how DMARC policies affect SPF validation and overall email authentication.

Technical article

Documentation from Cloudflare explains that an SPF record should be created that explicitly states which IP addresses or hostnames are permitted to send emails on behalf of your domain or subdomain. Properly configuring this record will help prevent spoofing and improve email deliverability.

August 2023 - Cloudflare
Technical article

Documentation from Google Workspace Admin Help explains that when sending email from a subdomain, the SPF record must be set up for that specific subdomain. The SPF record should authorize the mail servers that are allowed to send email on behalf of the subdomain.

August 2021 - Google Workspace Admin Help
Technical article

Documentation from Microsoft Learn explains that you must create an SPF record for each domain and subdomain you send mail from. This record should explicitly list all authorized sending sources for that (sub)domain, ensuring that mail servers can verify the authenticity of emails originating from the specified domain.

January 2023 - Microsoft Learn
Technical article

Documentation from DMARC.org explains that SPF, in conjunction with DMARC, requires that the domain in the 'HELO' or 'MAIL FROM' command (the envelope sender) matches the domain in the 'From:' header. If you are using a subdomain, the SPF record for that subdomain must authorize the sending server, and DMARC will verify that this is aligned with the 'From:' domain.

January 2022 - DMARC.org