Should I add SPF records to both sender domain and envelope domain?

Summary

The overall consensus is that while SPF is a critical component for email authentication and deliverability, adding SPF records to both sender and envelope domains isn't always necessary. The key focus should be on SPF alignment, ensuring the domain in the 'header from' address matches the domain authorized by SPF. SPF authenticates the MAIL FROM identity, that is, the envelope sender. Experts recommend having separate SPF records for different subdomains used for sending emails to manage sending reputations effectively. They also emphasize the importance of properly configuring SPF records to prevent domain forging and improve email deliverability, enabling recipient servers to verify the authenticity of incoming emails. Caution should be taken regarding the number of DNS lookups, and SPF records should cover all sending domains.

Key findings

  • SPF Alignment is Key: Achieving SPF alignment (matching 'header from' and authorized SPF domains) is crucial for passing DMARC and ensuring email deliverability.
  • Separate SPF Records for Subdomains: Using individual SPF records for different subdomains is recommended for efficient management of sending reputations.
  • Configuration Prevents Forging: Properly configured SPF records prevent domain forging and improve email deliverability by allowing recipient servers to verify authenticity.
  • SPF Record Required: When setting up a new email sending domain, an SPF record is essential for proper delivery and to avoid spoofing.
  • MAIL FROM identity: SPF authenticates the MAIL FROM identity.

Key considerations

  • Focus on 'header from': The SPF record should primarily focus on aligning with the 'header from' address rather than solely the envelope domain.
  • Verify All (Sub)Domains: It is crucial to verify all domains and subdomains used for sending email to confirm the correctness of SPF records.
  • Beware DNS Lookup Limit: Be mindful of the number of DNS lookups in SPF records to prevent SPF failures.
  • Ensure DMARC Compliance: SPF is vital for DMARC compliance, which affects how recipient servers handle emails that fail authentication.
  • Microsoft 365: Pay special attention to SPF configuration when using Microsoft 365 to avoid deliverability issues.
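
The alignment point above can be made concrete. The following is an added example, not code from any of the cited sources: it shows which domain a receiver looks up for SPF and whether that domain aligns with the 'header from' domain for DMARC. All domains are constructed placeholders, and the organizational-domain rule is a simplification (real receivers use the Public Suffix List).

```python
# Added example. Assumption: the organizational domain is the last two labels.
# Real receivers use the Public Suffix List, so this is wrong for e.g. co.uk.
def org_domain(domain):
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def spf_checked_domain(mail_from, helo):
    """Domain whose SPF record the receiver queries (RFC 7208)."""
    # A null reverse-path (bounce) has no domain, so the HELO name is checked.
    if "@" not in mail_from:
        return helo.lower()
    return mail_from.rsplit("@", 1)[1].lower()

def dmarc_spf_aligned(mail_from, helo, header_from, spf_result, mode="relaxed"):
    """True only if SPF passed AND the checked domain aligns with header From."""
    if spf_result != "pass":
        return False
    checked = spf_checked_domain(mail_from, helo)
    from_domain = header_from.rsplit("@", 1)[1].lower()
    if mode == "strict":
        return checked == from_domain
    return org_domain(checked) == org_domain(from_domain)

# Constructed messages: (MAIL FROM, HELO, header From, SPF result).
SAMPLES = {
    "shared ESP bounce domain": (
        "b123@bounce.esp.example", "mta1.esp.example", "news@brand.example", "pass"),
    "custom return-path subdomain": (
        "b123@em.brand.example", "mta1.esp.example", "news@brand.example", "pass"),
    "same domain in both": (
        "news@brand.example", "mta1.esp.example", "news@brand.example", "pass"),
    "null sender (bounce)": (
        "", "mta1.esp.example", "postmaster@brand.example", "pass"),
}

def report(samples=SAMPLES):
    """Map each case to (domain SPF looked up, relaxed aligned, strict aligned)."""
    return {
        name: (spf_checked_domain(mf, helo),
               dmarc_spf_aligned(mf, helo, hf, res, "relaxed"),
               dmarc_spf_aligned(mf, helo, hf, res, "strict"))
        for name, (mf, helo, hf, res) in samples.items()
    }

if __name__ == "__main__":
    for name, row in report().items():
        print(f"{name:30} {row}")
```

In the first case SPF passes for the ESP's domain, yet an SPF record on brand.example would never be consulted and the message is not SPF-aligned.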

What email marketers say
12 marketer opinions

The consensus is that while SPF records are crucial for email authentication and deliverability, adding them to both sender and envelope domains isn't always necessary or recommended. The focus should be on ensuring SPF alignment, which means that the domain in the 'header from' address matches the domain authorized by SPF. For different subdomains used for sending emails, having separate SPF records is considered a good practice for managing sending reputations. It's also important to monitor the number of DNS lookups to prevent SPF failures. Properly configured SPF records help prevent spammers from forging your domain and improve email deliverability, as they allow recipient mail servers to verify that messages genuinely originate from your domain.

Key opinions

  • SPF Alignment is Key: SPF alignment (matching 'header from' and authorized SPF domains) is crucial for passing DMARC and ensuring email deliverability.
  • Separate SPF Records for Subdomains: Having individual SPF records for different subdomains used for sending email is a good practice for managing sending reputations.
  • Importance of SPF Configuration: Properly configured SPF records prevent domain forging and improve email deliverability by allowing recipient servers to verify the sender's authenticity.
  • Limit DNS Lookups: Be cautious of the number of DNS lookups in SPF records; exceeding the limit can cause SPF to fail.

Key considerations

  • Envelope vs. Header From: Focus on aligning the SPF record with the 'header from' address rather than solely the envelope domain.
  • Monitor Subdomains: Regularly verify all domains and subdomains used for sending email to ensure SPF records are properly configured.
  • Third-Party Services: If using third-party email services, ensure SPF records cover the subdomains they use for sending.
  • DMARC Impact: Understand that SPF, along with DKIM, impacts DMARC compliance, which affects how recipient servers handle emails that fail authentication checks.
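
The DNS lookup caution above refers to the limit of 10 DNS-querying terms per SPF evaluation in RFC 7208. As an added example (not from the cited sources), the sketch below counts those terms across nested includes; the zone data is constructed and stands in for real TXT answers, and per-`mx` name limits and void-lookup limits are not modelled.

```python
import re

LOOKUP_LIMIT = 10  # RFC 7208: terms that trigger DNS queries, per evaluation
QUERYING = {"include", "a", "mx", "ptr", "exists", "redirect"}

# Constructed TXT records for placeholder domains (assumption, not real DNS).
ZONE = {
    "brand.example": "v=spf1 mx include:_spf.esp.example "
                     "include:_spf.crm.example include:_spf.helpdesk.example ~all",
    "_spf.esp.example": "v=spf1 include:_a.esp.example include:_b.esp.example "
                        "include:_c.esp.example ~all",
    "_a.esp.example": "v=spf1 ip4:192.0.2.0/26 ~all",
    "_b.esp.example": "v=spf1 ip4:192.0.2.64/26 ~all",
    "_c.esp.example": "v=spf1 ip4:192.0.2.128/26 ~all",
    "_spf.crm.example": "v=spf1 a mx include:_spf.esp.example ~all",
    "_spf.helpdesk.example": "v=spf1 ip4:198.51.100.0/24 -all",
}

def count_lookups(domain, zone, stack=()):
    """Count DNS-querying terms reachable from the SPF record of `domain`."""
    if domain in stack:          # include loop: stop instead of recursing forever
        return 0
    total = 0
    for term in zone.get(domain, "").split()[1:]:   # skip the "v=spf1" tag
        m = re.match(r"([a-z0-9]+)(?:[:=]([^/]+))?", term.lstrip("+-~?").lower())
        if not m or m.group(1) not in QUERYING:
            continue             # ip4, ip6, all, exp= cost no lookup
        total += 1
        # include and redirect pull in another record, whose terms also count
        if m.group(1) in ("include", "redirect") and m.group(2):
            total += count_lookups(m.group(2), zone, stack + (domain,))
    return total

def exceeds_limit(domain, zone):
    return count_lookups(domain, zone) > LOOKUP_LIMIT

if __name__ == "__main__":
    for name in ("brand.example", "_spf.crm.example"):
        print(name, count_lookups(name, ZONE), exceeds_limit(name, ZONE))
```

The top-level record lists only four querying terms, but the nested includes bring the total for brand.example to 13, which a receiver would treat as a permanent error.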

Marketer view

Email marketer from DNS records emphasizes the need to verify all domains, and especially subdomains, to ensure accurate SPF implementation. Neglecting this can cause issues with email authentication and deliverability.

March 2022 - DNS records
Marketer view

Email marketer from Email Geeks says for the 'best of both worlds', ensure the domains in both (5322 and envelope) match exactly to have SPF covered in both.

June 2023 - Email Geeks
Marketer view

Email marketer from Email Geeks advises against cluttering the 5322 domain with needless DNS entries for SPF, as that's not where SPF is checked.

June 2023 - Email Geeks
Marketer view

Email marketer from Word to the Wise clarifies that you should be most concerned with SPF alignment, which means matching the domain in the 'header from' address with the domain authorized by SPF. This alignment is crucial for passing DMARC.

November 2023 - Word to the Wise
Marketer view

Email marketer from URIports explains the importance of SPF records for subdomains. They advise implementing SPF records for all subdomains that send email to ensure proper authentication and improve email deliverability.

November 2023 - URIports
Marketer view

Email marketer from EasyDMARC advises that having separate SPF records for different subdomains used for sending emails is a good practice. This helps in managing and isolating sending reputations. However, they also mention that you should not have multiple SPF records for the same domain.

September 2024 - EasyDMARC
Marketer view

Email marketer from AuthSMTP states that it's a best practice to have SPF records for any domain that sends email. This includes the main domain and any subdomains, especially those used by third-party email services.

July 2024 - AuthSMTP
Marketer view

Email marketer from Google Groups indicates that if you're sending emails from multiple domains or subdomains, each should have its own SPF record. They also advise being careful with the number of DNS lookups allowed by SPF, as exceeding the limit can cause SPF to fail.

November 2024 - Google Groups
Marketer view

Email marketer from StackOverflow responds, stating that adding the sending domain's SPF record is the correct method to cover all mail servers. In contrast, adding an SPF record to the envelope domain (Return-Path/MAIL FROM) is unnecessary because it doesn't affect message delivery, and only the mail server administrator can do it.

December 2023 - StackOverflow
Marketer view

Email marketer from Mailjet shares that SPF helps your recipients’ mail servers check to see if a message purporting to come from your domain really did come from you and not someone spoofing your address. By defining which mail servers are authorized to send from your domain, you reduce the chances of being a spam victim, helping ensure your emails make it to the inbox.

November 2021 - Mailjet
Marketer view

Email marketer from Reddit explains that the SPF record should primarily cover the domain used in the 'Mail From' address, and that DMARC uses this record in conjunction with DKIM to determine if the email is legitimate. Make sure your 'Mail From' domain is aligned with your 'Header From' domain for DMARC compliance.

November 2022 - Reddit
Marketer view

Email marketer from Mailhardener emphasises the importance of a properly configured SPF record to prevent spammers from forging your domain when sending emails. It contributes to your domain’s reputation and can significantly improve email deliverability.

April 2022 - Mailhardener

What the experts say
4 expert opinions

The experts generally agree that while SPF records are crucial for email authentication and deliverability, it's not always necessary to add them to both the sender and envelope domains. Older practices might suggest it, but modern advice emphasizes SPF alignment. Specifically, ensuring the domain in the 'header from' address matches the domain authorized by SPF is key for DMARC compliance. Gmail also doesn't display SPF results for the 5322.from domain, so an extra SPF record won't alter that. SPF is vital for preventing email spoofing and verifying the authenticity of emails, ultimately improving delivery rates.

Key opinions

  • SPF Alignment is Key: Matching the domain in the 'header from' address with the domain authorized by SPF is critical for DMARC compliance.
  • Older Guidance is Outdated: Adding SPF at the visible 'from' level, while historically practiced, is not considered necessary now.
  • SPF Prevents Spoofing: SPF is essential for verifying the authenticity of emails, preventing spoofing and improving overall email delivery.
  • Gmail GPT Behavior: Gmail doesn't show SPF results for the 5322.from domain in Google Postmaster Tools.

Key considerations

  • Focus on Alignment: Prioritize SPF alignment with the 'header from' domain to ensure DMARC compliance and prevent deliverability issues.
  • Ignore Useless Warnings: Ignore ESP warnings about missing SPF in the 'from' domain, as they are often irrelevant.
  • Check GPT Settings: To see SPF results in Google Postmaster Tools, ensure you add the envelope domain to GPT.
  • SPF is Required for Setup: If you're setting up a domain for email, make sure SPF is in place, as it is a critical factor for good delivery.

Expert view

Expert from Spam Resource explains that SPF is used to ensure that emails aren't spoofed and that email delivery is verified. If you are setting up a domain, SPF is required for good delivery.

July 2022 - Spam Resource
Expert view

Expert from Email Geeks clarifies that while older guidance might suggest adding SPF at the visible from level (due to Microsoft's historical practices), it's not necessary now. Some ESP tools may still issue warnings about the lack of SPF in the from domain, but these are often useless.

April 2023 - Email Geeks
Expert view

Expert from Word to the Wise clarifies that you should be most concerned with SPF alignment, which means matching the domain in the 'header from' address with the domain authorized by SPF. This alignment is crucial for passing DMARC.

May 2021 - Word to the Wise
Expert view

Expert from Email Geeks explains that Gmail won’t show an SPF result for the domain in the 5322.from, so an extra SPF record won’t help change that. To see the SPF results in GPT, you need to add the envelope domain to GPT.

May 2021 - Email Geeks

What the documentation says
4 technical articles

Documentation from RFC Editor, dmarcian, Microsoft, and Cloudflare indicates that SPF (Sender Policy Framework) is a DNS record that authenticates the MAIL FROM identity, also known as the envelope sender or Return-Path. It helps verify the sending mail server's authority and identifies legitimate emails, preventing spammers from forging 'from' addresses. SPF records should cover all domains used for sending email, including subdomains, to avoid deliverability issues, especially within platforms like Microsoft 365.

Key findings

  • SPF authenticates MAIL FROM: SPF authenticates the MAIL FROM identity (envelope sender/Return-Path).
  • Verifies Sending Authority: SPF verifies the authority of the sending mail server, preventing unauthorized use of the domain.
  • Prevents Forged Addresses: SPF helps prevent spammers from using forged 'from' addresses.
  • Covers All Sending Domains: SPF records should cover all domains used for sending email, including subdomains.

Key considerations

  • Subdomain Coverage: Ensure SPF records include subdomains used by marketing services or other email sending platforms.
  • Microsoft 365: Pay special attention to SPF configuration when using Microsoft 365 to avoid deliverability issues.
  • SMTP Transaction: SPF is used during the SMTP transaction to verify the sending server.
  • Legitimate Email: Implementing SPF helps receiving servers identify legitimate emails and filter out fraudulent ones.

Technical article

Documentation from Microsoft advises ensuring that the SPF record covers all domains used for sending email, including subdomains used by marketing services. It notes that neglecting this can lead to deliverability issues, especially if you're using Microsoft 365.

August 2024 - Microsoft
Technical article

Documentation from RFC Editor details that SPF (Sender Policy Framework) authenticates the MAIL FROM identity (also known as the envelope sender or Return-Path). It explains SPF's mechanism to permit sending hosts of a domain and is used during the SMTP transaction.

April 2022 - RFC Editor
Technical article

Documentation from dmarcian explains SPF's role in verifying the sending mail server’s authority to send emails on behalf of your domain, using the domain found in the 'MAIL FROM' or 'envelope from' address. This helps receiving servers identify legitimate emails and filter out fraudulent ones.

March 2023 - dmarcian
Technical article

Documentation from Cloudflare shares that the SPF (Sender Policy Framework) is a type of DNS record that identifies the mail servers authorized to send email on behalf of your domain. It helps prevent spammers from sending messages with forged 'from' addresses at your domain.

January 2022 - Cloudflare