Suped

When are separate SPF records needed for a domain and its subdomains?

9 Marketer opinions4 Expert opinions6 Technical articles2 Resources

Summary

The consensus from experts and marketers is that each (sub)domain requires its own SPF record if it sends email. While only one SPF TXT record is permitted per domain, you can authorize multiple sending sources using mechanisms like 'include:'. Subdomains sending emails through different mail servers, ESPs, or with different sending policies than the primary domain necessitate separate SPF records. If a subdomain solely receives emails, an SPF record is not strictly needed but is recommended as a security measure against misuse. When configuring SPF records, be mindful of the limit on 'include:' mechanisms and specific platform requirements, like prioritizing DKIM for Mailchimp. If corporate email is hosted with Gmail, use '@ include:google' on the main domain's record.

Key findings

  • Independent Sending Requires SPF: If a subdomain sends email independently of the main domain, it needs a separate SPF record.
  • Different Servers, Different SPF: Subdomains using different mail servers or ESPs need their own SPF records.
  • One SPF Record Rule: Each (sub)domain can only have one SPF TXT record.
  • SPF Not Always Needed: If a subdomain only receives email, an SPF record isn't required.
  • Prevent Misuse with SPF: Implementing a restrictive SPF record can prevent abuse on subdomains that don't send emails.
  • Multiple Sources via Include: Multiple sending sources can be authorized within a single SPF record using 'include:' and other mechanisms.
  • Mailchimp and DKIM: For Mailchimp, DKIM is often recommended over SPF.

Key considerations

  • Identify Sending Sources: Accurately identify all authorized sending sources for each domain and subdomain.
  • Combine records: Combine all sending sources into a single SPF record using include mechanics, for each domain.
  • Evaluate Sending Policies: Check if subdomains have differing sending policies or requirements.
  • SPF record for protection: Implement SPF record even if the subdomain is not in use for sending any mail, as a security measure.
  • SPF limitations: Be aware of the limitations of SPF such as how many lookups can be performed.
  • Corporate Hosting Setup: Use '@ include:google' at the main domain level for Gmail-hosted corporate email.
  • Monitor Subdomain Activity: Keep track of which subdomains send mail and update SPF records accordingly.

What email marketers say
9Marketer opinions

Separate SPF records for subdomains are needed when those subdomains send email independently from the main domain, especially if they use different mail servers or sending policies. A single SPF record is required per (sub)domain, and it must include all authorized sending sources. If a subdomain doesn't send email, an SPF record is generally not required, but one can be set up to prevent potential misuse. It's important to be aware of the limitations on the number of 'include' mechanisms within an SPF record.

Key opinions

  • Independent Sending: Subdomains sending independently require separate SPF records.
  • Different Servers: Different mail servers or sending policies necessitate separate SPF records.
  • One SPF Record: Each (sub)domain can only have one SPF record.
  • No Sending, No SPF: If a subdomain doesn't send mail, an SPF record isn't strictly required but is recommended as a security measure.
  • Include Limits: Be aware of the limits on the number of 'include' mechanisms.

Key considerations

  • Sending Source: Identify all email sending sources for each (sub)domain.
  • Combine Records: Combine sending sources into a single SPF record for each domain.
  • Security: Even if a subdomain doesn't send email, consider adding a restrictive SPF record.
  • Policy Differences: Determine if subdomains have different email sending policies.
  • DMARC Considerations: Ensure SPF alignment is correctly configured if using DMARC.
Marketer view

Email marketer from Mailjet explains that subdomains may require separate SPF records if they send email independently from the main domain. This is especially important if different servers or services are used to send emails from the subdomain.

June 2021 - Mailjet
Marketer view

Email marketer from Stack Overflow mentions that each subdomain requires it's own SPF record if the IP's it sends mail from is different from the main domain.

May 2023 - Stack Overflow
Marketer view

Email marketer from EasyDMARC shares that you need separate SPF records when subdomains send emails through different mail servers or have different email sending policies than the primary domain.

June 2022 - EasyDMARC
Marketer view

Email marketer from Stack Overflow answers that if the subdomain sends e-mail on behalf of a different entity then it needs to authorize this entity in a SPF record. In turn the SPF record of the subdomain is completely separate from the root domain's SPF record.

July 2021 - Stack Overflow
Marketer view

Email marketer from AuthSMTP explains you can't have multiple SPF records for a domain or subdomain. To include multiple sending servers or services, you need to combine them into a single SPF record.

July 2021 - AuthSMTP
Marketer view

Email marketer from Super User explains that if you delegate a subdomain to a third party, or if you use different mail servers for different (sub)domains, you need to set up distinct SPF records for each (sub)domain.

December 2021 - Super User
Marketer view

Email marketer from Reddit explains If you're sending mail from a subdomain that uses different mail servers or services than your main domain, then yes, you'll need a separate SPF record for that subdomain.

October 2023 - Reddit
Marketer view

Email marketer from Reddit explains that you only need SPF records for subdomains if they are actually sending emails. If the subdomain is not used to send emails, then an SPF record isn't required.

February 2024 - Reddit
Marketer view

Email marketer from Email Geeks explains that the first line has the include pointing to the sub-domain. When the receiver's server checks the SPF record of the main domain, it will see the include and "follow" it. Then it will see the Google SPF record, and maybe your mandrill record as well if you add it there. He also mentions there's a limit to how many includes will be performed.

August 2024 - Email Geeks

What the experts say
4Expert opinions

Separate SPF records are needed for subdomains when they operate mail servers different from the main domain. Each domain or subdomain that sends mail should have its own SPF record. If a subdomain doesn't send mail, it may not need an SPF record, but creating a restrictive one can prevent abuse. Some platforms might allow setting an envelope domain, requiring an SPF record for the subdomain. For services like Mailchimp, SPF might not be necessary, and setting up a branded DKIM is recommended.

Key opinions

  • Different Mail Servers: Separate SPF records are needed for subdomains using different mail servers.
  • Each Sending Domain Needs SPF: Each domain or subdomain that sends mail needs an SPF record.
  • Non-Sending Subdomains: Subdomains that don't send mail may not need an SPF record.
  • Envelope Domain: Some platforms let you set an envelope domain, requiring SPF for the subdomain.
  • Mailchimp Recommendation: For Mailchimp, branded DKIM is recommended over SPF.

Key considerations

  • Corporate Email Hosting: If corporate email is hosted on Gmail, use '@ include:google' at the main domain.
  • Restrictive SPF: Consider a restrictive SPF record for subdomains that don't send mail to prevent abuse.
  • Platform-Specific Needs: Understand the specific SPF/DKIM needs of your email sending platforms.
  • Monitor Sending Practices: Track which subdomains are actively sending emails.
Expert view

Expert from Email Geeks explains that some ESPs/mail platforms allow a sender to set their own Envelope domain which then requires an SPF record for the subdomain. Last he checked Mailchimp sets the sender from as one of their domains so SPF is likely not needed anyway and to just setup a branded DKIM.

August 2021 - Email Geeks
Expert view

Expert from Email Geeks explains each domain/subdomain needs its own SPF record. He also states that if corporate email is hosted at gmail then you likely need "@ include:google" instead of at the subdomain level.

June 2024 - Email Geeks
Expert view

Expert from Word to the Wise states that any domain name that sends mail needs an SPF record, so if your subdomains send mail, then yes, they need SPF records.

December 2021 - Word to the Wise
Expert view

Expert from Spam Resource explains that if you operate mail servers for subdomains that are different from the main domain's servers, then each subdomain needs its own SPF record. If your subdomains don't send mail, they don't need one. Some people suggest creating a restrictive SPF record to prevent abuse.

December 2022 - Spam Resource

What the documentation says
6Technical articles

Documentation generally agrees that each (sub)domain needs its own SPF record if it sends email. While a domain can only have one SPF record, multiple sending sources can be authorized using mechanisms like 'include:'. Subdomains that send bulk emails often require their own SPF record. If a subdomain only receives email, it doesn't need an SPF record, though configuring one to prevent misuse is advised.

Key findings

  • One SPF Record Per Domain: Each domain/subdomain can have only one SPF TXT record.
  • Authorize Multiple Sources: Multiple sending sources can be authorized using 'include:' and other mechanisms.
  • Bulk Email From Subdomains: Subdomains sending bulk emails typically need a separate SPF record.
  • Receiving Only: If a subdomain only receives email, an SPF record is not strictly required.
  • Prevent Misuse: Configuring an SPF record for non-sending subdomains can prevent potential misuse.
  • Independent Sending: Subdomains sending independently require separate SPF records.

Key considerations

  • Identify Sending Sources: Determine all authorized sending sources for each domain/subdomain.
  • Record Configuration: Configure SPF records to accurately reflect authorized sending sources.
  • Bulk Email Practices: Consider SPF needs when sending bulk emails from subdomains.
  • Security Posture: Weigh the benefits of setting up a restrictive SPF record for non-sending subdomains.
  • Review Existing SPF: Review the RFC standard for specifics
Technical article

Documentation from RFC 7208, which defines the SPF standard, states that each domain name can have only one SPF record and explains the mechanisms (like `include`, `a`, `mx`, `ip4`, `ip6`) for specifying authorized sending sources. It implicitly suggests separate records for subdomains if policies differ.

March 2022 - RFC Editor
Technical article

Documentation from DMARC Analyzer explains if the subdomain is only being used for receiving emails, it does not need an SPF record.

May 2024 - DMARC Analyzer
Technical article

Documentation from Spamhaus explains that subdomains that send email independently from the main domain should have their own SPF records. If a subdomain doesn't send email, an SPF record is not required, but should configure one to prevent misuse.

October 2022 - Spamhaus
Technical article

Documentation from Microsoft states that if you use a subdomain to send bulk emails, you must add a separate SPF record for the subdomain.

November 2024 - Microsoft
Technical article

Documentation from IONOS explains that each (sub)domain requires its own SPF record. They are independent of each other, and you should define an SPF record for all (sub)domains from which you send emails.

November 2022 - IONOS
Technical article

Documentation from Google Workspace Admin Help explains that while you can only have one SPF TXT record for a domain, you can authorize multiple servers/domains to send email on behalf of your domain by including them in the single SPF record using the `include:` mechanism.

July 2021 - Google Workspace Admin Help

Related resources
2Resources

SPF and Subdomains - Collaboration - Spiceworks Community
SPF and Subdomains - Collaboration - Spiceworks Community

We do have a SPF record in place but as we now have a mailer on a separate IP and A record, our SPF will not cover that. I read about it and apparently you have to have another SPF record for that subdomain. Let’s suppose I have: domain.com. IN TXT “v=spf1 mx ptr ip4: xxx.xxx.xx .250/32 ip4: xxx.xxx.xx .34/32 ip4: xxx.xxx.xx .80/32 ip4:xxx.xxx.xx.16/32 a web.domain.com ~all” Will that ‘IN’ cover domain.com and also subdomain.domain.com? Or will I need an A record for the subdomain.domain.com ...

Spiceworks Community
DNS - SPF for two mail servers inc sub-domain - DNS & Network ...
DNS - SPF for two mail servers inc sub-domain - DNS & Network ...

Hi all, I wonder if someone can shed some light on this please. I have a domain @domain.com that uses iCloud+ for my regular email, which has been working fine (and still does). No issues… However I want to also use a subdomain – @subdomain.domain.com which I want to use for more secure emails (banking etc) at Proton Mail. I can get everything working, apart from SPF whereby Proton Mail Domain names just won’t recognise my additional entry. So I have added the following to Cloudflare DNS – T...

Cloudflare Community

Related questions