SPF does not treat subdomains the way DMARC does. If you are wondering whether you need to configure SPF separately for your subdomains, this article should help.
To recap: your domain’s DMARC policy automatically applies to your subdomains. If you publish a DMARC record for company.com with the policy p=reject, any mail sent from subdomains such as support.company.com or marketing.company.com inherits that policy from the root domain, without your having to set the sp (subdomain policy) tag individually.
Now let’s dive into managing SPF for your subdomains:
How does SPF work with Subdomains?
SPF records are not inherited by subdomains. If you authenticate your mail with SPF and you send from subdomains, you need to publish a separate SPF record for each sending subdomain by adding the corresponding entries to your DNS.
Suppose company.com has the following SPF record:
v=spf1 include:spf.domain.com include:spf.xyz.net -all
Now suppose that, instead of sending directly from your root domain company.com, you send from the subdomain marketing.company.com. Receiving servers look for an SPF record at marketing.company.com, find none, and report a “no SPF record found” error (an SPF result of none), because the record published on company.com does not cover the subdomain.
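The lookup behaviour described above, as an added example that is not part of the original article: a small simulation with a constructed in-memory zone (the names spf.domain.com, spf.xyz.net and the IP ranges are assumptions for the example). The SPF check queries only the exact sending domain, so marketing.company.com gets the result none even though company.com has a record, whereas the DMARC lookup falls back to the organizational domain and inherits p=reject. On a live domain the equivalent check is `dig +short TXT marketing.company.com`.

```python
"""Simulated SPF lookup and evaluation showing that SPF is not inherited by
subdomains while DMARC is. The zone below is constructed for this example;
no real DNS is consulted."""
import ipaddress

# Constructed zone: TXT records keyed by exact owner name (assumed data).
ZONE = {
    "company.com": ["v=spf1 include:spf.domain.com include:spf.xyz.net -all"],
    "_dmarc.company.com": ["v=DMARC1; p=reject"],
    "spf.domain.com": ["v=spf1 ip4:192.0.2.0/24 -all"],
    "spf.xyz.net": ["v=spf1 ip4:198.51.100.10 ~all"],
    # marketing.company.com deliberately has no SPF record.
}

def lookup_txt(name, prefix):
    """Return the single TXT record at *name* starting with *prefix*, or None.
    SPF (RFC 7208) is looked up at the exact sending domain only."""
    matches = [r for r in ZONE.get(name, []) if r.lower().startswith(prefix)]
    return matches[0] if len(matches) == 1 else None

def dmarc_policy(domain):
    """DMARC: try the exact domain, then fall back to the organizational domain
    (approximated here as the last two labels, which is enough for .com)."""
    rec = lookup_txt("_dmarc." + domain, "v=dmarc1")
    if rec is None:
        org = ".".join(domain.split(".")[-2:])
        rec = lookup_txt("_dmarc." + org, "v=dmarc1")
    if rec is None:
        return "none"
    tags = dict(t.strip().split("=", 1) for t in rec.split(";") if "=" in t)
    return tags.get("p", "none")

def check_spf(domain, ip, depth=0):
    """Return an SPF result: none, pass, fail, softfail, neutral or permerror."""
    if depth > 10:
        return "permerror"          # too many nested includes
    rec = lookup_txt(domain, "v=spf1")
    if rec is None:
        return "none"               # no record at this exact name: no decision
    addr = ipaddress.ip_address(ip)
    for term in rec.split()[1:]:
        qual = "+"
        if term[0] in "+-~?":
            qual, term = term[0], term[1:]
        matched = False
        if term.startswith("ip4:"):
            matched = addr in ipaddress.ip_network(term[4:], strict=False)
        elif term.startswith("include:"):
            # include matches only when the referenced record yields pass
            matched = check_spf(term[8:], ip, depth + 1) == "pass"
        elif term == "all":
            matched = True
        if matched:
            return {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}[qual]
    return "neutral"

if __name__ == "__main__":
    for sender in ("company.com", "marketing.company.com"):
        print(sender, "SPF:", check_spf(sender, "192.0.2.7"),
              "DMARC:", dmarc_policy(sender))
```

The contrast is the point: DMARC walks up to the organizational domain when `_dmarc.<subdomain>` is absent, SPF never does, so the subdomain needs its own TXT record.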
Creating an SPF record for your subdomains
To create an SPF record for your subdomains:
- Head over to the SPF record generator tool
- Enter information about any third parties you use to send emails on behalf of your subdomain (e.g. SendGrid or Zendesk)
- Hit the “generate SPF record” button to let the AI generate an error-free TXT record for you
- Copy this record to your clipboard
Publishing your subdomain’s SPF record
To publish your subdomain’s SPF record:
- Gain access to your DNS management console as an administrator
- Navigate to your DNS settings page to edit/add DNS records
- Make sure your subdomain is registered on the portal, then click “Add new record”
- Create a new record in the “Add new record” pop-up box with the following fields:
  - Record type: TXT
  - TTL: 1 hour
  - Host: (your subdomain name)
  - Value: paste your generated SPF record here
Note: Field names and the exact process for adding a record vary by DNS provider. If you are unsure, contact your hosting provider.
Why do you need an SPF record for your subdomains (and domains)?
When you send an email, the receiving server performs a DNS lookup for an SPF record on the sending domain (or subdomain). If it finds one, it checks whether the sending server’s IP address matches any of the hosts or networks listed in the record. A match means the domain owner has authorized that host to send mail on the domain’s behalf; if there is no match, the email fails the SPF check.
Cybercriminals may forge your domain name to send fraudulent emails to your clients. Having an SPF record in place lets receiving servers reject mail from unauthorized parties claiming to send from your domain.
What does an SPF record look like?
Given below is an SPF record for your reference:
If you are having email deliverability problems, check your SPF record for syntax errors: look for redundant spaces and make sure the whole record is on a single line. If you are still having trouble, deploy safe SPF with PowerDMARC. We help you streamline your SPF deployment so you never face configuration or authentication issues.
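A static syntax check of the kind the paragraph above recommends, as an added example that is not part of the original article or of any PowerDMARC tool. It flags the two problems named in the text (redundant spaces and line breaks) and, going a little beyond the text, a few other common ones: a missing v=spf1 prefix, unknown mechanisms, a permissive +all, a missing all/redirect terminator, and more than ten DNS-querying terms (the RFC 7208 lookup limit). It inspects only the record string and makes no DNS queries; the sample records in the test are constructed.

```python
"""Lint an SPF TXT record string for common syntax and policy mistakes.
Added example; checks the record text only and never queries DNS."""

MECHANISMS = ("all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists")
# Terms that cause a DNS query and count toward the 10-lookup limit.
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")

def lint_spf(record):
    """Return a list of problem descriptions; an empty list means no issue found."""
    problems = []
    if "\n" in record or "\r" in record:
        problems.append("record must be a single line")
    if "  " in record or record != record.strip():
        problems.append("redundant whitespace (double, leading or trailing spaces)")
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        problems.append("record must start with v=spf1")
        return problems
    lookups = 0
    saw_all = False
    for term in terms[1:]:
        if saw_all:
            problems.append(f"term '{term}' after 'all' is ignored")
        body = term.lstrip("+-~?")          # drop the qualifier, if any
        if "=" in body:                     # modifier, e.g. redirect=example.com
            name, _, value = body.partition("=")
            if name.lower() not in ("redirect", "exp"):
                problems.append(f"unknown modifier '{term}'")
            elif name.lower() == "redirect":
                lookups += 1
            continue
        name, _, value = body.partition(":")
        name = name.lower()
        if name not in MECHANISMS:
            problems.append(f"unknown mechanism '{term}'")
            continue
        if name in ("include", "ip4", "ip6", "exists") and not value:
            problems.append(f"'{name}' needs an argument")
        if name in LOOKUP_TERMS:
            lookups += 1
        if name == "all":
            saw_all = True
            if term[0] not in "-~?":        # bare 'all' or '+all'
                problems.append("'+all' (or bare 'all') authorises every sender")
    if lookups > 10:
        problems.append(f"{lookups} DNS-querying terms exceed the limit of 10")
    has_redirect = any(t.lower().lstrip("+-~?").startswith("redirect=") for t in terms)
    if not saw_all and not has_redirect:
        problems.append("no 'all' mechanism; add -all or ~all")
    return problems

if __name__ == "__main__":
    for rec in ("v=spf1 include:spf.domain.com include:spf.xyz.net -all",
                "v=spf1  include:spf.domain.com -all",
                "v=spf1 include:spf.domain.com +all"):
        print(repr(rec), "->", lint_spf(rec) or "OK")
```

Run it against the record you are about to publish; a clean result does not prove the listed senders are correct, only that the receiving server will be able to parse the record.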