Do I Need An SPF Record for Subdomains?
by
Reading Time: 4 min
The quick answer is yes, if you use SPF to authenticate your emails and you are sending emails using subdomains, you need to individually configure SPF records for these subdomains by making modifications to your DNS entries. If you’re wondering if you should configure SPF for subdomains and whether policies are to be separately implemented for your subdomains, keep reading!
To do a quick recap, your domain’s DMARC policy automatically applies to your subdomains. That is, if you have a DMARC record in place for company.com with a DMARC policy of p=reject published on company.com, any mail sent from subdomains like support.company.com or marketing.company.com will inherit the same DMARC policy as the root domain without having to manually configure individual sp (subdomain policy) DMARC tags.
Now let’s dive into managing SPF for subdomains:
Key Takeaways
- Subdomains require individually configured SPF records to authenticate emails sent from them.
- DMARC policies apply to subdomains automatically, inheriting the policies of the root domain.
- Setting up SPF helps protect your domain from unauthorized email impersonation.
- The process of adding an SPF record varies by DNS provider, so consult your provider for guidance.
- Checking for syntax errors in your SPF record is crucial for ensuring email deliverability.
How does SPF work with Subdomains?
Unlike DMARC subdomain policies, SPF policies do not automatically get inherited by subdomains. As said above, if you are sending emails using subdomains, you would need to individually configure SPF records for these subdomains by making modifications to your DNS entries.
For example, company.com has the following SPF record:
v=spf1 include:spf.domain.com include:spf.xyz.net -all
However, instead of sending emails directly from company.com which is your root domain, you are sending emails from marketing.company.com, a subdomain based on your root domain. Email receivers will return a no SPF record found error due to the lack of an SPF record for your subdomain.
Simplify SPF with PowerDMARC!
Creating an SPF record for your subdomains
To create an SPF record for your subdomains:
- Head over to the SPF record generator tool
- Enter information pertaining to any third parties you may be using to send emails on behalf of your subdomain (e.g. SendGrid, Zendesk, etc)
- Hit the “generate SPF record” button to let the AI generate an error-free TXT record for you
- Copy this record to your clipboard
Publishing your subdomain’s SPF record
To publish SPF for subdomains:
- Gain access to your DNS management console as an administrator
- Navigate to your DNS settings page to edit/add DNS records
- Make sure your subdomain is registered on the portal, click on “Add new record”
- Create a new record in the “Add new record” pop-up box
Record type: TXT
TTL: 1 hour
Host: (your subdomain name)
Value: Paste your generated SPF record here
Note: The name of each criterion and the process for adding a new record varies depending on the DNS provider you use. For any confusion, please get in touch with your hosting provider.
Why do you need SPF for subdomains (and domains)?
When you send an email, the receiving server performs a DNS lookup to query the sending subdomain’s (or domain) DNS for an SPF record. When found, it now checks whether the sender’s IP address matches any of those specified in the record. A match implies that the domain owner has delegated authority to that domain for transferring emails on its behalf. If it is not a match the email fails the SPF check.
Cybercriminals might be forging your domain name to send fake emails to your clients in order to defraud them. Having an SPF record in place helps prevent unauthorized parties from sending emails from your domain. This is why it is important to set up SPF for subdomains and root domains separately to ensure well-rounded protection against impersonation.
What does an SPF record look like?
Given below is an SPF record for your reference:
If you are facing issues in email deliverability, you should check your SPF record for any syntactical errors. Look for redundant spaces in your record and make sure it’s all in one line. If you’re still having troubles, deploy safe SPF with PowerDMARC. We help you streamline your SPF deployment process so you never face configuration or authentication issues.
Domain & Email Security Expert at PowerDMARC
Yunes is an Operations Team Lead at PowerDMARC with expert knowledge in email authentication and security. Yunes is a Microsoft-certified Azure Administrator Associate with certifications in CompTIA A+ and many more.
Latest posts by Yunes Tarada (see all)
- DMARC for Office 365: Step-by-Step Setup & Best Practices - July 11, 2025
- Office 365 DKIM Setup: Enable, Verify, and Configure - July 10, 2025
- SPF Neutral Mechanism (?all) Explained: When and How to Use It - June 23, 2025
