Unlike DMARC, SPF works differently with subdomains. If you’re wondering if you should configure SPF for subdomains and whether policies are to be separately implemented for your subdomains, this article might be helpful for you. Read more about how DMARC works with subdomains here.
To do a quick recap, your domain’s DMARC policy automatically applies to your subdomains. That is, if you have a DMARC record in place for company.com with a DMARC policy of p=reject published on company.com, any mail sent from subdomains like support.company.com or marketing.company.com will inherit the same DMARC policy as the root domain without having to manually configure individual sp (subdomain policy) DMARC tags.
Now let’s dive into managing SPF for subdomains:
How does SPF work with Subdomains?
SPF policies do not automatically get inherited by subdomains. If you use SPF to authenticate your emails and you are sending emails using subdomains, you would need to individually configure SPF records for these subdomains by making modifications to your DNS entries.
company.com has the following SPF record:
v=spf1 include:spf.domain.com include:spf.xyz.net -all
However, instead of sending emails directly from company.com which is your root domain, you are sending emails from marketing.company.com, a subdomain based on your root domain. Email receivers will return a no SPF record found error due to the lack of an SPF record for your subdomain.
Creating an SPF record for your subdomains
To create an SPF record for your subdomains:
- Head over to the SPF record generator tool
- Enter information pertaining to any third parties you may be using to send emails on behalf of your subdomain (e.g. SendGrid, Zendesk, etc)
- Hit the “generate SPF record” button to let the AI generate an error-free TXT record for you
- Copy this record to your clipboard
Publishing your subdomain’s SPF record
To publish SPF for subdomains:
- Gain access to your DNS management console as an administrator
- Navigate to your DNS settings page to edit/add DNS records
- Make sure your subdomain is registered on the portal, click on “Add new record”
- Create a new record in the “Add new record” pop-up box
Record type: TXT
TTL: 1 hour
Host: (your subdomain name)
Value: Paste your generated SPF record here
Note: The name of each criterion and the process for adding a new record varies depending on the DNS provider you use. For any confusion, please get in touch with your hosting provider.
Why do you need SPF for subdomains (and domains)?
When you send an email, the receiving server performs a DNS lookup to query the sending subdomain’s (or domain) DNS for an SPF record. When found, it now checks whether the sender’s IP address matches any of those specified in the record. A match implies that the domain owner has delegated authority to that domain for transferring emails on its behalf. If it is not a match the email fails the SPF check.
Cybercriminals might be forging your domain name to send fake emails to your clients in order to defraud them. Having an SPF record in place helps prevent unauthorized parties from sending emails from your domain. This is why it is important to set up SPF for subdomains and root domains separately to ensure well-rounded protection against impersonation.
What does an SPF record look like?
Given below is an SPF record for your reference:
If you are facing issues in email deliverability, you should check your SPF record for any syntactical errors. Look for redundant spaces in your record and make sure it’s all in one line. If you’re still having troubles, deploy safe SPF with PowerDMARC. We help you streamline your SPF deployment process so you never face configuration or authentication issues.