77

I have a quick question regarding SPF records: Do they need to be present for all subdomains?

Let's say that I have a TXT record with SPF info for domain.com

Let's also say that I have a separate email domain for subdomain.domain.com

Will the SPF policy/info for domain.com also apply to the subdomain? Or do I need to add a separate TXT record for that too?

Mike B
  • 11,570
  • 42
  • 106
  • 165

6 Answers

80

You need to have separate SPF records for each subdomain you wish to send mail from.

The following was originally posted on openspf.org, which used to be a great resource for this kind of thing.

Latest link http://www.open-spf.org/FAQ/The_demon_question/

The Demon Question: What about subdomains?

If I get mail from pielovers.demon.co.uk, and there's no SPF data for pielovers, should I go back one level and test SPF for demon.co.uk? No. Each subdomain at Demon is a different customer, and each customer might have their own policy. It wouldn't make sense for Demon's policy to apply to all its customers by default; if Demon wants to do that, it can set up SPF records for each subdomain.

So the advice to SPF publishers is this: you should add an SPF record for each subdomain or hostname that has an A or MX record.

Sites with wildcard A or MX records should also have a wildcard SPF record, of the form: * IN TXT "v=spf1 -all"

This makes sense - a subdomain may very well be in a different geographical location and have a very different SPF definition.

The 'include:' directive for SPF may be used to provide all subdomains with the same entries. For example, on the SPF record for subdomain mailfrom.example.com enter 'include:example.com'. In this fashion whenever you update the definition for example.com your subdomains will automatically pick up the updated values.

Tim Brigham
  • 15,465
  • 7
  • 72
  • 113
  • link to openspf doesn't work for me atm, but luckily the internet archive has us covered: https://web.archive.org/web/20190129091342/http://www.openspf.org/FAQ/The_demon_question – Legolas Mar 19 '19 at 08:34
  • Current link to The Demon Question: http://www.open-spf.org/action_browse_diff_1_id_FAQ/The_demon_question/ – imclean Mar 26 '21 at 04:54
  • http://www.open-spf.org/FAQ/The_demon_question/ – imclean Mar 28 '21 at 21:58
30

In addition to the other answers, if a subdomain is created as a CNAME record, the SPF record is the one for the domain it points to, e.g. if sub.domain.com is a CNAME of otherdomain.com, the SPF a mailserver will get when it looks up mail@sub.domain.com is in the DNS record for otherdomain.com.

This is the same in practice if the CNAME record says sub.domain.com => othersub.domain.com, so your TXT record would need to be othersub, not sub. This is in contrast to DKIM, which needs a separate TXT record for the public key, even if your subdomain is a CNAME.

Marco Demaio
  • 580
  • 1
  • 8
  • 22
Sam_Butler
  • 421
  • 4
  • 5
5

But note, as it says in the FAQ referenced in the accepted answer, that you can have wildcard SPFs for a domain for wildcard A or MX records. I have wildcard MX domains, and this works for me:

*.mydomain.org. 3600 IN  TXT  "v=spf1 ip4:IPADDR -all"

with IPADDR replaced with your IP address/range.

EML
  • 393
  • 3
  • 12
3

No, but you can short-circuit them with the include:maindomain.invalid directive.

mailq
  • 16,882
  • 2
  • 36
  • 66
2
*.mydomain.org. 3600 IN  TXT  "v=spf1 ip4:IPADDR -all" 

as written above does not work if the spammer uses a subdomain that is already in DNS. For example, the A records for www.domain.com override the wildcard in that case.

HBruijn
  • 72,524
  • 21
  • 127
  • 192
0

Be aware that the include statement only includes A-records from the specified domain and not from its subdomains either. So it does not pick up A-records from subdomains and therefore it only works when all subdomains are on the same server or send from the same server.

Jeff
  • 11
  • 1
  • I don't think this answer pertains to the question (which concerns SPF records, i.e. `TXT`) at all? – Felix Frank Jun 16 '14 at 11:48
  • I think the warning in this answer was about the case where 1) the top-level domain specified an SPF record including 'a' 2) the sub-domain included the top-level domain SPF, expecting to pick up the exact same set of IP addresses, but actually picked up the sub-domain A record. – AdamS Mar 18 '17 at 16:38
  • @AdamS, the opposite actually occurs. Suppose: • `example.com A` returns `192.168.0.10`; • `example.com TXT` returns `v=spf1 a -all`; • `sub.example.com A` returns `192.168.0.20`; and • `sub.example.com TXT` returns `v=spf1 include:example.com -all`. Then mail for `sub.example.com` is permitted to be sent from `192.168.0.10` alone. – Jivan Pal Dec 30 '20 at 00:19
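The behaviours discussed across this thread (no SPF inheritance from the parent domain in the accepted answer, include: picking up only the included domain's own A record as in Jeff's answer and Jivan Pal's comment, CNAME subdomains using the target's record as in Marco Demaio's answer, and an existing name shadowing a wildcard TXT record as in HBruijn's answer) can all be checked against one toy evaluator. The following is an added example, not code from the thread or from openspf.org: a minimal SPF checker over a constructed in-memory zone. The zone names, IP addresses and records are all constructed; it supports only the mechanisms mentioned above (ip4, a, include, all) and omits the rest of RFC 7208 (mx, ptr, exists, macros, redirect=, the 10-lookup limit).

```python
# Added example (not from the Server Fault thread or openspf.org): a minimal
# SPF evaluator over a constructed zone, limited to ip4 / a / include / all,
# wildcard TXT records and CNAME indirection. Real SPF (RFC 7208) has more.
import ipaddress

# Constructed zone: name -> {record type: [values]}. All data is made up.
ZONE = {
    "example.com":       {"A": ["192.168.0.10"], "TXT": ["v=spf1 a -all"]},
    "sub.example.com":   {"A": ["192.168.0.20"],
                          "TXT": ["v=spf1 include:example.com -all"]},
    "nospf.example.com": {"A": ["192.168.0.30"]},             # no SPF at all
    "alias.example.com": {"CNAME": ["example.com"]},           # CNAME, no TXT
    "*.wild.example.org":   {"TXT": ["v=spf1 ip4:203.0.113.5 -all"]},
    "www.wild.example.org": {"A": ["203.0.113.9"]},            # exists, no TXT
}

def lookup(name, rtype):
    """Resolve name/rtype against ZONE. Follows CNAMEs (bounded) and, as in
    real DNS, consults a one-label wildcard only when the exact name owns no
    records at all, so an existing www.* name shadows *.wild.example.org."""
    name = name.rstrip(".").lower()
    for _ in range(5):
        rrs = ZONE.get(name)
        if rrs is None:
            labels = name.split(".", 1)
            rrs = ZONE.get("*." + labels[1], {}) if len(labels) == 2 else {}
        if "CNAME" in rrs and rtype != "CNAME":
            name = rrs["CNAME"][0]
            continue
        return list(rrs.get(rtype, []))
    return []

def get_spf(domain):
    """SPF record published at exactly this name, or None. Deliberately no
    walk up to the parent: SPF is never inherited from the parent domain."""
    spf = [t for t in lookup(domain, "TXT") if t.startswith("v=spf1")]
    return spf[0] if spf else None

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_host(ip, domain, depth=0):
    """Evaluate the SPF policy of `domain` for sending address `ip`.
    Returns pass / fail / softfail / neutral / none / permerror."""
    if depth > 10:
        return "permerror"
    record = get_spf(domain)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            # A bare 'a' refers to the domain currently being evaluated. Inside
            # an include: that is the *included* domain, which is why
            # sub.example.com does not pick up its own A record via include.
            matched = str(addr) in lookup(arg or domain, "A")
        elif mech == "include":
            inner = check_host(ip, arg, depth + 1)
            if inner in ("none", "permerror"):
                return "permerror"      # RFC 7208: missing included record
            matched = inner == "pass"
        else:
            return "permerror"          # mechanism not supported by this toy
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"

def demo():
    """Outcomes for the cases raised in the thread, returned for checking."""
    return {
        "parent, own host":          check_host("192.168.0.10", "example.com"),
        "include, parent's host":    check_host("192.168.0.10", "sub.example.com"),
        "include, subdomain's host": check_host("192.168.0.20", "sub.example.com"),
        "no SPF, no inheritance":    check_host("192.168.0.30", "nospf.example.com"),
        "CNAME uses target's SPF":   check_host("192.168.0.10", "alias.example.com"),
        "wildcard covers new name":  check_host("203.0.113.5", "anything.wild.example.org"),
        "existing name shadows wildcard": check_host("203.0.113.5", "www.wild.example.org"),
    }

if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label:32} {result}")
```

The case "include, subdomain's host" fails: the include evaluates example.com's `a` against example.com's address, so 192.168.0.20 is never authorised, which is the effect Jivan Pal describes. The last case returns "none" rather than "pass" because www.wild.example.org already exists in the zone, so the wildcard TXT record is not consulted for it.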