Like in the answer from BillThor, you probably NEED to set up SPF and DKIM for `example.com`, i.e. the hostname used in email addresses `user@example.com`, where `mail.example.com` is only an MX for the domain. But, to answer the exact question...

Unlike claimed on another answer, it is possible to set up both SPF and DKIM on every level. After all, `example.com.` is a subdomain of `com.` that is also a subdomain of `.`, not to even mention domains that are already next level subdomains, e.g. `co.uk`.

SPF records are defined (RFC 7208, 3) to be placed in the DNS tree at the owner name it pertains to, not in a subdomain under the owner name. The first line is for mail sent from `user@example.com` and the second for `user@mail.example.com`.

```
example.com.      IN TXT "v=spf1 a mx -all"
mail.example.com. IN TXT "v=spf1 a mx -all"
```
SPF is not inherited, i.e. it doesn't protect subdomains. Additionally, for every subdomain with an `A` record that isn't intended for sending email you should add:

```
sub.example.com. IN TXT "v=spf1 -all"
```
DKIM records are defined differently: the DKIM namespace (RFC 6376, 3.6.2.1) is a subdomain:

> All DKIM keys are stored in a subdomain named `_domainkey`. Given a `DKIM-Signature` field with a `d=` tag of `example.com` and an `s=` tag of `foo.bar`, the DNS query will be for `foo.bar._domainkey.example.com`.
In the `DKIM-Signature` email header you can have `d=example.com` or `d=mail.example.com`, with the corresponding `i=user@example.com` / `i=user@mail.example.com`. Equivalent DNS records:

```
selector._domainkey.example.com.      IN TXT "v=DKIM1; k=rsa; p=...
selector._domainkey.mail.example.com. IN TXT "v=DKIM1; k=rsa; p=...
```
Once you have implemented (and tested) SPF and DKIM, consider protecting the `From` header by implementing a DMARC policy (RFC 7489). A DMARC policy is inherited by all subdomains "unless subdomain policy is explicitly described using the `sp` tag" (section 6.3). E.g.

```
_dmarc.example.com. IN TXT "v=DMARC1; p=reject; aspf=s; adkim=s;"
```
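As an added example that is not part of this answer, the three lookups described above run over a constructed in-memory zone: SPF is fetched only at the exact owner name (no inheritance), the DKIM key name is built from the `d=` and `s=` tags, and DMARC falls back to the organizational domain, where `sp=` overrides `p=` for subdomains. The `ZONE` contents, the `PUBLIC_SUFFIXES` set (standing in for the real Public Suffix List that RFC 7489 uses) and the `PLACEHOLDER` key value are assumptions for the example.

```python
# Constructed zone: owner name -> TXT record (trailing dots dropped).
ZONE = {
    "example.com": "v=spf1 a mx -all",
    "mail.example.com": "v=spf1 a mx -all",
    "sub.example.com": "v=spf1 -all",
    "selector._domainkey.example.com": "v=DKIM1; k=rsa; p=PLACEHOLDER",
    "selector._domainkey.mail.example.com": "v=DKIM1; k=rsa; p=PLACEHOLDER",
    "_dmarc.example.com": "v=DMARC1; p=reject; sp=quarantine; aspf=s; adkim=s;",
}
# Assumed stand-in for the Public Suffix List (RFC 7489 uses the real one).
PUBLIC_SUFFIXES = {"com", "co.uk"}

def spf_record(mail_from_domain):
    """SPF lives at the owner name itself and is never inherited (RFC 7208, 3)."""
    return ZONE.get(mail_from_domain.lower())

def dkim_query_name(d, s):
    """Key for the d= and s= tags is at <s>._domainkey.<d> (RFC 6376, 3.6.2.1)."""
    return f"{s}._domainkey.{d}".lower()

def organizational_domain(domain):
    """Public suffix plus one label, e.g. mail.example.com -> example.com."""
    labels = domain.lower().split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return domain.lower()

def parse_tags(record):
    """Split a 'k=v; k=v' TXT record into a dict of tag -> value."""
    return dict(p.strip().split("=", 1) for p in record.split(";") if "=" in p)

def dmarc_policy(from_domain):
    """RFC 7489, 6.6.3: query _dmarc.<domain>; if absent, use the organizational
    domain's record, where sp= (when present) applies instead of p=."""
    from_domain = from_domain.lower()
    rec = ZONE.get(f"_dmarc.{from_domain}")
    if rec is not None:
        return parse_tags(rec)["p"]
    org = organizational_domain(from_domain)
    rec = ZONE.get(f"_dmarc.{org}") if org != from_domain else None
    if rec is None:
        return None
    tags = parse_tags(rec)
    return tags.get("sp", tags["p"])
```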