How SPF Works With Subdomains?

SPF Subdomain

We will go over how SPF works with subdomains in this article.

How SPF policy discovery works

As discussed in the How DMARC Works With Subdomains post, not all subdomains need to publish a DMARC record, if the organizational domain already has one. In that case, the organizational domain's DMARC record will be used for all subdomains without an explicitly published DMARC record, by the DMARC policy discovery process.

Does SPF work the same way? Let's say we have an SPF record published on domain.com as follows:

v=spf1 include:someservice.com -all

and a subdomain sales.domain.com. And no SPF record is present on sales.domain.com.

Now the receiving server needs to perform an SPF check on an incoming email claiming to have originated from joe@sales.domain.com, will it be able to find an SPF record for that purpose?

The answer is no. SPF policy discovery works differently than DMARC policy discovery in this regard: if SPF is unable to find an SPF record on a subdomain, it won't go up to try the organizational domain; instead, SPF will return none as the check result.

This makes good sense. From a real-world perspective, sales.domain.com represents a department while the organizational domain represents the whole organization. As a specialized department, sales uses services that are highly sales-specific, hence probably different than those used outside the sales department. Therefore, if an SPF record is not found on sales.domain.com, we can't simply resort to domain.com for the SPF record as a fallback. Same for other departments like IT, accounting, billing, etc.

Your best bet is to create an SPF record with all the services used within the sales department on sales.domain.com. Do this for every subdomain (including multi-level subdomains) that sends emails within your organization.

How to publish an SPF record on a subdomain

Publishing an SPF record on a subdomain is very similar to that on an organizational domain. All you need is to create a TXT record on that subdomain:

subdomain IN TXT    "v=spf1 mx include:_spf.google.com ip4:111.13.109.12 -all"

For example, here is how you publish the SPF record on subdomain.mailiber.com on GoDaddy:

Once it's published, you can use our SPF record checker to confirm that subdomain.mailiber.com does have the SPF record:

Previous Post Next Post

 Protect Business Email & Improve Email Deliverability

Get a 14 day trial. No credit card required.

Create Account