Do SPF Records For Primary Domain apply to subdomains?

I have a quick question regarding SPF records: Do they need to be present for all subdomains?

Let's say that I have a TXT record with SPF info for domain.com

Let's also say that I have a separate email domain for subdomain.domain.com

Will the SPF policy/info for domain.com also apply to the subdomain? Or do I need to add a separate TXT record for that too?


You need to have separate SPF records for each subdomain you wish to send mail from.

The following was originally posted on openspf.org, which used to be a great resource for this kind of thing.

Latest link http://www.open-spf.org/FAQ/The_demon_question/

The Demon Question: What about subdomains?

If I get mail from pielovers.demon.co.uk, and there's no SPF data for pielovers, should I go back one level and test SPF for demon.co.uk? No. Each subdomain at Demon is a different customer, and each customer might have their own policy. It wouldn't make sense for Demon's policy to apply to all its customers by default; if Demon wants to do that, it can set up SPF records for each subdomain.

So the advice to SPF publishers is this: you should add an SPF record for each subdomain or hostname that has an A or MX record.

Sites with wildcard A or MX records should also have a wildcard SPF record, of the form: * IN TXT "v=spf1 -all"

This makes sense - a subdomain may very well be in a different geographical location and have a very different SPF definition.

The 'include:' directive for SPF may be used to provide all subdomains with the same entries. For example, on the SPF record for subdomain mailfrom.example.com enter 'include:example.com'. In this fashion whenever you update the definition for example.com your subdomains will automatically pick up the updated values.


In addition to the other answers, if a subdomain is created as a CNAME record, the SPF record is the one for the domain it points to, e.g. sub.domain.com is a CNAME of otherdomain.com, the SPF a mailserver will get when it looks up [email protected] is in the DNS record for otherdomain.com.

This is the same in practice if the CNAME record says sub.domain.com => othersub.domain.com, so your TXT record would need to be othersub, not sub. This is in contrast to DKIM, which needs a separate TXT record for the public key, even if your subdomain is a CNAME.


But note, as it says in the FAQ referenced in the accepted answer, that you can have wildcard SPFs for a domain for wildcard A or MX records. I have wildcard MX domains, and this works for me:

*.mydomain.org. 3600 IN  TXT  "v=spf1 ip4:IPADDR -all"

with IPADDR replaced with your IP address/range.


No, but you can short-circuit them with the include:maindomain.invalid directive.


*.mydomain.org. 3600 IN  TXT  "v=spf1 ip4:IPADDR -all" 

as written above does not work if the spammer uses a subdomain that is already in DNS. For example, a www.domain.com A record overrides the wildcard in that case.
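Tying the answers in this thread together, here is an added Python example (not from the original thread or any answerer) that simulates the lookups a receiving mail server performs against a small constructed zone. It shows the points made above: SPF is read only from the exact name queried, with no fallback to the parent domain (accepted answer); an include: pulls in another domain's policy without authorizing the subdomain's own addresses; a CNAME redirects the lookup to its target (second answer); and a wildcard TXT record only answers for names that do not otherwise exist, so a www host that already has an A record gets no SPF from the wildcard (the last two answers). All zone data, hostnames and addresses are constructed for the example and the evaluator covers only ip4, include and all.

```python
"""Simulated SPF lookup over a constructed DNS zone (example code, not real DNS)."""
import ipaddress

# Constructed zone: owner name -> list of (rrtype, rdata). Not real DNS data.
ZONE = {
    "example.com.":          [("MX", "mail.example.com."),
                              ("TXT", "v=spf1 ip4:192.0.2.10 -all")],
    "mail.example.com.":     [("A", "192.0.2.10")],
    # subdomain that reuses the parent policy via include:
    "mailfrom.example.com.": [("A", "192.0.2.20"),
                              ("TXT", "v=spf1 include:example.com -all")],
    # subdomain with an A record but no SPF record of its own
    "orphan.example.com.":   [("A", "192.0.2.30")],
    # subdomain that is a CNAME to a name in another zone
    "alias.example.com.":    [("CNAME", "other.example.net.")],
    "other.example.net.":    [("TXT", "v=spf1 ip4:198.51.100.5 -all")],
    # wildcard MX plus wildcard SPF, and one explicitly defined host under it
    "*.wild.example.org.":   [("MX", "mx.wild.example.org."),
                              ("TXT", "v=spf1 ip4:203.0.113.9 -all")],
    "www.wild.example.org.": [("A", "203.0.113.80")],
}


def _fqdn(name):
    return name.rstrip(".").lower() + "."


def lookup(name, rrtype, depth=0):
    """Return rdata for (name, rrtype), following CNAMEs.

    Wildcard rule (RFC 1034 style, simplified to the immediate parent):
    '*.parent.' only synthesizes answers for names that do NOT exist in
    the zone. An existing name with no record of the requested type
    returns an empty answer rather than falling through to the wildcard.
    """
    if depth > 8:
        raise RuntimeError("CNAME chain too long")
    name = _fqdn(name)
    rrs = ZONE.get(name)
    if rrs is not None:
        cname = [r for t, r in rrs if t == "CNAME"]
        if cname:
            return lookup(cname[0], rrtype, depth + 1)
        return [r for t, r in rrs if t == rrtype]
    wild = "*." + name.split(".", 1)[1]
    if wild in ZONE:
        return [r for t, r in ZONE[wild] if t == rrtype]
    return []


def get_spf(name):
    """SPF record for exactly this name; never consults the parent domain."""
    spf = [t for t in lookup(name, "TXT") if t.startswith("v=spf1")]
    # none -> no policy; more than one would be a permerror in real evaluation
    return spf[0] if len(spf) == 1 else None


def _ip_in(ip, cidr):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def check_host(ip, domain, depth=0):
    """Minimal check_host(): evaluates ip4, include and all, left to right."""
    spf = get_spf(domain)
    if spf is None:
        return "none"
    if depth > 10:
        return "permerror"
    results = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in spf.split()[1:]:
        qual = "+"
        if term[0] in results:
            qual, term = term[0], term[1:]
        if term.startswith("ip4:") and _ip_in(ip, term[4:]):
            return results[qual]
        if term.startswith("include:") and \
                check_host(ip, term[8:], depth + 1) == "pass":
            return results[qual]
        if term == "all":
            return results[qual]
    return "neutral"


if __name__ == "__main__":
    cases = [
        ("192.0.2.10", "example.com"),             # pass: listed directly
        ("192.0.2.30", "orphan.example.com"),      # none: no record, no inheritance
        ("192.0.2.10", "mailfrom.example.com"),    # pass: via include:example.com
        ("192.0.2.20", "mailfrom.example.com"),    # fail: include does not add own IP
        ("198.51.100.5", "alias.example.com"),     # pass: CNAME target's SPF
        ("203.0.113.9", "news.wild.example.org"),  # pass: wildcard SPF
        ("203.0.113.80", "www.wild.example.org"),  # none: existing A blocks wildcard
    ]
    for ip, dom in cases:
        print(f"{dom:28} {ip:14} -> {check_host(ip, dom)}")
```

The wildcard case at the end is the one the last answer warns about: because www.wild.example.org exists in the zone (it has an A record), the wildcard TXT never applies to it, so a separate "v=spf1 ... -all" record is needed for every explicitly defined host you do not want to leave without a policy.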