Setting up SPF and DKIM records of a subdomain
I need to set up SPF and DKIM records for mail.mydomain.com. I have set the following at Namecheap:
For SPF:
Record type: TXT
Hostname: mail.mydomain.com
Value: v=spf1 ip4:x.x.x.x ~all
For DKIM:
Record type: TXT
Host: mailer._domainkey
Value: "v=DKIM1; k=rsa; p=LONGSTRING"
This does not work when checked with online checking tools like mail-tester, mxtoolbox etc.
[SOLVED]
Unlike one of the answers below says, it is possible to set up records for subdomains as well. It is an issue with Namecheap (and likely other providers as well). You need to set up the hostname like this:
SPF hostname: mail
DKIM hostname: mailer._domainkey.mail
Namecheap will automatically add the domain.com at the end. You don't need to add it. Also, DNS propagation for the DKIM record took over 15 hours.
Like in the answer from BillThor, you probably NEED to set up SPF and DKIM for example.com, i.e. the hostname used in email addresses such as [email protected], where mail.example.com is only an MX for the domain. But, to answer the exact question...
Unlike claimed in another answer, it is possible to set up both SPF and DKIM on every level. After all, example.com. is a subdomain of com., which is itself a subdomain of the root (.), not to mention domains that are already next-level subdomains, e.g. co.uk.
SPF records are defined (RFC 7208, section 3) to be placed in the DNS tree at the owner name they pertain to, not in a subdomain under the owner name. The first record below is for mail sent from [email protected] and the second for [email protected]:

example.com.      IN TXT "v=spf1 a mx -all"
mail.example.com. IN TXT "v=spf1 a mx -all"

SPF is not inherited, i.e. it doesn't protect subdomains. Additionally, for every subdomain with an A record that isn't intended for sending email you should add:

sub.example.com.  IN TXT "v=spf1 -all"
DKIM records are defined differently: the DKIM namespace (RFC 6376, 3.6.2.1) is a subdomain:

    All DKIM keys are stored in a subdomain named "_domainkey". Given a DKIM-Signature field with a "d=" tag of "example.com" and an "s=" tag of "foo.bar", the DNS query will be for "foo.bar._domainkey.example.com".

In the DKIM-Signature email header you can have d=example.com or d=mail.example.com, with the corresponding [email protected] / [email protected]. Equivalent DNS records:

selector._domainkey.example.com.      IN TXT "v=DKIM1; k=rsa; p=..."
selector._domainkey.mail.example.com. IN TXT "v=DKIM1; k=rsa; p=..."
Once you have implemented (and tested) SPF and DKIM, consider protecting the From header by implementing a DMARC policy (RFC 7489). A DMARC policy is inherited by all subdomains "unless subdomain policy is explicitly described using the sp tag" (section 6.3). E.g.:

_dmarc.example.com. IN TXT "v=DMARC1; p=reject; aspf=s; adkim=s;"
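An added example (not from the question or either answer) that works out where the SPF, DKIM and DMARC records discussed above must live for a given sender, against a constructed in-memory zone. ZONE, its contents and the helper names are assumptions; the sp=quarantine tag in the DMARC record is constructed to show the subdomain inheritance rule.

```python
ZONE = {  # constructed sample zone: owner name -> TXT record data
    "example.com.": "v=spf1 a mx -all",
    "mail.example.com.": "v=spf1 a mx -all",
    "selector._domainkey.example.com.": "v=DKIM1; k=rsa; p=MIIBIjANBg",
    "_dmarc.example.com.": "v=DMARC1; p=reject; sp=quarantine; aspf=s; adkim=s;",
}

def fqdn(name):
    """Normalise to an absolute owner name with a trailing dot."""
    return name.rstrip(".") + "."

def parse_tags(txt):
    """Parse the 'tag=value; tag=value' syntax shared by DKIM and DMARC records."""
    tags = {}
    for part in txt.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip()] = value.strip()
    return tags

def spf_record(zone, sending_domain):
    """RFC 7208 s.3: SPF lives at the owner name itself and is not inherited,
    so a subdomain without its own record simply has none."""
    return zone.get(fqdn(sending_domain))

def dkim_query_name(d, s):
    """RFC 6376 s.3.6.2.1: the key for d=<d>, s=<s> is at <s>._domainkey.<d>."""
    return f"{s}._domainkey.{fqdn(d)}"

def dkim_key(zone, d, s):
    """Fetch and parse the public-key record a verifier would query for d= and s=."""
    txt = zone.get(dkim_query_name(d, s))
    return parse_tags(txt) if txt else None

def dmarc_policy(zone, from_domain, org_domain):
    """RFC 7489 s.6.3: a subdomain without its own _dmarc record inherits the
    organisational domain's policy, using 'sp' instead of 'p' when sp is set."""
    own = zone.get("_dmarc." + fqdn(from_domain))
    if own:
        return parse_tags(own)["p"]
    org = zone.get("_dmarc." + fqdn(org_domain))
    if org is None:
        return None
    tags = parse_tags(org)
    is_sub = fqdn(from_domain) != fqdn(org_domain)
    return tags["sp"] if is_sub and "sp" in tags else tags["p"]

def namecheap_owner_name(host, domain):
    """The asker's fix: Namecheap appends the zone's domain to the Host field,
    so Host 'mailer._domainkey.mail' becomes mailer._domainkey.mail.<domain>."""
    return fqdn(domain) if host in ("", "@") else f"{host}.{fqdn(domain)}"
```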
You should configure DKIM and SPF for the domain you are sending mail for. Given the subdomain mail.example.com, it is likely sending traffic for the example.com domain, and has email addresses like [email protected].
In this case, you need to configure DKIM records under example.com rather than under mail.example.com. The SPF record for example.com could be as simple as v=spf1 a mx -all.
There is no reason why the mail server cannot send mail for a different domain such as example.net and/or example.org. For each domain, configure DKIM relative to that domain and an SPF record for that domain.
It is useful to define an SPF record for the mail server domain like v=spf1 a -all. This allows SPF validation of the host address.
You should also consider configuring DMARC records. These are defined relative to the domain in the sending email address rather than the domain that is sending the email.
I have posted on Securing your Email Reputation with SPF, Implementing DKIM with Exim and other subjects. The DNS details for DKIM are applicable to all mail servers.