Do SPF records apply to all subdomains?
I cannot see anything in the SPF standard which would imply that a SPF record covers all subdomains too. Given that subdomains are sometimes managed by different parties (especially in larger organisations like universities) it would also not make much sense to implicitly cover the subdomains. And the standard says in section 4.4:
4.4. Record Lookup
In accordance with how the records are published (see Section 3 above), a DNS query needs to be made for the <domain> name, querying for type TXT only.
"<domain> name" is here the domain from the email, not an upper domain.
SPF does not "roll up" to the organizational domain (this is DMARC's term for thing you register, immediately under the TLD/public suffix). When SPF refers to a "domain", it means the fully qualified domain name (FQDN, "host").
You can make this roll up with a wildcard DNS record, so if you control example.com
with BIND:
* IN TXT v=spf1 a 192.0.2.0/24 -all
@ IN TXT v=spf1 a mx 192.0.2.0/24 ~all
I've chosen to make @
(the top level) allow the mail exchange and be more forgiving about missing may relays (they'll SOFTFAIL) while any other host will trigger the wildcard and either sends mail themselves (the A
record, which also affects IPv6's AAAA
), plus the allowed network CIDR, with a more final FAIL for items that do not pass. This isn't authoritative without DMARC, which could also be set up with a wildcard if desired.