Do SPF Records For Primary Domain apply to subdomains?

Solution 1:

You need to have separate SPF records for each subdomain you wish to send mail from.

The following was originally posted on openspf.org, which used to be a great resource for this kind of thing.

The Demon Question: What about subdomains?

If I get mail from pielovers.demon.co.uk, and there's no SPF data for pielovers, should I go back one level and test SPF for demon.co.uk? No. Each subdomain at Demon is a different customer, and each customer might have their own policy. It wouldn't make sense for Demon's policy to apply to all its customers by default; if Demon wants to do that, it can set up SPF records for each subdomain.

So the advice to SPF publishers is this: you should add an SPF record for each subdomain or hostname that has an A or MX record.

Sites with wildcard A or MX records should also have a wildcard SPF record, of the form: * IN TXT "v=spf1 -all"

This makes sense - a subdomain may very well be in a different geographical location and have a very different SPF definition.

The 'include:' directive for SPF may be used to provide all subdomains with the same entries. For example, on the SPF record for subdomain mailfrom.example.com enter 'include:example.com'. In this fashion whenever you update the definition for example.com your subdomains will automatically pick up the updated values.

Solution 2:

In addition to the other answers, if a subdomain is created as a CNAME record, the SPF record is the one for the domain it points to, e.g. if sub.domain.com is a CNAME of otherdomain.com, the SPF record a mail server will get when it looks up mail from sub.domain.com is the one in the DNS record for otherdomain.com.

This is the same in practice if the CNAME record says sub.domain.com => othersub.domain.com, so your TXT record would need to be othersub, not sub. This is in contrast to DKIM, which needs a separate TXT record for the public key, even if your subdomain is a CNAME.


Solution 3:

But note, as it says in the FAQ referenced in the accepted answer, that you can have wildcard SPFs for a domain for wildcard A or MX records. I have wildcard MX domains, and this works for me:

*.mydomain.org. 3600 IN  TXT  "v=spf1 ip4:IPADDR -all"

with IPADDR replaced with your IP address/range.


Solution 4:

No, but you can short-circuit them with the include:maindomain.invalid directive.


Solution 5:

*.mydomain.org. 3600 IN  TXT  "v=spf1 ip4:IPADDR -all" 

as written above does not work if the spammer uses a subdomain that already exists in DNS. For example, an existing www.domain.com A record supersedes the wildcard in that case.
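As an added example (not code from any of the answers above), the following simulates the lookup rules the answers describe: a TXT lookup that follows CNAMEs (Solution 2), applies the DNS wildcard only to names that do not exist (Solutions 3 and 5), and never falls back to the parent domain (Solution 1), plus a minimal SPF evaluator that understands ip4, include and all. The zone, host names and 192.0.2.x addresses are constructed for illustration.

```python
from ipaddress import ip_address, ip_network

# Constructed zone for the example (names, addresses and records are made up, not from the answers).
ZONE = {
    "example.com.":          [("MX", "mail.example.com."), ("TXT", "v=spf1 ip4:192.0.2.10 -all")],
    "mailfrom.example.com.": [("TXT", "v=spf1 include:example.com -all")],  # Solution 1: include:
    "sub.example.com.":      [("CNAME", "othersub.example.com.")],           # Solution 2: CNAME
    "othersub.example.com.": [("TXT", "v=spf1 ip4:192.0.2.20 -all")],
    "www.example.com.":      [("A", "192.0.2.30")],                          # Solution 5: exists, no TXT
    "*.example.com.":        [("TXT", "v=spf1 -all")],                       # Solution 3: wildcard
    "demon.co.uk.":          [("TXT", "v=spf1 ip4:192.0.2.40 -all")],        # Solution 1: no parent fallback
}
QUAL = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def lookup_txt(name, zone=ZONE, depth=0):
    """TXT strings for name: follow CNAMEs, apply the DNS wildcard rule, never climb to the parent."""
    name = name.rstrip(".") + "."
    if depth > 8:
        return []                                   # CNAME loop guard
    if name in zone:
        target = next((v for t, v in zone[name] if t == "CNAME"), None)
        if target:                                  # CNAME owns the node: the answer is the target's
            return lookup_txt(target, zone, depth + 1)
        return [v for t, v in zone[name] if t == "TXT"]   # name exists, so the wildcard does NOT apply
    parent = name.split(".", 1)[1]                  # name absent: only a wildcard one label up can answer
    return [v for t, v in zone.get("*." + parent, []) if t == "TXT"]

def spf_result(domain, ip, zone=ZONE, depth=0):
    """Minimal SPF check (ip4, include, all) for mail claiming to be from domain, sent from ip."""
    records = [t for t in lookup_txt(domain, zone) if t.startswith("v=spf1 ")]
    if not records:
        return "none"                               # no record: no policy, and not the parent's either
    if len(records) > 1 or depth > 10:
        return "permerror"
    for term in records[0].split()[1:]:
        qual, mech = (term[0], term[1:]) if term[0] in QUAL else ("+", term)
        if mech == "all":
            return QUAL[qual]
        if mech.startswith("ip4:") and ip_address(ip) in ip_network(mech[4:], strict=False):
            return QUAL[qual]
        if mech.startswith("include:") and spf_result(mech[8:], ip, zone, depth + 1) == "pass":
            return QUAL[qual]
    return "neutral"                                # no mechanism matched

if __name__ == "__main__":                          # constructed senders, one per rule above
    for d, ip in [("mailfrom.example.com", "192.0.2.10"), ("sub.example.com", "192.0.2.20"),
                  ("random.example.com", "192.0.2.10"), ("www.example.com", "192.0.2.30"),
                  ("pielovers.demon.co.uk", "192.0.2.40")]:
        print(f"{d:24s} {ip:12s} -> {spf_result(d, ip)}")
```

Note that www.example.com yields "none" even though a wildcard exists in the zone, which is exactly the gap Solution 5 points out, and pielovers.demon.co.uk yields "none" rather than inheriting demon.co.uk's policy.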