How to create SPF records for my subdomains pointing to services hosted on Azure

wertyq

12/25/22, 2:48 AM

I have a webapp running on Azure and use Google Domains for the domain name (mywebapp.com) and DNS. Azure automatically generates URLs for different resources/services (e.g: https://black-cat-12345.azurestaticapps.net, https://my-webapp-api.azurewebsites.net) and I use CNAMEs to create subdomains:

mywebapp.com  A  3600  {Google IP}
mywebapp.com  MX  3600 {Google mail servers}
mywebapp.com  SPF  "v=spf1 include:_spf.google.com ~all"

login.mywebapp.com  CNAME  3600  black-cat-12345.azurestaticapps.net
api.mywebapp.com  CNAME  3600  my-webapp-api.azurewebsites.net
etc

I've been told to strongly consider adding SPF records for the subdomains to prevent mail spoofing and phishing emails, but according to Adding both CNAME and TXT DNS records for one subdomain I can't have SPF records while using CNAMEs. I'm at a loss on how to achieve this.

If I never send mail from the subdomains, and don't have MX records, are SPF records necessary?

If I should add SPF records, is the only way to achieve this by changing from CNAMEs to A records? I can't use the underlying IP of the Azure resource/service (e.g: my-webapp-api.azurewebsites.net -> 52.175.36.249) so I'm open to ideas.

300

2 + 0

domain-name-system

spf

cname-record

subdomain

azure

Score:0

Server

Lutz Willek

12/25/22, 6:45 AM

Azure Web App supports custom domain, but not in case you are using the free (F1) tier. Instead using an DNS alias (aka CNAME), the right approach is probably to use another pricing tier and to configure your custom domain.

Some documentation on it:

0 + 0

Score:0

Server

AutoGnome

12/25/22, 11:22 AM

If your domain is not sending email, SPF records are not necessary.

There are ways to help combat spam from your sub-domains/hostnames by using an SPF record for every hostname you create with the value v=spf1 -all (aka null SPF record), but this is not practical in a lot of applications.

If you have subdomains with MX records then you need SPF records for them, otherwise create the null SPF record when practical.

0 + 1

Lutz Willek

12/31/22, 10:48 AM

I think the following should be rephrased, because SPF is not meant for those MTA who sent mail but for those who receive email: `If your domain is not sending email, SPF records are not necessary` As addition: subdomains can be tackled automated using `include` statement which points to the main domain - this simplifies handling.

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: How to create SPF records for my subdomains pointing to services hosted on Azure

TH: วิธีสร้างระเบียน SPF สำหรับโดเมนย่อยที่ชี้ไปยังบริการที่โฮสต์บน Azure

RO: Cum să creez înregistrări SPF pentru subdomeniile mele care indică către servicii găzduite pe Azure

RU: Как создать записи SPF для моих субдоменов, указывающих на службы, размещенные в Azure

VI: Cách tạo bản ghi SPF cho tên miền phụ của tôi trỏ đến các dịch vụ được lưu trữ trên Azure

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.