SPF-record for domain vs. sub-domain

cn flag

For historical reasons my e-mail address uses a subdomain: [email protected].

My sending (and receiving) servers are completely different from those of the top-level example.com itself. Recently, the top-level domain added an SPF-record and now GMail, for example, rejects my e-mails -- because my sending IP-address is not listed in the SPF-record.

Are Google mistaken -- rejecting e-mails from a subdomain on account of the top-level domain's SPF-record, or are they right -- and the SPF-record for a domain must really list servers for all subdomains too?

us flag

An SPF record applies to the domain name it is installed at – independently of any subdomains.

So, for your email address [email protected], the only SPF record that is relevant is the TXT record at foo.example.com.

Generally, I find that Gmail evaluates SPF correctly. From your question it is not entirely clear to me what is going on in your case.

cn flag
My subdomain has no SPF-records at all. GMail's rejection message states: `SPF check for [foo.example.com] does not pass with ip: [my.send.ing.ip].`
us flag
It is of course difficult to give advice without seeing the actual domain. I will once again advertise my tool [spftrace](https://crates.io/crates/spftrace) that can help you understand exactly what is going on when evaluating an IP address for your domain foo.example.com.
cn flag
Your tool prints: `foo.example.com\nno SPF record found\nnone` -- I think this indicates, just as I'd expect, that SPF should not weigh in on the decision whether to accept the e-mail. But GMail seems to think differently -- perhaps they do want the sub-domain to have an SPF-record too. Is such a want really valid, though -- what do the relevant RFC(s) say?
us flag
Generally, a [*none* result](https://www.rfc-editor.org/rfc/rfc7208#section-8.1) should not put the sender at a disadvantage. But Google is Google, and they can decide that ‘unknown’ senders or senders with some sort of negative indicators must have an SPF record that authorises that sender. It’s a policy thing, and it’s up to them.
Reinto, es flag
In the light of DMARC, the failure to pass SPF is very relevant, though. If you read the message carefully, Google states SPF check does not pass (in absence of a record). If the organizational domain (example.com) has published a (restrictive) DMARC policy, it certainly would justify junking the emails. More so, these days ESPs check emails as if a DMARC policy was in place, when no record is found, because SPF alone does not authenticate the FROM address.
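The two points made in this thread, that SPF is evaluated only against the exact MAIL FROM domain (no fallback to the parent) and that a DMARC policy at the organizational domain still turns an SPF *none* on the subdomain into a rejection, can be shown with a small evaluator. This is an added example, not code from the thread or from spftrace; the DNS zone, IP addresses and the assumption that the message carries no DKIM signature are all constructed for illustration.

```python
import ipaddress

# Constructed DNS zone for illustration only; these are not real records.
ZONE = {
    "example.com": ["v=spf1 ip4:192.0.2.10 -all"],   # parent publishes SPF
    "foo.example.com": [],                            # subdomain publishes nothing
    "_dmarc.example.com": ["v=DMARC1; p=reject; aspf=r"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_record(domain):
    """Return the domain's own v=spf1 TXT record, or None. SPF never looks
    at a parent domain's record (RFC 7208 section 4.5)."""
    recs = [r for r in ZONE.get(domain, []) if r.lower().startswith("v=spf1")]
    return recs[0] if len(recs) == 1 else None

def check_host(ip, domain):
    """Minimal check_host(): handles ip4/ip6 mechanisms and 'all' only."""
    record = spf_record(domain)
    if record is None:
        return "none"        # RFC 7208 section 8.1: no record, no opinion
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qual = term[0] if term[0] in QUALIFIERS else "+"
        mech = term.lstrip("+-~?")
        if mech == "all":
            return QUALIFIERS[qual]
        kind, _, value = mech.partition(":")
        if kind in ("ip4", "ip6") and addr in ipaddress.ip_network(value, strict=False):
            return QUALIFIERS[qual]
    return "neutral"         # fell off the end with no 'all'

def dmarc_verdict(ip, mail_from_domain, header_from_domain, org_domain):
    """DMARC with relaxed SPF alignment and no DKIM signature (assumption):
    only an SPF *pass* on MAIL FROM can satisfy the organizational policy."""
    policy = ZONE.get("_dmarc." + org_domain, [])
    if not policy:
        return "no policy"
    tags = dict(t.strip().split("=", 1) for t in policy[0].split(";") if "=" in t)
    in_org = lambda d: d == org_domain or d.endswith("." + org_domain)
    if (check_host(ip, mail_from_domain) == "pass"
            and in_org(mail_from_domain) and in_org(header_from_domain)):
        return "pass"
    return tags.get("p", "none")   # policy the receiver applies: none/quarantine/reject
```

With the constructed zone, the subdomain sender gets SPF `none` (never `fail`), but the parent's `p=reject` DMARC policy still yields `reject` because nothing authenticated the From: domain.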