SPF Records for Subdomains: Do You Need Them?
Learn when subdomains need their own SPF records, how subdomain SPF inheritance works, and how to use subdomains to solve the 10 DNS lookup limit.
Here's the misconception that trips up most people: they assume subdomains inherit the parent domain's SPF record. They don't. If you have a perfect SPF record on example.com, your mail.example.com subdomain has no SPF protection at all -- unless you create a separate record for it.
This matters because attackers know it too. Unprotected subdomains are a common spoofing target. And if you're sending email from subdomains (transactional, marketing, support), those messages are flying without SPF authentication.
Subdomains Do Not Inherit SPF
This is the single most important thing to understand. The SPF specification (RFC 7208) is explicit: SPF records are evaluated per-domain. When a receiving server checks SPF for mail.example.com, it queries the DNS TXT records for mail.example.com -- not example.com.
If mail.example.com doesn't have its own SPF record, the SPF check returns none. That's the same result as having no SPF at all.
SPF records do not cascade from parent domains to subdomains. Each subdomain that sends email needs its own SPF TXT record. This is not optional -- it's how the protocol works.
This is different from DMARC, where subdomains can inherit the parent domain's policy (unless overridden with sp=). SPF has no inheritance mechanism whatsoever.
When You Need a Subdomain SPF Record
Not every subdomain needs an SPF record, but many do. Here's how to decide.
| Scenario | Needs SPF? | Recommendation |
|---|---|---|
| Subdomain sends transactional email (mail.example.com) | Yes | Create SPF record authorizing your transactional provider |
| Subdomain sends marketing email (marketing.example.com) | Yes | Create SPF record authorizing your marketing platform |
| Subdomain runs a helpdesk that sends email (support.example.com) | Yes | Create SPF record authorizing your helpdesk provider |
| Subdomain is a website only (www.example.com) | Recommended | Publish v=spf1 -all to prevent spoofing |
| Subdomain hosts an API (api.example.com) | Recommended | Publish v=spf1 -all to prevent spoofing |
| Subdomain doesn't exist yet | No | No record needed until the subdomain is active |
The pattern is straightforward: if a subdomain sends email, it needs an SPF record authorizing the senders. If it doesn't send email, publish a null record to block spoofing.
The Null SPF Record
For subdomains that should never send email, publish this record:
v=spf1 -all
This tells every receiving server that no IP address is authorized to send email from this subdomain. Any message claiming to come from www.example.com or api.example.com will fail SPF.
It takes 30 seconds to add and closes a gap that attackers actively exploit. Subdomains like www, cdn, static, api, dev, and staging should all have null SPF records if they don't send email.
Protect all your subdomains
Run through your DNS zone and identify every subdomain. For each one that doesn't send email, add v=spf1 -all. This is one of the easiest security wins available.
Using Subdomains to Solve the 10-Lookup Limit
This is where subdomains become a powerful architectural tool. The SPF 10 DNS lookup limit applies per-domain. If your root domain is running out of lookup budget because you have too many sending services, splitting those services across subdomains gives each one its own budget of 10 lookups.
Before: Everything on the Root Domain
example.com: v=spf1 include:_spf.google.com include:sendgrid.net include:servers.mcsv.net include:mail.zendesk.com include:_spf.salesforce.com -all
This record is already at 8-10 lookups when you count nested includes. Adding one more service pushes you over the limit.
After: Split by Function
example.com: v=spf1 include:_spf.google.com -all
mail.example.com: v=spf1 include:sendgrid.net -all
marketing.example.com: v=spf1 include:servers.mcsv.net -all
support.example.com: v=spf1 include:mail.zendesk.com -all
crm.example.com: v=spf1 include:_spf.salesforce.com -all
Each subdomain uses 1-4 lookups. None is anywhere near the limit. And you can add more services to any subdomain without affecting the others.
Monitor SPF across all your subdomains
Track SPF, DKIM, DMARC, and MX records for your domain and subdomains. Get alerted when something breaks.
Setting Up SPF for a Subdomain: Step by Step
Let's walk through setting up SPF for transactional email on a subdomain. In this example, you're moving SendGrid from your root domain to mail.example.com.
Choose your subdomain
Pick a subdomain that describes the function: mail.example.com for transactional, marketing.example.com for campaigns, notifications.example.com for automated alerts. Keep it descriptive.
Create the subdomain DNS record
Add an A record or CNAME for the subdomain if it doesn't already exist. Your email provider may also require specific CNAME records for tracking and authentication.
Add the SPF TXT record on the subdomain
Create a TXT record on mail.example.com (not example.com) with the provider's SPF include. For SendGrid: v=spf1 include:sendgrid.net -all
Configure your provider to send from the subdomain
In SendGrid (or your provider), update the sending domain to mail.example.com. The provider will validate domain ownership and DNS setup.
Set up DKIM for the subdomain
Each subdomain also needs its own DKIM signing. Your provider will give you CNAME records to add for DKIM authentication on the subdomain.
Remove the include from your root domain
Once the subdomain is working, remove include:sendgrid.net from your root domain's SPF record. This frees up lookups on your root domain.
Verify with a lookup tool
Use SPF Record Check to verify both records -- your updated root domain and the new subdomain record.
Example Records: Multi-Subdomain Setup
Here's a realistic setup for a company using Google Workspace for corporate email, SendGrid for transactional, and Mailchimp for marketing.
Root Domain: Google Workspace
example.com TXT "v=spf1 include:_spf.google.com -all"
This handles employee email. Google Workspace is the only service sending from @example.com.
Transactional Subdomain: SendGrid
mail.example.com TXT "v=spf1 include:sendgrid.net -all"
Order confirmations, password resets, and system notifications go through SendGrid using noreply@mail.example.com.
Marketing Subdomain: Mailchimp
marketing.example.com TXT "v=spf1 include:servers.mcsv.net -all"
Newsletters and campaigns send from news@marketing.example.com.
Non-Sending Subdomains: Null Records
www.example.com TXT "v=spf1 -all"
api.example.com TXT "v=spf1 -all"
staging.example.com TXT "v=spf1 -all"
These subdomains don't send email. The null record blocks spoofing attempts.
Each of these records uses only a handful of DNS lookups. The root domain uses 3-4 (Google), SendGrid uses 1, Mailchimp uses 1-2. Compare that to cramming everything into the root domain, which would use 6-8 lookups total and leave no room for growth.
DMARC Alignment With Subdomains
When you move email to subdomains, DMARC alignment becomes important. DMARC checks whether the domain in the From header aligns with the domain that passed SPF or DKIM. There are two alignment modes.
Relaxed Alignment (aspf=r)
This is the default. With relaxed alignment, SPF passes DMARC alignment if the SPF-authenticated domain and the From domain share the same organizational domain.
- Email from
noreply@mail.example.comwith SPF passing formail.example.comaligns with aFromheader ofuser@example.com. The organizational domain isexample.comin both cases.
This is the mode most domains use, and it works well with subdomain-based sending.
Strict Alignment (aspf=s)
With strict alignment, the SPF domain must exactly match the From header domain.
- Email from
mail.example.comdoes not align withFrom: user@example.comunder strict mode. - Email from
mail.example.comonly aligns withFrom: noreply@mail.example.com.
| Alignment Mode | SPF Domain | From Header | DMARC Result |
|---|---|---|---|
| Relaxed (aspf=r) | mail.example.com | user@example.com | Pass |
| Relaxed (aspf=r) | marketing.example.com | news@example.com | Pass |
| Strict (aspf=s) | mail.example.com | user@example.com | Fail |
| Strict (aspf=s) | mail.example.com | noreply@mail.example.com | Pass |
If you're using subdomains with relaxed DMARC alignment, messages sent from subdomains will align with your root domain's From address. If you're using strict alignment, the From address must match the subdomain.
Most organizations should use relaxed alignment (the default) when implementing subdomain-based sending. Check your DMARC record to confirm. If aspf=s is set, you'll need to update your From addresses to match each subdomain, or switch to relaxed alignment.
Common Mistakes With Subdomain SPF
Assuming Inheritance
The biggest mistake. You set up v=spf1 include:_spf.google.com include:sendgrid.net -all on example.com and assume mail.example.com is covered. It isn't. Every subdomain that sends email needs its own record.
Forgetting to Protect Non-Sending Subdomains
If blog.example.com exists but doesn't send email, an attacker can spoof ceo@blog.example.com. Without an SPF record on the subdomain, there's nothing to stop it. Add v=spf1 -all to every non-sending subdomain.
Not Setting Up DKIM on Subdomains
SPF on the subdomain is only half the picture. Each subdomain also needs DKIM configured, and your DMARC policy needs to cover subdomain behavior. The three protocols work together -- setting up one without the others leaves gaps.
Using the Wrong DNS Level
When adding an SPF record for mail.example.com, make sure you're creating the TXT record on mail.example.com, not adding a record named mail to a different zone. Check your DNS provider's interface carefully.
When to Use Subdomains vs. Keep Everything on the Root
Use subdomains when you have 4+ sending services
If your root domain's SPF record is approaching the 10-lookup limit, subdomains are the cleanest solution. Each gets its own budget.
Use subdomains for clear separation of email streams
Transactional, marketing, and corporate email have different deliverability profiles. Separating them by subdomain lets you manage reputation independently.
Keep the root domain when you have 1-3 services
If you only use Google Workspace and one other sender, a single SPF record on the root domain is simpler and works fine.
Keep the root domain when simplicity matters most
Subdomains add DNS management overhead. If your team is small and your email setup is simple, one record is easier to maintain.
Related Articles
Monitor Your New SPF Record
You've created your SPF record — now make sure it keeps working. The Email Deliverability Suite watches your SPF, DKIM, DMARC, and MX records daily and alerts you when something breaks.
Never miss an SPF issue
Monitor your SPF, DKIM, DMARC and MX records daily. Get alerts when something breaks.
Start Monitoring