For historical reasons my e-mail address uses a subdomain: me@foo.example.com.

My sending (and receiving) servers are completely different from those of the top-level example.com itself. Recently, the top-level domain added an SPF-record and now GMail, for example, rejects my e-mails -- because my sending IP-address is not listed in the SPF-record.

Are Google mistaken -- rejecting e-mails from a subdomain on account of the top-level domain's SPF-record, or are they right -- and the SPF-record for a domain must really list servers for all subdomains too?

Mikhail T.

1 Answer

An SPF record applies to the domain name it is installed at – independently from any subdomains.

So, for your email address me@foo.example.com, the only SPF record that is relevant is the TXT record at foo.example.com.

Generally, I find that Gmail evaluates SPF correctly. From your question it is not entirely clear to me what is going on in your case.

glts
  • My subdomain has no SPF-records at all. GMail's rejection message states: `SPF check for [foo.example.com] does not pass with ip: [my.send.ing.ip].` – Mikhail T. Mar 14 '23 at 16:18
  • It is of course difficult to give advice without seeing the actual domain. I will once again advertise my tool [spftrace](https://crates.io/crates/spftrace) that can help you understand exactly what is going on when evaluating an IP address for your domain foo.example.com. – glts Mar 14 '23 at 16:20
  • Your tool prints: `foo.example.com\nno SPF record found\nnone` -- I think, this indicates, just as I'd expect, that SPF should not weigh in on the decision whether to accept the e-mail. But GMail seems to think differently -- perhaps, they do want the sub-domain to have an SPF-record too. Is such a want really valid, though -- what do the relevant RFC(s) say? – Mikhail T. Mar 14 '23 at 16:27
  • Generally, a [*none* result](https://www.rfc-editor.org/rfc/rfc7208#section-8.1) should not put the sender at a disadvantage. But Google is Google, and they can decide that ‘unknown’ senders or senders with some sort of negative indicators must have an SPF record that authorises that sender. It’s a policy thing, and it’s up to them. – glts Mar 14 '23 at 16:49
  • In the light of DMARC, the failure to pass SPF is very relevant, though. If you read the message carefully, Google states SPF check does not pass (in absence of a record). If the organizational domain (example.com) has published a (restrictive) DMARC policy, it certainly would justify junking the emails. More so, these days ESPs check emails as if a DMARC policy was in place, when no record is found, because SPF alone does not authenticate the FROM address. – Reinto Mar 17 '23 at 13:31
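To make the point of the answer concrete, here is a minimal SPF evaluator (added example, not code from the question, the answer, or the spftrace tool) that looks up the record only at the exact domain of the sender address, as RFC 7208 requires. The `ZONE` table is a constructed stand-in for DNS TXT lookups; only `ip4`, `include` and `all` terms are implemented.

```python
import ipaddress

# Constructed zone data standing in for DNS TXT lookups (not real records).
# example.com publishes SPF, the subdomain foo.example.com publishes nothing.
ZONE = {
    "example.com": ["v=spf1 ip4:192.0.2.0/24 -all"],
    "foo.example.com": [],
    "bar.example.com": ["v=spf1 ip4:198.51.100.0/24 include:example.com -all"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain):
    """Return the v=spf1 TXT records published at exactly `domain`.

    RFC 7208 never walks up to a parent domain: a record at example.com
    says nothing about mail from me@foo.example.com.
    """
    return [r for r in ZONE.get(domain, [])
            if r.lower() == "v=spf1" or r.lower().startswith("v=spf1 ")]


def check_host(ip, domain, depth=0):
    """Minimal RFC 7208 check_host(): evaluates ip4, include and all."""
    records = lookup_spf(domain)
    if not records:
        return "none"          # no record at this name: SPF has no opinion
    if len(records) > 1:
        return "permerror"     # more than one v=spf1 record is an error
    addr = ipaddress.ip_address(ip)
    for term in records[0].split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qual]
        name, _, arg = term.partition(":")
        if name == "ip4" and addr in ipaddress.ip_network(arg, strict=False):
            return QUALIFIERS[qual]
        if name == "include":
            if depth >= 10:
                return "permerror"   # RFC 7208 limit on DNS-querying terms
            if check_host(ip, arg, depth + 1) == "pass":
                return QUALIFIERS[qual]
    return "neutral"   # record exhausted without an explicit all


if __name__ == "__main__":
    for dom in ("foo.example.com", "example.com", "bar.example.com"):
        print(dom, check_host("203.0.113.5", dom))
```

Run stand-alone it reports `none` for foo.example.com and `fail` for the two domains that publish a record, which is why a receiver that treats `none` as a failure (or applies the organizational domain's DMARC policy) needs a record at the subdomain itself.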