For historical reasons my e-mail address uses a subdomain: [email protected].

My sending (and receiving) servers are completely different from those of the top-level example.com itself. Recently, the top-level domain added an SPF-record and now GMail, for example, rejects my e-mails -- because my sending IP-address is not listed in the SPF-record.

Are Google mistaken -- rejecting e-mails from a subdomain on account of the top-level domain's SPF-record, or are they right -- and the SPF-record for a domain must really list servers for all subdomains too?

1 Answer

An SPF record applies to the domain name it is installed at – independently from any subdomains.

So, for your email address [email protected], the only SPF record that is relevant is the TXT record at foo.example.com.

Generally, I find that Gmail evaluates SPF correctly. From your question it is not entirely clear to me what is going on in your case.

  • My subdomain has no SPF-records at all. GMail's rejection message states: SPF check for [foo.example.com] does not pass with ip: [my.send.ing.ip].
    – Mikhail T.
    Commented Mar 14, 2023 at 16:18
  • It is of course difficult to give advice without seeing the actual domain. I will once again advertise my tool spftrace that can help you understand exactly what is going on when evaluating an IP address for your domain foo.example.com.
    – glts
    Commented Mar 14, 2023 at 16:20
  • Your tool prints: foo.example.com\nno SPF record found\nnone -- I think, this indicates, just as I'd expect, that SPF should not weigh in on the decision whether to accept the e-mail. But GMail seems to think differently -- perhaps, they do want the sub-domain to have an SPF-record too. Is such a want really valid, though -- what do the relevant RFC(s) say?
    – Mikhail T.
    Commented Mar 14, 2023 at 16:27
  • Generally, a none result should not put the sender at a disadvantage. But Google is Google, and they can decide that ‘unknown’ senders or senders with some sort of negative indicators must have an SPF record that authorises that sender. It’s a policy thing, and it’s up to them.
    – glts
    Commented Mar 14, 2023 at 16:49
  • In the light of DMARC, the failure to pass SPF is very relevant, though. If you read the message carefully, Google states SPF check does not pass (in absence of a record). If the organizational domain (example.com) has published a (restrictive) DMARC policy, it certainly would justify junking the emails. More so, these days ESPs check emails as if a DMARC policy was in place, when no record is found, because SPF alone does not authenticate the FROM address.
    – Reinto
    Commented Mar 17, 2023 at 13:31
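
Added example, not part of the answer or comments above: a sketch of the two lookups the thread contrasts, SPF record selection at the exact name (RFC 7208) and DMARC policy discovery with fallback to the organizational domain (RFC 7489). The zone contents, the DMARC record and the two-label `org_domain` shortcut are assumptions constructed for illustration; real receivers query DNS and use the Public Suffix List.

```python
# Constructed TXT data, not real DNS: the parent publishes SPF and DMARC,
# the subdomain publishes nothing, as in the question.
ZONE = {
    "example.com": ["v=spf1 ip4:192.0.2.10 -all"],
    "_dmarc.example.com": ["v=DMARC1; p=reject; sp=quarantine"],
}

def txt(name, zone):
    """Return the TXT strings stored at exactly this name."""
    return zone.get(name.lower().rstrip("."), [])

def spf_record(domain, zone):
    """RFC 7208 record selection: only the exact name is queried, parents never."""
    recs = [r for r in txt(domain, zone)
            if r.lower() == "v=spf1" or r.lower().startswith("v=spf1 ")]
    if not recs:
        return ("none", None)
    if len(recs) > 1:
        return ("permerror", None)
    return ("found", recs[0])

def org_domain(domain):
    """Assumption: last two labels. Real receivers use the Public Suffix List."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def dmarc_policy(from_domain, zone):
    """RFC 7489 policy discovery: _dmarc.<From domain>, then _dmarc.<org domain>."""
    from_domain = from_domain.lower().rstrip(".")
    for name in dict.fromkeys([from_domain, org_domain(from_domain)]):
        recs = [r for r in txt("_dmarc." + name, zone) if r.startswith("v=DMARC1")]
        if len(recs) != 1:
            continue
        tags = {}
        for part in recs[0].split(";"):
            key, sep, value = part.partition("=")
            if sep:
                tags[key.strip().lower()] = value.strip()
        # A record found at the org domain covers a subdomain via sp=, else p=.
        if name != from_domain and "sp" in tags:
            return (name, tags["sp"])
        return (name, tags.get("p"))
    return (None, None)

if __name__ == "__main__":
    print(spf_record("foo.example.com", ZONE))    # SPF does not inherit
    print(dmarc_policy("foo.example.com", ZONE))  # DMARC does fall back
```

With this constructed zone, the subdomain gets SPF "none" while still being covered by the parent's DMARC record, which is the distinction the last comment draws.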
