Do SPF Records For Primary Domain apply to subdomains?
Solution 1:
You need to have separate SPF records for each subdomain you wish to send mail from.
The following was originally posted on openspf.org, which used to be a great resource for this kind of thing.
The Demon Question: What about subdomains?
If I get mail from pielovers.demon.co.uk, and there's no SPF data for pielovers, should I go back one level and test SPF for demon.co.uk? No. Each subdomain at Demon is a different customer, and each customer might have their own policy. It wouldn't make sense for Demon's policy to apply to all its customers by default; if Demon wants to do that, it can set up SPF records for each subdomain.
So the advice to SPF publishers is this: you should add an SPF record for each subdomain or hostname that has an A or MX record.
Sites with wildcard A or MX records should also have a wildcard SPF record, of the form: * IN TXT "v=spf1 -all"
This makes sense - a subdomain may very well be in a different geographical location and have a very different SPF definition.
The 'include:' directive for SPF may be used to provide all subdomains with the same entries. For example, on the SPF record for subdomain mailfrom.example.com enter 'include:example.com'. In this fashion whenever you update the definition for example.com your subdomains will automatically pick up the updated values.
Solution 2:
In addition to the other answers, if a subdomain is created as a CNAME record, the SPF record is the one for the domain it points to, e.g. sub.domain.com is a CNAME of otherdomain.com, the SPF a mailserver will get when it looks up [email protected] is in the DNS record for otherdomain.com.
This is the same in practice if the CNAME record says sub.domain.com => othersub.domain.com, so your TXT record would need to be othersub, not sub. This is in contrast to DKIM, which needs a separate TXT record for the public key, even if your subdomain is a CNAME.
Solution 3:
But note, as it says in the FAQ referenced in the accepted answer, that you can have wildcard SPFs for a domain for wildcard A or MX records. I have wildcard MX domains, and this works for me:
*.mydomain.org. 3600 IN TXT "v=spf1 ip4:IPADDR -all"
with IPADDR replaced with your IP address/range.
Solution 4:
No, but you can short-circuit them with the include:maindomain.invalid directive.
Solution 5:
*.mydomain.org. 3600 IN TXT "v=spf1 ip4:IPADDR -all"
as written above does not work if the spammer uses a subdomain that is already in dDNS. For example www.domain.com A A records foresides the wildcard in that case.