If I don’t want subdomains to send out email, do I need SPF records for them?

spf subdomain

I have a main domain with a (now) valid SPF record, but we also programmatically create lots and lots of subdomains for clients via the cPanel PHP XML API. These subdomains are not intended to send any mail.

When we create them, they are getting an A record of my IP, and a TXT record of "v=spf1 +a +mx +ip4:[MY IP] ?all". Those are all the DNS records they have.

Recently we have had a lot of email spoofing and realized there was an invalid (duplicate) SPF record for our main domain. We just fixed that, but are unsure if:

1) Can spammers still spoof email from subdomains without MX records, with the SPF currently listed above?

2) Is it better to have no SPF for subdomains than the one I have listed?

3) Is there a way to prevent subdomains from sending/spoofing email via my main domain's SPF?

Here is the main domain SPF that our host suggested we switch to:
"v=spf1 a mx ptr a:dedrelay.[webhost].com include:dedrelay.[webhost].com ~all"

Best Answer

Subdomains are not affected by the main domain's SPF record. If you have a bunch of subdomains that you know will never send mail, the best thing to do is to define an SPF record of -all for each of them. That way, the internet can also know that you intend them never to send email.

Edit: if there is no SPF record in place for a subdomain, recipients who check SPF will see no SPF-related reason to block it.

Yes, SPF will do nothing to prevent someone accepting mail from a subdomain without an MX record. They might choose not to, but as long as it resolves - and sometimes even if it doesn't - they might choose to. That is not an SPF issue.

Your current SPF record will do nothing to prevent spoofing on your subdomains, because as I said, subdomains are not affected by the main domain's SPF record.

I'm sorry this will be a lot of work for you, but if you want to use SPF to advise recipients to reject emails from these subdomains, you will need to define SPF records for them. That's how the protocol works.
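An audit for the situation discussed above, as an added example that is not part of the original question or answer: it checks each non-sending subdomain's TXT records and emits the `v=spf1 -all` zone line wherever the record is missing, duplicated, or permissive (such as the `?all` record in the question). The host names, the address 192.0.2.10 and the function names are constructed for illustration.

```python
# Added example: audit TXT records of non-sending subdomains for an SPF lockdown.
NULL_SPF = "v=spf1 -all"  # the "this host never sends mail" record from the answer

def spf_records(txt_records):
    """Return the TXT strings that are SPF records (first term is 'v=spf1')."""
    out = []
    for txt in txt_records:
        terms = txt.strip().strip('"').split()
        if terms and terms[0].lower() == "v=spf1":
            out.append(" ".join(terms))
    return out

def classify(txt_records):
    """Classify the SPF posture of a host that should never send mail."""
    spf = spf_records(txt_records)
    if not spf:
        return "missing"      # receivers get SPF result "none"
    if len(spf) > 1:
        return "duplicate"    # more than one SPF record yields "permerror"
    if spf[0].lower().split()[1:] == ["-all"]:
        return "locked"       # exactly "v=spf1 -all"
    return "permissive"       # authorizes senders or ends in ?all / ~all / +all

def zone_line(host):
    """BIND-style TXT line that publishes the lockdown record for host."""
    return f'{host}. IN TXT "{NULL_SPF}"'

def audit(zone):
    """Map host -> (status, replacement zone line or None if already locked)."""
    report = {}
    for host, txts in zone.items():
        status = classify(txts)
        report[host] = (status, None if status == "locked" else zone_line(host))
    return report

# Constructed sample data: host -> TXT strings as a resolver would return them.
SAMPLE = {
    "client1.example.com": ['"v=spf1 +a +mx +ip4:192.0.2.10 ?all"'],
    "client2.example.com": [],
    "client3.example.com": ['"v=spf1 -all"'],
    "client4.example.com": ['"v=spf1 a ~all"', '"v=spf1 -all"'],
    "client5.example.com": ['"site-verification=constructed-value"'],
}

if __name__ == "__main__":
    for host, (status, fix) in audit(SAMPLE).items():
        print(f"{host:22} {status:11} {fix or ''}")
```

For a "duplicate" host, the emitted line is meant to replace all existing SPF TXT records, not to be added alongside them.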