You need to have separate SPF records for each subdomain you wish to send mail from.
The following was originally posted on openspf.org, which used to be a great resource for this kind of thing.
Latest link http://www.open-spf.org/FAQ/The_demon_question/
The Demon Question: What about subdomains?
If I get mail from
pielovers.demon.co.uk, and there's no SPF data for pielovers, should I
go back one level and test SPF for demon.co.uk? No. Each subdomain at
Demon is a different customer, and each customer might have their own
policy. It wouldn't make sense for Demon's policy to apply to all its
customers by default; if Demon wants to do that, it can set up SPF
records for each subdomain.
So the advice to SPF publishers is this: you should add an SPF record
for each subdomain or hostname that has an A or MX record.
Sites with wildcard A or MX records should also have a wildcard SPF
record, of the form: * IN TXT "v=spf1 -all"
This makes sense - a subdomain may very well be in a different geographical location and have a very different SPF definition.
The 'include:' directive for SPF may be used to provide all subdomains with the same entries. For example, on the SPF record for subdomain mailfrom.example.com enter 'include:example.com'. In this fashion whenever you update the definition for example.com your subdomains will automatically pick up the updated values.
SPF records detail which servers are allowed to send mail for your domain.
Questions 1-3 really summarise the whole point of SPF: You're supposed to be listing the addresses of all the servers that are authorised to send mail coming from your domain.
If you don't have an exhaustive list at this time, it's generally not a good idea to set up an SPF record. Also a domain can only have one SPF record, so you'll need to combine all the information into a single record.
The individual questions really just help break the list down for you.
- asks you for other domains whose mail servers may relay mail from you; if you have eg a secondary MX server at mail-relay.example.org, and that is the main mail server (MX record) for the domain
example.org, then you should enter mx:example.org. Your SPF record should include your own domain's MX record under nearly all circumstances (mx).
- asks you for your ip netblocks. If you have colocated servers at 1.2.3.0/28, and your office address space is 6.7.8.0/22, enter
ip4:1.2.3.0/28 ip4:6.7.8.0/22. IPv6 space should be added as eg ip6:2a01:9900:0:4::/64.
- if (eg) you also have a machine off in someone else's office that has to be allowed to send mail from your domain, enter that as well, with eg
a:mail.remote.example.com.
Your mobile phone users are problematic. If they send email by connecting to your mail server using eg SMTP AUTH, and sending through that server, then you've dealt with them by listing the mail server's address in (2). If they send email by just connecting to whatever mail server the 3G/HSDPA provider's offering, then you can't do SPF meaningfully until you have rearchitected your email infrastructure so that you do control every point from which email purporting to be from you hits the internet.
Question 4 is a bit different, and asks what recipients should do with email that claims to be from your domain that doesn't come from one of the systems listed above. There are several legal responses, but the only interesting ones are ~all (soft fail) and -all (hard fail). ?all (no answer) is as useless as ~all (qv), and +all is an abomination.
~all is the simple choice; it tells people that you've listed a bunch of systems who are authorized to send mail from you, but that you're not committing to that list being exhaustive, so mail from your domain coming from other systems might still be legal. I urge you not to do that. Not only does it make SPF completely pointless, but some mail admins on SF deliberately configure their SPF receivers to treat ~all as the badge of a spammer. If you're not going to do -all, don't bother with SPF at all.
-all is the useful choice; it tells people that you've listed the systems that are allowed to send email from you, and that no other system is authorized to do so, so they are OK to reject emails from systems not listed in your SPF record. This is the point of SPF, but you have to be sure that you have listed all the hosts that are authorized to originate or relay mail from you before you activate it.
Google is known to advise that
Publishing an SPF record that uses -all instead of ~all may result in
delivery problems.
well, yes, it may; that is the whole point of SPF. We cannot know for sure why google gives this advice, but I strongly suspect that it's to prevent sysadmins who don't know exactly whence their email originates from causing themselves delivery problems. If you don't know where all your email comes from, don't use SPF. If you're going use SPF, list all the places it comes from, and tell the world you're confident in that list, with -all.
Note that none of this is binding on a recipient's server; the fact that you advertise an SPF record in no way obliges anyone else to honour it. It is up to the admins of any given mail server what email they choose to accept or reject. What I think SPF does do is allow you to disclaim any further responsibility for email that claimed to be from your domain, but wasn't. Any mail admin coming to you complaining that your domain is sending them spam when they haven't bothered to check the SPF record you advertise that would have told them that the email should be rejected can fairly be sent away with a flea in their ear.
Since this answer has been canonicalised, I'd better say a few words about include and redirect. The latter is simpler; if your SPF record, say for example.com, says redirect=example.org, then example.org's SPF record replaces your own. example.org is also substituted for your domain in those look-ups (eg, if example.org's record includes the mx mechanism, the MX lookup should be done on example.org, not on your own domain).
include is widely misunderstood, and as the standard's authors note "the name 'include' was poorly chosen". If your SPF record includes example.org's record, then example.org's record should be examined by a recipient to see if it gives any reason (including +all) to accept your email. If it does, your mail should pass. If it doesn't, the recipient should continue to process your SPF record until landing on your all mechanism. Thus, -all, or indeed any other use of all except +all, in an included record, has no effect on the result of processing.
For more information on SPF records http://www.openspf.org is an excellent resource.
Please don't take this the wrong way, but if you get an SPF record wrong, you can stop a significant fraction of the internet from receiving email from you until you fix it. Your questions suggest you might not be completely au fait with what you're doing, and if that's the case, then you might want to consider getting professional assistance before you do something that stops you sending email to an awful lot of people.
Edit: thank you for your kind words, they're much appreciated.
SPF is primarily a technique to prevent joe-jobbing, but some people seem to have started to use it to try to detect spam. Some of those may indeed attach a negative value to your having no SPF record at all, or an overbroad record (eg a:3.4.5.6/2 a:77.5.6.7/2 a:133.56.67.78/2 a:203.54.32.1/2, which rather sneakily equates to +all), but that's up to them and there's not much you can do about it.
I personally think SPF is a good thing, and you should advertise a record if your current mail structure permits it, but it's very difficult to give an authoritative answer, valid for the entire internet, about how people are using a DNS record designed for a specific purpose, when they decide to use it for a different purpose. All I can say with certainty is that if you do advertise an SPF record with a policy of -all, and you get it wrong, a lot of people will never see your mail.
Edit 2: deleted pursuant to comments, and to keep the answer up-to-date.
Best Answer
Note: There's some opinionated ranting in this. You're free to ignore it :)
Ok, this is email we're talking about, so we should start by saying there is simply no way to guarantee deliverability of a message. SMTP was devised in a quieter, more trusting time. Since then, many people have implemented what they see as the final solution to spam, only to be amazed that it hasn't worked; or that the spammers have figured out how to defeat it; or that it relies on everyone having done it to be effective. (or dozens of other reasons). What we have now is mess of balkanized systems and half-implemented ideas that mean that it's practically impossible to ensure your message will get through.
My opinion is that most of the best practice should be centred around receiving email, rather than sending it. As as sender, it's not your job to ensure it meets whatever random measures the recipient has in place. It's their job to ensure their filtering doesn't block legitimate mail based on assumptions about what a mail message should look like; many of which don't take full account of the interesting ways in which mail can be routed and delivered.
In principal, no. There are many legitimate reasons why an MTA will send mail from addresses that have nothing to do with its own domain. You might come across systems that reject your mail for this reason, but this is not your problem. It doesn't hurt to have your PTR records match your domain and for the HELO announcement to match those, at least at the TLD; but anything that rejects purely because the
From:domain doesn't match the PTR TLD is broken.SPF records are another of these "it sounds right in principal" ideas (See here for another rant on that subject) that has gained a lot of weight. The main problem for me is that a lot of MTAs unfairly punish domains that simply don't publish any SPF at all. Again, this is not your problem.
That said, I've put one in place for our domains, because it's not done to get mardy with customer sysadmins too frequently. It ends up being a political decision, rather than a technical one.
If you're going to use SPF and leave your PTR and HELO as
abc.def.linode.com; then the SPF record for all of yourFrom:domains should list that server as a sender. If you don't have control overfoo.comandbar.comDNS, then you'll have to talk to someone who does.and neither should you have. If you publish SPF at all and the
linode.comseerver isn't listed, then you'll get bounced a lot. However, if you have listed it, or ifexample.comdoesn't publish any SPF records at all, then you should be fine. (I repeat my earlier point that MTAs rejecting mail because there's no SPF published at all are broken and probably bouncing a lot of legitimate mail).