I recently got some advice from a colleague at ncsc.gov.uk about some DNS concerns, and I'm trying to clarify the rules around SPF records for my subdomains. We have several A records registered with GoDaddy, but these subdomains are primarily just redirects (like mail.contoso.com leading to Gmail). NCSC has flagged some of these subdomains for lacking SPF records, and it's also mentioned they don't have MX records since they aren't set up for sending or receiving any email. I'm not fully clear on whether I should take action on these warnings or if it's acceptable to ignore them since they don't actually handle mail. What's the general consensus on this?
5 Answers
I’d recommend setting a wildcard SPF record for your subdomains, like `*.domain.com v=spf1 -all`. This effectively tells receivers that no one is authorized to send mail from these subdomains. You should also have a DMARC policy in place with a strict rejection for any unauthorized mail.
Yes, you’ll want that consistent SPF across your A and AAAA records. Just make sure to include any necessary records like the mta-sts one as well.
Honestly, you can probably ignore the warnings if these subdomains are not supposed to send mail. Even NCSC doesn’t have SPF or MX records for their domain, which is somewhat ironic. Just make sure your main domain is staying compliant.
Technically, you don’t NEED SPF records for subdomains that don’t send emails. If you don’t set anything, your DMARC policy should cover the subdomains as well. But adding a blanket `v=spf1 -all` record can help prevent spoofing if you're concerned about that.
Exactly! SPF is well-established. If mail servers accept mail from a domain without an SPF record, that's on them. No need to go overboard with records for every potential subdomain.
It's usually a good idea to set up SPF and DMARC records, even for subdomains that don't send mail. This way, you're indicating that nothing is authorized to send mail from those subdomains, helping avoid unauthorized use. You can find more info about this [here](https://www.cloudflare.com/learning/dns/dns-records/protect-domains-without-email/).
Just to confirm, we already have SPF and DMARC set up on the primary domain. It's just the subdomains I'm unsure about.
It’s crucial to have a reject DMARC policy that applies to your root domain and subdomains. If a subdomain doesn’t have an SPF or DKIM record, emails sent from it will get rejected, which is what you usually want if that subdomain isn't supposed to send mail.
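As an added example (written for this thread, not code from any poster and not tooling from GoDaddy, NCSC or Cloudflare), the Python below models a small constructed zone and audits each subdomain the way the replies above describe: does a `v=spf1 -all` record apply to it, does it own an MX, and which DMARC policy (the organisational domain's `sp=` tag, falling back to `p=`) governs mail claiming to come from it. It also applies the standard DNS wildcard rule from RFC 4592: a wildcard only synthesises answers for names that do not exist, so a `*.contoso.com` TXT record is never returned for a subdomain that already owns an A record, which is exactly the situation in the question. All hostnames, addresses and record values are constructed.

```python
"""Audit SPF / MX / DMARC coverage for subdomains against an in-memory zone.

Added example for this discussion; the zone is constructed for illustration
and uses the contoso.com example domain from the question.
"""
from __future__ import annotations

# Constructed zone: owner name -> list of (rrtype, rdata).
# mail.contoso.com and www.contoso.com EXIST (they own A records), while
# nothing at all is defined for legacy.contoso.com, so only legacy is
# eligible to receive the wildcard TXT record.
ZONE: dict[str, list[tuple[str, str]]] = {
    "contoso.com": [
        ("A", "203.0.113.10"),
        ("MX", "10 aspmx.l.google.com."),
        ("TXT", "v=spf1 include:_spf.google.com -all"),
    ],
    "_dmarc.contoso.com": [
        ("TXT", "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@contoso.com"),
    ],
    "*.contoso.com": [("TXT", "v=spf1 -all")],
    "mail.contoso.com": [("A", "203.0.113.20")],                 # A only, no SPF
    "www.contoso.com": [("A", "203.0.113.30"), ("TXT", "v=spf1 -all")],
}


def _exists(zone: dict, name: str) -> bool:
    """A name exists if it owns records or is an empty non-terminal
    (some descendant owns records); see RFC 4592 section 2.2."""
    return name in zone or any(owner.endswith("." + name) for owner in zone)


def lookup(zone: dict, name: str, rrtype: str) -> list[str]:
    """Resolve name/rrtype with wildcard semantics per RFC 4592."""
    name = name.rstrip(".").lower()
    if _exists(zone, name):
        # Existing names never get wildcard-synthesised answers, even when
        # they lack the requested type (an A-only host asked for TXT).
        return [rdata for t, rdata in zone.get(name, []) if t == rrtype]
    labels = name.split(".")
    for i in range(1, len(labels)):
        ancestor = ".".join(labels[i:])
        if _exists(zone, ancestor):  # closest encloser: only its wildcard applies
            wild = "*." + ancestor
            return [rdata for t, rdata in zone.get(wild, []) if t == rrtype]
    return []


def parse_tags(record: str) -> dict[str, str]:
    """Split a 'k=v; k=v' DMARC record into a lower-cased tag dict."""
    tags: dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def spf_record(zone: dict, name: str) -> str | None:
    """Return the single SPF TXT record for name, or None.

    More than one v=spf1 record is a permerror under RFC 7208, so it is
    treated as 'no usable record' here.
    """
    spf = [t for t in lookup(zone, name, "TXT") if t.lower().startswith("v=spf1")]
    return spf[0] if len(spf) == 1 else None


def dmarc_policy_for(zone: dict, name: str, org_domain: str) -> str | None:
    """Policy applying to mail from `name` (RFC 7489 section 6.6.3):
    the name's own _dmarc record if present, else the org domain's sp=,
    else the org domain's p=."""
    own = [t for t in lookup(zone, "_dmarc." + name, "TXT") if t.upper().startswith("V=DMARC1")]
    if own:
        return parse_tags(own[0]).get("p")
    org = [t for t in lookup(zone, "_dmarc." + org_domain, "TXT") if t.upper().startswith("V=DMARC1")]
    if not org:
        return None
    tags = parse_tags(org[0])
    return tags.get("sp", tags.get("p"))


def audit(zone: dict, name: str, org_domain: str) -> dict:
    """Summarise whether `name` is locked down for mail."""
    spf = spf_record(zone, name)
    return {
        "spf": spf,
        # A 'null' SPF is exactly "v=spf1 -all": nothing may send as this name.
        "spf_null": spf is not None and [t.lower() for t in spf.split()] == ["v=spf1", "-all"],
        "has_mx": bool(lookup(zone, name, "MX")),
        "dmarc_policy": dmarc_policy_for(zone, name, org_domain),
    }


if __name__ == "__main__":
    for host in ("contoso.com", "mail.contoso.com", "www.contoso.com", "legacy.contoso.com"):
        print(host, audit(ZONE, host, "contoso.com"))
```

Running it shows the practical point: `legacy.contoso.com` (no records of its own) picks up the wildcard `v=spf1 -all`, but `mail.contoso.com`, which owns an A record, gets no SPF from the wildcard and is protected only by the org domain's DMARC `sp=reject`. To give an existing subdomain a null SPF you have to add the TXT record at that name explicitly, as `www.contoso.com` does in the constructed zone.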
So, just to clarify, should I create TXT records for every subdomain with the same SPF value I plan to use?