It’s common for businesses to run multiple subdomains, but how well are those subdomains protected against email abuse? SPF does not inherit: a subdomain that publishes no SPF record of its own has no SPF policy at all, so mail forged from it simply gets a “none” result. Some domain owners leave their subdomains in exactly that state; others hand every subdomain the parent domain’s policy, either by copying the parent’s record or by publishing a record that just does include: of the parent. The second approach is definitely better than the first, but even it does not promise a robust defense against the phishing, spoofing, and ransomware campaigns that exploit your domain.
Moreover, giving subdomains the parent domain’s SPF policy has concrete drawbacks. This blog discusses what these drawbacks are and makes the case for building a separate, purpose-built SPF record for every domain and subdomain you own.
Primary reasons
1. Different email-sending sources
Subdomains are usually dedicated to different operations of an organization, or to separate entities within it that run their own email infrastructure. A subdomain that reuses the main domain’s SPF record therefore authorizes every one of the parent’s senders to send as the subdomain, while possibly omitting the subdomain’s own senders, whose mail then fails SPF.
With an independent SPF record per subdomain, the domain owner has granular control: each record lists exactly the sources allowed to send as that subdomain and nothing else, which keeps the authorized surface small and the security gaps few.
2. SPF record size and DNS lookup limits
A single string inside a DNS TXT record is limited to 255 octets (longer records must be split into several strings that clients concatenate), and a DNS response over plain UDP is limited to 512 bytes unless EDNS0 is in use; RFC 7208 therefore recommends keeping the whole SPF record under 450 octets. If a main domain has a complex SPF record, copying it to, or including it from, many subdomains pushes each of them toward these limits.
Such records also consume more of the DNS lookup budget. SPF allows at most 10 lookup-causing terms per evaluation (include, a, mx, ptr, exists and redirect), and the count is transitive through every include. A record that exceeds the limit yields a permerror rather than a pass or fail, and DMARC treats a permerror as SPF not passing, so a subdomain that includes a parent already near the limit silently loses SPF protection altogether.
3. Security considerations
If a subdomain reuses an overly permissive main-domain SPF record, it may inadvertently authorize mail servers (a marketing platform, a partner’s relay) that you should never trust to send as that subdomain; a compromise or abuse of any of those servers then produces SPF-passing mail from the subdomain. Moreover, where a subdomain is used by a different business unit or partner, a shared record means that whoever can edit it can authorize senders for everyone, which opens more avenues for a breach.
4. DMARC alignment
DMARC only credits an SPF pass when the identities align: the domain SPF authenticated (the RFC5321.MailFrom, or the HELO identity when MAIL FROM is empty) must match the domain in the message’s From header, exactly under strict alignment (aspf=s) or at the organizational-domain level under relaxed alignment (the default). A subdomain that sends with the parent’s MAIL FROM domain because it reuses the parent’s setup will pass SPF yet fail strict alignment. Since different subdomains may carry different DMARC policies (their own _dmarc record, or the parent’s sp= tag), a one-size-fits-all SPF arrangement undermines DMARC precisely where it is strictest.
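The alignment rule above, as an added example that is not part of the original post: a small checker for strict and relaxed SPF alignment. The public-suffix set is a constructed stand-in for the real Public Suffix List, and the domain names are illustrative only.

```python
"""DMARC identifier alignment for SPF (added example, not the post's own code)."""

# Constructed stand-in for the Public Suffix List (publicsuffix.org). A real
# implementation must load the full list, because suffixes such as co.uk span
# two labels and the list changes over time.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}


def organizational_domain(domain):
    """Organizational domain as DMARC defines it: the longest public suffix
    plus one label (mail.example.co.uk -> example.co.uk)."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels)  # no known suffix: treat the name itself as the org domain


def spf_aligned(mail_from_domain, header_from_domain, aspf="r"):
    """Does the SPF-authenticated identity align with the RFC5322.From domain?

    mail_from_domain is the RFC5321.MailFrom domain (or the HELO/EHLO name when
    MAIL FROM is empty). aspf="s" demands an exact match; aspf="r", the DMARC
    default, accepts any two names with the same organizational domain."""
    mf = mail_from_domain.lower().rstrip(".")
    hf = header_from_domain.lower().rstrip(".")
    if aspf == "s":
        return mf == hf
    if aspf != "r":
        raise ValueError("aspf must be 'r' (relaxed) or 's' (strict)")
    return organizational_domain(mf) == organizational_domain(hf)


def dmarc_spf_result(spf_result, mail_from_domain, header_from_domain, aspf="r"):
    """DMARC counts SPF only when the result is 'pass' AND the identities align.
    A softfail, permerror or an unaligned pass all contribute nothing."""
    return spf_result == "pass" and spf_aligned(mail_from_domain, header_from_domain, aspf)


if __name__ == "__main__":
    # Constructed scenarios (hypothetical domains) for a quick look.
    cases = [
        # subdomain From, but the shared setup sends with the parent's MAIL FROM
        ("pass", "example.com", "finance.example.com"),
        # support subdomain relayed by a vendor whose own domain passes SPF
        ("pass", "bounce.helpdesk.example", "support.example.com"),
        # subdomain with its own SPF record and its own MAIL FROM
        ("pass", "support.example.com", "support.example.com"),
    ]
    for spf, mf, hf in cases:
        print(f"MAIL FROM {mf:28} From {hf:22} strict={dmarc_spf_result(spf, mf, hf, 's')!s:5} "
              f"relaxed={dmarc_spf_result(spf, mf, hf, 'r')}")
```

The second scenario is the one that bites subdomains in practice: the vendor’s relay passes SPF for its own bounce domain, but that pass is useless to DMARC because the domain it authenticated is not yours at all. Only a subdomain-specific setup, where MAIL FROM is the subdomain (or at least your organizational domain), lets SPF count.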
5. Operational flexibility
Different subdomains may require different email policies, especially in large organizations with diverse email needs. Independent SPF records allow for flexibility and customization in email authentication policies, ensuring that each subdomain operates according to its specific requirements.
For example, a subdomain dedicated to the finance department can’t afford an email-based breach, so its SPF record should end in -all (hard fail: anything not listed is treated as a failure, which many receivers reject outright), backed by a DMARC policy of p=reject. For a customer-support subdomain that sends through third-party tooling, you may prefer ~all (soft fail) with DMARC p=quarantine, so that a legitimate message from a source you forgot to list still reaches the recipient, in the spam folder at worst, rather than being dropped. Note that p=reject and p=quarantine are DMARC tags, not SPF syntax: SPF itself expresses strictness only through the qualifier on the all mechanism.
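Put into DNS terms, here is an added example of per-subdomain SPF and DMARC records for a constructed example.com zone (not records from the original post; the names and IP ranges are illustrative, and the helpdesk include target is hypothetical):

```dns
; Added example: per-subdomain SPF and DMARC for a constructed example.com zone.
; IP addresses are documentation ranges; _spf.helpdesk.example is hypothetical.

; Finance: only the in-house relay may send as this subdomain. Hard fail
; everything else, and have DMARC reject whatever does not authenticate and align.
finance.example.com.        IN TXT "v=spf1 ip4:192.0.2.25 -all"
_dmarc.finance.example.com. IN TXT "v=DMARC1; p=reject; aspf=s; adkim=s; rua=mailto:dmarc@example.com"

; Support: a third-party helpdesk sends on its behalf. Soft fail so that a source
; you forgot to list lands in spam rather than being dropped, and quarantine
; rather than reject at the DMARC level.
support.example.com.        IN TXT "v=spf1 include:_spf.helpdesk.example ~all"
_dmarc.support.example.com. IN TXT "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com"

; A subdomain that never sends mail gets an explicit deny-all so it cannot be spoofed.
static.example.com.         IN TXT "v=spf1 -all"

; Parent: its own senders only. sp=reject covers any subdomain that publishes no
; _dmarc record of its own; DMARC does inherit through sp=, SPF never inherits.
example.com.                IN TXT "v=spf1 ip4:192.0.2.0/28 -all"
_dmarc.example.com.         IN TXT "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@example.com"
```

Each subdomain’s record names only that subdomain’s senders, so a change to the finance relay never touches what the helpdesk vendor may do, and vice versa. The ~all on the support subdomain only softens the SPF verdict itself; under DMARC, a softfail still does not count as a pass, so it is the p=quarantine that decides where an unlisted sender’s mail ends up.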
What you should do instead
Create an individual SPF record for every domain and subdomain you send from, listing only that subdomain’s senders, and publish a plain deny-all record (v=spf1 -all) on subdomains that never send mail so they cannot be spoofed either. As you adjust SPF, keep it consistent with your DMARC policy, with the MAIL FROM domain aligned to the From header domain, so the two never conflict or contradict each other.
Optimize SPF records to avoid excessive DNS lookups and stay within the 10-lookup limit, remembering that lookups inside every include count toward it. This can involve consolidating IP ranges, removing outdated or unnecessary entries, or flattening includes into literal ip4/ip6 entries; if you flatten, the record must be regenerated whenever a provider changes its ranges, or legitimate mail will start failing. You can also use our automatic SPF flattening tool to sort this issue. Please reach out to us to learn more.
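To make the lookup and size limits discussed under “SPF record size and DNS lookup limits” and in the optimization advice above concrete, here is an added example of an offline SPF linter (not the post’s own tool). It resolves include: and redirect= targets from a constructed in-memory zone instead of live DNS, so the domain names and records in ZONE are illustrative; the parent record is deliberately heavy to show how a subdomain that merely includes it inherits the whole cost.

```python
"""Offline SPF record linter (added example, not the post's own tool).

Counts the DNS-lookup terms of a record transitively through include:/redirect=
and checks the record size, using a constructed dict as a stand-in for DNS.
"""
import re

# Terms that cost a DNS query when evaluated (RFC 7208 section 4.6.4).
# ip4, ip6 and all are free, and the exp= modifier is excluded from the budget.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10          # RFC 7208 section 4.6.4
MAX_RECORD_OCTETS = 450   # RFC 7208 section 3.4 recommendation

# optional qualifier, mechanism/modifier name, optional argument after ':', '=' or '/'
TERM_RE = re.compile(r"^([+\-~?])?([A-Za-z][A-Za-z0-9]*)(?:[:=/](.*))?$")


def lint_spf(domain, zone, _path=()):
    """Lint the SPF record of `domain`; `zone` is {name: spf_record}.

    Returns {"domain", "lookups", "octets", "problems"}. The lookup count is
    transitive, so a subdomain that includes the parent pays the parent's cost.
    """
    report = {"domain": domain, "lookups": 0, "octets": 0, "problems": []}
    record = zone.get(domain)
    if record is None:
        report["problems"].append(f"no SPF record for {domain}")
        return report

    report["octets"] = len(record.encode("ascii"))
    if report["octets"] > MAX_RECORD_OCTETS:
        report["problems"].append(
            f"{domain}: record is {report['octets']} octets, keep it under {MAX_RECORD_OCTETS}")

    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        report["problems"].append(f"{domain}: record does not start with v=spf1")
        return report

    for term in terms[1:]:
        m = TERM_RE.match(term)
        if not m:
            report["problems"].append(f"{domain}: unparseable term {term!r}")
            continue
        name, arg = m.group(2).lower(), m.group(3)
        if name not in LOOKUP_TERMS:
            continue                       # ip4 / ip6 / all / exp cost nothing
        report["lookups"] += 1             # the query this term itself causes
        if name in ("include", "redirect") and arg:
            target = arg.lower().rstrip(".")
            if target == domain or target in _path:
                report["problems"].append(f"{domain}: include loop via {target}")
            elif target in zone:
                # the included record's own lookups count against OUR budget
                sub = lint_spf(target, zone, _path + (domain,))
                report["lookups"] += sub["lookups"]
                report["problems"].extend(sub["problems"])
            else:
                report["problems"].append(
                    f"{domain}: cannot resolve {name} target {target} offline")

    if report["lookups"] > MAX_LOOKUPS:
        report["problems"].append(
            f"{domain}: {report['lookups']} DNS lookups exceed the limit of {MAX_LOOKUPS}; "
            "receivers return permerror and DMARC treats SPF as not passed")
    return report


# Constructed zone (hypothetical names, documentation IP ranges).
ZONE = {
    # Parent: a, mx and three vendor includes, two of which nest further.
    "example.com": ("v=spf1 a mx include:_spf.mailer-a.example include:_spf.crm.example "
                    "include:_spf.helpdesk.example -all"),
    "_spf.mailer-a.example": "v=spf1 include:_a1.mailer-a.example include:_a2.mailer-a.example ~all",
    "_a1.mailer-a.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "_a2.mailer-a.example": "v=spf1 ip4:198.51.100.0/24 -all",
    "_spf.crm.example": "v=spf1 a mx ip4:203.0.113.0/24 ~all",
    "_spf.helpdesk.example": "v=spf1 mx include:_spf.mailer-a.example ~all",
    # Subdomain that "inherits" by including the parent: pays for all of it.
    "finance.example.com": "v=spf1 include:example.com -all",
    # Subdomain with its own minimal record.
    "support.example.com": "v=spf1 ip4:203.0.113.10 ~all",
}

if __name__ == "__main__":
    for name in ("example.com", "finance.example.com", "support.example.com"):
        r = lint_spf(name, ZONE)
        print(f"{name}: {r['lookups']} lookups, {r['octets']} octets")
        for p in r["problems"]:
            print("  !", p)
```

Running it shows the parent at 13 lookups, already past the limit, the finance subdomain at 14 purely because of its single include, and the support subdomain at zero. The same transitive accounting is what a flattening tool performs when it replaces the includes with the literal ip4/ip6 entries they resolve to.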