When managing email authentication for a domain with multiple subdomains, maintaining individual SPF (Sender Policy Framework) records for each subdomain becomes impractical. Many developers wonder if a wildcard TXT record can solve this problem universally.
While SPF doesn't natively support wildcards in the traditional sense, you can implement a solution using DNS wildcard TXT records. Here's how it works:
*.example.com. IN TXT "v=spf1 include:_spf.example.com -all"
The above record will apply to all subdomains, but there are important considerations:
- The root domain still needs its own explicit SPF record
- This method may cause issues with email forwarding services
- Some email providers might treat wildcard SPF records differently
A more reliable approach is to create a centralized SPF record and include it in all subdomains:
; Main domain record
example.com. IN TXT "v=spf1 include:_spf.example.com -all"
; Subdomain records (can be generated programmatically)
sub1.example.com. IN TXT "v=spf1 include:_spf.example.com -all"
sub2.example.com. IN TXT "v=spf1 include:_spf.example.com -all"
For large infrastructures, consider automating SPF record deployment using DNS APIs. Here's a Python example using the Cloudflare API:
import requests

def update_spf_record(api_token, zone_id, subdomain, spf_value):
    """Create a TXT record in a Cloudflare zone through the v4 DNS records endpoint."""
    headers = {
        "Authorization": f"Bearer {api_token}",
        "Content-Type": "application/json"
    }
    data = {
        "type": "TXT",
        "name": subdomain,
        "content": spf_value,
        "ttl": 3600
    }
    response = requests.post(
        f"https://api.cloudflare.com/client/v4/zones/{zone_id}/dns_records",
        headers=headers,
        json=data,
        timeout=10  # never block a deployment job indefinitely on the API
    )
    # The API reports failures (bad token, malformed record) in the JSON body;
    # check the "success" field and "errors" list in the returned value.
    return response.json()

# Example usage (placeholder token and zone id)
if __name__ == "__main__":
    update_spf_record(
        "your_api_token",
        "zone_id",
        "*.example.com",
        "v=spf1 include:_spf.example.com -all"
    )
Always verify your SPF configuration using tools like:
- dig TXT example.com
- MXToolbox SPF Checker
- Google Admin Toolbox
When managing email authentication for a domain with multiple subdomains, setting individual SPF (Sender Policy Framework) records for each subdomain can become tedious. A wildcard SPF record offers a scalable solution by applying the same SPF policy across all subdomains.
While DNS supports wildcard records (e.g., *.example.com), SPF has specific requirements. The SPF specification (RFC 7208) doesn't prohibit wildcards, but their behavior might not be what you expect:
; This WON'T work as you might expect
*.example.com. IN TXT "v=spf1 include:_spf.example.com ~all"
The above record would only match literal *.example.com queries, not actual subdomains. Instead, we need a different approach.
For comprehensive coverage, you have two main options:
Option 1: Inherit the Parent Domain's SPF
Most modern email systems will check the parent domain's SPF if no specific record exists for a subdomain. Simply ensure your main domain has a proper SPF record:
example.com. IN TXT "v=spf1 include:_spf.example.com ~all"
Option 2: Create Specific Subdomain Records
For subdomains with different email sending requirements, create explicit records:
mail.example.com. IN TXT "v=spf1 ip4:192.0.2.1 -all"
support.example.com. IN TXT "v=spf1 include:servers.mailprovider.com -all"
For large deployments, consider using DNS APIs to programmatically manage SPF records. Here's a Python example using the dnspython library:
import dns.update
import dns.query

def add_spf_record(zone, name, spf_string, server):
    """Send an RFC 2136 dynamic update adding a TXT record for `name` inside `zone`.
    `server` is the IP address of the primary nameserver that accepts updates
    (dnspython expects an address here, not a hostname). Production updates
    should be TSIG-signed via the keyring/keyname arguments of dns.update.Update."""
    update = dns.update.Update(zone)
    # Quote the value so the whole SPF string is stored as one TXT character-string;
    # unquoted text is tokenized at spaces into several strings, which breaks SPF parsing.
    update.add(name, 300, 'TXT', f'"{spf_string}"')
    return dns.query.tcp(update, server)

# Add SPF for multiple subdomains of the example.com zone
subdomains = ['mail', 'support', 'newsletter']
base_spf = "v=spf1 include:_spf.example.com ~all"
primary_ns = '192.0.2.53'  # placeholder: replace with your primary nameserver's IP address
for sub in subdomains:
    add_spf_record('example.com', sub, base_spf, primary_ns)
Always test your SPF configuration using tools like:
- MXToolbox SPF Checker
- Google's SPF Testing Tool
- Command-line dig queries:
dig TXT example.com
Remember that DNS changes can take time to propagate, and SPF has a 10-lookup limit for includes and redirects.
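Added example (not code from the original page): a small Python model of the two points discussed above, wildcard coverage and the lookup limit. It resolves names from a constructed in-memory zone using the RFC 4592 wildcard rules (a wildcard is only synthesized for names that do not exist at all, so a subdomain that already owns an A record gets no wildcard TXT), then counts the DNS-querying terms an SPF record chain needs. All zone names and records are assumptions built for the example.

```python
import re

SPF_LIMIT = 10  # RFC 7208 cap on DNS-querying terms per SPF evaluation
# Constructed in-memory zone (not real DNS data): owner name -> {rrtype: [rdata]}
ZONE = {
    "example.com": {"TXT": ["v=spf1 include:_spf.example.com -all"], "A": ["192.0.2.10"]},
    "*.example.com": {"TXT": ["v=spf1 include:_spf.example.com -all"]},
    "_spf.example.com": {"TXT": ["v=spf1 ip4:192.0.2.0/24 include:mailprovider.example -all"]},
    "www.example.com": {"A": ["192.0.2.20"]},  # owns an A record, so the wildcard never applies here
    "mailprovider.example": {"TXT": ["v=spf1 ip4:198.51.100.0/24 -all"]},
    # constructed over-limit record: eleven include: terms, each costing one lookup
    "bulk.example.com": {"TXT": ["v=spf1 " + " ".join(f"include:p{i}.example" for i in range(11)) + " -all"]},
}
ZONE.update({f"p{i}.example": {"TXT": ["v=spf1 ip4:203.0.113.0/24 -all"]} for i in range(11)})

def lookup(name, rrtype):
    """RFC 4592 wildcards: an existing owner name wins even without rrtype; otherwise only
    the wildcard directly below the closest existing ancestor (incl. empty non-terminals) applies."""
    if name in ZONE:
        return ZONE[name].get(rrtype, [])
    labels = name.split(".")
    for i in range(1, len(labels)):
        encloser = ".".join(labels[i:])
        if any(n == encloser or n.endswith("." + encloser) for n in ZONE):
            return ZONE.get("*." + encloser, {}).get(rrtype, [])
    return []

def spf_record(name):
    """The single v=spf1 TXT record at name, or None (zero or several is a permerror)."""
    recs = [t for t in lookup(name, "TXT") if t.split(" ", 1)[0] == "v=spf1"]
    return recs[0] if len(recs) == 1 else None

def count_lookups(name, seen=frozenset()):
    """DNS-querying terms reached from name, following include: and redirect= recursively."""
    if name in seen:
        raise ValueError(f"include/redirect loop at {name}")
    record = spf_record(name)
    if record is None:
        raise ValueError(f"no usable SPF record at {name}")
    total = 0
    for term in record.split()[1:]:
        term = term.lstrip("+-~?")  # drop the qualifier prefix
        if term.startswith(("include:", "redirect=")):
            total += 1 + count_lookups(re.split("[:=]", term, maxsplit=1)[1], seen | {name})
        elif re.match(r"(a|mx|ptr|exists)($|[:/])", term):
            total += 1
    return total
```

Compare count_lookups("bulk.example.com") against SPF_LIMIT to flag a record that receivers will permerror, and spf_record("www.example.com") to see the wildcard gap.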
For most use cases, relying on the parent domain's SPF record is sufficient. Only create specific subdomain records when:
- Subdomains use different email providers
- You need stricter policies for certain subdomains
- You're experiencing deliverability issues