Are TXT (SPF) records global for sub-domains?

I have an SPF record for my top-level domain, structuredweb.com. See the "dig" outputs below. As part of our operations we send emails from swmail.structuredweb.com (64.14.55.140) in which the Return-Path is an address under "inbound.structuredweb.com". I have no SPF record for this sub-domain. When I run dig for this sub-domain I get no answer.
However, when I look at the headers of a typical email, I see that Google approves this sender, as if it's honoring the SPF record for the top-level domain.

Is there any standard here? Can I assume SPF records affect sub-domains unless there is a specific record on the sub-domain? The last example shows "campaigns.structuredweb.com", for which I do have a specific SPF record.

1) ========== email header ===========
Received-SPF: pass (google.com: domain of
 XCAM_xxx@inbound.structuredweb.com designates 64.14.55.140 as
 permitted sender) client-ip=64.14.55.140

2) ===== dig for txt record of structuredweb.com ============
$ dig @dns025.b.register.com structuredweb.com txt
; <<>> DiG 9.3.3rc2 <<>> @dns025.b.register.com structuredweb.com txt
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3276
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;structuredweb.com.             IN      TXT

;; ANSWER SECTION:
structuredweb.com.      14400   IN      TXT     "v=spf1 a:swmail01.structuredweb.com a:swmail.structuredweb.com include:aspmx.googlemail.com ?all"

;; Query time: 31 msec
;; SERVER: 216.21.232.25#53(216.21.232.25)
;; WHEN: Fri Mar 26 11:20:24 2010
;; MSG SIZE  rcvd: 144

3) ===== dig of inbound.structuredweb.com =============
$ dig @dns025.b.register.com inbound.structuredweb.com txt
; <<>> DiG 9.3.3rc2 <<>> @dns025.b.register.com inbound.structuredweb.com txt
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53828
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;inbound.structuredweb.com.     IN      TXT

;; AUTHORITY SECTION:
structuredweb.com.      14400   IN      SOA     dns174.a.register.com. root.register.com. 2009070226 28800 7200 604800 14400

4) ===== dig of campaigns.structuredweb.com =============
$ dig @dns025.b.register.com campaigns.structuredweb.com txt
; <<>> DiG 9.3.3rc2 <<>> @dns025.b.register.com campaigns.structuredweb.com txt
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49336
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;campaigns.structuredweb.com.   IN      TXT

;; ANSWER SECTION:
campaigns.structuredweb.com. 14400 IN   TXT     "v=spf1 ip4:64.14.55.140/32 ip4:64.14.55.141/32 ?all"

;; Query time: 32 msec
;; SERVER: 216.21.232.25#53(216.21.232.25)
;; WHEN: Fri Mar 26 11:29:41 2010
;; MSG SIZE  rcvd: 109

structuredweb Asked:

shauncroucher Commented:
SPF deals with the envelope FROM, so if you are referring to this when you say 'Reply-To' then you will need to have an SPF TXT for the domain to the right of the email address to get a 'PASS' result.

So, if the envelope header is from swmail.xxxxx.com then that will need its own dedicated SPF.

A lack of SPF may also result in mail items being considered a 'PASS' or 'unknown', depending on the software and semantics used.

Bottom line, no, the SPF for top level is not used for all subdomains.

Shaun
0
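Added example, not part of any post in this thread: how a receiver following RFC 7208 selects and evaluates the SPF record for each of the three names discussed. The `TXT` and `A` tables are constructed from the dig output and the address quoted in the question, the function names are this example's own, and only the `ip4`, `a` and `all` mechanisms are evaluated.

```python
import ipaddress

# Constructed in-memory DNS data, copied from the dig output and the address
# quoted in the thread. Nothing here is resolved over the network.
TXT = {
    "structuredweb.com": ["v=spf1 a:swmail01.structuredweb.com "
                          "a:swmail.structuredweb.com include:aspmx.googlemail.com ?all"],
    "campaigns.structuredweb.com": ["v=spf1 ip4:64.14.55.140/32 ip4:64.14.55.141/32 ?all"],
    # inbound.structuredweb.com: the name exists but has no TXT (NOERROR, ANSWER: 0)
}
A = {"swmail.structuredweb.com": ["64.14.55.140"]}  # swmail01's address is not on the page
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def select_records(domain):
    """RFC 7208 section 4.5: only TXT records published at exactly this name
    count; the parent zone's record is never consulted."""
    name = domain.lower().rstrip(".")
    return [t for t in TXT.get(name, [])
            if t.lower() == "v=spf1" or t.lower().startswith("v=spf1 ")]


def check_host(ip, domain):
    """Evaluate ip4, a and all mechanisms for the MAIL FROM domain."""
    records = select_records(domain)
    if not records:
        return "none"          # no policy published: neither pass nor fail
    if len(records) > 1:
        return "permerror"     # more than one SPF record is a publishing error
    client = ipaddress.ip_address(ip)
    for term in records[0].split()[1:]:
        result = QUALIFIERS.get(term[0], "pass")
        mech = term[1:] if term[0] in QUALIFIERS else term
        kind, _, arg = mech.partition(":")
        kind = kind.lower()
        if kind == "all":
            return result
        if kind == "ip4":
            matched = client in ipaddress.ip_network(arg, strict=False)
        elif kind == "a":
            hosts = A.get((arg or domain).lower(), [])
            matched = any(client == ipaddress.ip_address(h) for h in hosts)
        else:
            raise NotImplementedError(f"mechanism not covered here: {term}")
        if matched:
            return result
    return "neutral"           # default when no mechanism matches


if __name__ == "__main__":
    for d in ("structuredweb.com", "campaigns.structuredweb.com", "inbound.structuredweb.com"):
        print(d, "->", check_host("64.14.55.140", d))
```

Under these rules `inbound.structuredweb.com` evaluates to `none`, a result distinct from the `pass` returned for the two names that publish a record.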
structuredweb (Author) Commented:
Shaun,

Your answer matches what I would expect, but then how come Google PASSes the SPF test for inbound.structuredweb.com without any SPF record created for this sub-domain? Are you saying they use the top-level SPF definition, find a match, then apply it to this sub-domain?

I think I will create the definition for inbound.structuredweb.com just in case.
0
shauncroucher Commented:
No, it shouldn't use the top-level SPF definition in my experience.

Can you post the header info?

Especially this bit: Received-SPF: pass (google.com: domain of noreply@experts-exchange.com designates 64.156.132.163 as permitted sender) client-ip=64.156.132.163
0
structuredweb (Author) Commented:
Shaun,

The header info regarding the SPF was posted above in my original post. What is funny, I decided to add a specific TXT record for inbound.structuredweb.com and it seems as far as Google is concerned there is no difference! I'm going to keep the record as it cannot hurt and it is advised policy.

header before setting TXT record for inbound.structuredweb.com (original post)
=============================================================
Received-SPF: pass (google.com: domain of
 XCAM_11523149377689@inbound.structuredweb.com designates 64.14.55.140 as
 permitted sender) client-ip=64.14.55.140;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of
 XCAM_11523149377689@inbound.structuredweb.com designates 64.14.55.140 as
 permitted sender) smtp.mail=XCAM_11523149377689@inbound.structuredweb.com

header from new email after setting TXT record for inbound.structuredweb.com
=====================================================
Received-SPF: pass (google.com: domain of XCAM_11527319400880@inbound.structuredweb.com designates 64.14.55.140 as permitted sender) client-ip=64.14.55.140;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of XCAM_11527319400880@inbound.structuredweb.com designates 64.14.55.140 as permitted sender) smtp.mail=XCAM_11527319400880@inbound.structuredweb.com
0
shauncroucher Commented:
That is a little odd; perhaps Gmail will try further down the hierarchy for SPF, but this isn't the way SPF was designed to operate, so it may be a Gmail-specific setting.

In any case, I think creating the TXT is a good idea; at least you know this will work for all other servers querying for SPF details.

Shaun
0

structuredweb (Author) Commented:
I created all necessary TXT records for sub-domains; we just agreed Gmail follows its own rules ...
0