Are TXT (SPF) records global for sub-domains?

I have an SPF record for my top-level domain, structuredweb.com; see the "dig" outputs below. As part of our operations we send emails from swmail.structuredweb.com (64.14.55.140) in which the Return-Path is an address under "inbound.structuredweb.com". I have no SPF record for this sub-domain. When I run dig for this sub-domain I get no answer.
However, when I look at the headers of a typical email, I see that Google approves this sender, as if it's honoring the SPF record for the top-level domain.

Is there any standard here? Can I assume SPF records affect sub-domains unless there is a specific record on the sub-domain? The last example shows "campaigns.structuredweb.com", for which I do have a specific SPF record.

1) ========== email header ===========
Received-SPF: pass (google.com: domain of
 XCAM_xxx@inbound.structuredweb.com designates 64.14.55.140 as
 permitted sender) client-ip=64.14.55.140

2) ===== dig for txt record of structuredweb.com ============
$ dig @dns025.b.register.com structuredweb.com txt
; <<>> DiG 9.3.3rc2 <<>> @dns025.b.register.com structuredweb.com txt
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3276
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;structuredweb.com.             IN      TXT

;; ANSWER SECTION:
structuredweb.com.      14400   IN      TXT     "v=spf1 a:swmail01.structuredweb.com a:swmail.structuredweb.com include:aspmx.googlemail.com ?all"

;; Query time: 31 msec
;; SERVER: 216.21.232.25#53(216.21.232.25)
;; WHEN: Fri Mar 26 11:20:24 2010
;; MSG SIZE  rcvd: 144

3) ===== dig of inbound.structuredweb.com =============
$ dig @dns025.b.register.com inbound.structuredweb.com txt
; <<>> DiG 9.3.3rc2 <<>> @dns025.b.register.com inbound.structuredweb.com txt
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53828
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;inbound.structuredweb.com.     IN      TXT

;; AUTHORITY SECTION:
structuredweb.com.      14400   IN      SOA     dns174.a.register.com. root.register.com. 2009070226 28800 7200 604800 14400

4) ===== dig of campaigns.structuredweb.com =============
$ dig @dns025.b.register.com campaigns.structuredweb.com txt
; <<>> DiG 9.3.3rc2 <<>> @dns025.b.register.com campaigns.structuredweb.com txt
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49336
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;campaigns.structuredweb.com.   IN      TXT

;; ANSWER SECTION:
campaigns.structuredweb.com. 14400 IN   TXT     "v=spf1 ip4:64.14.55.140/32 ip4:64.14.55.141/32 ?all"

;; Query time: 32 msec
;; SERVER: 216.21.232.25#53(216.21.232.25)
;; WHEN: Fri Mar 26 11:29:41 2010
;; MSG SIZE  rcvd: 109

Asked by: structuredweb

shauncroucher Commented:
That is a little odd, perhaps gmail will try further down the hierarchy for SPF, but this isn't the way SPF was designed to operate so it may be a gmail specific setting.

In any case, I think creating the TXT is a good idea, at least you know this will work for all other servers querying for SPF details.

Shaun
0
 
shauncroucher Commented:
SPF deals with the envelope FROM, so if you are referring to this when you say 'Reply-To' then you will need to have an SPF TXT for the domain to the right of the email address to get a 'PASS' result.

So, if the envelope header is from swmail.xxxxx.com then that will need its own dedicated SPF.

A lack of SPF may also lead to any mail items being considered a 'PASS' or 'unknown', depending on the software and semantics used.

Bottom line, no, the SPF for top level is not used for all subdomains.

Shaun
0
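Added example (not part of the thread or any poster's code): a minimal sketch of RFC 7208 record selection and evaluation, run over a constructed zone built from the dig output in the question. It shows that a name with no TXT record evaluates to "none" rather than inheriting the parent's policy. The TXT and A tables and the function names are assumptions for illustration, and only the a, ip4, include and all mechanisms are handled.

```python
import ipaddress

# Constructed zone: TXT strings copied from the dig output in the question; the
# A record uses the address the asker gives for swmail.structuredweb.com.
TXT = {
    "structuredweb.com": ["v=spf1 a:swmail01.structuredweb.com a:swmail.structuredweb.com include:aspmx.googlemail.com ?all"],
    "campaigns.structuredweb.com": ["v=spf1 ip4:64.14.55.140/32 ip4:64.14.55.141/32 ?all"],
}
A = {"swmail.structuredweb.com": ["64.14.55.140"]}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def select_record(domain):
    """RFC 7208 record selection: TXT at the exact name only, no parent walk."""
    found = [t for t in TXT.get(domain.lower().rstrip("."), [])
             if t.lower().split(" ")[0] == "v=spf1"]
    if len(found) > 1:
        return "permerror", None
    return ("ok", found[0]) if found else ("none", None)


def check_host(ip, domain):
    """Evaluate a, ip4, include and all for the envelope-sender domain."""
    status, record = select_record(domain)
    if status != "ok":
        return status
    client = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.lower().partition(":")
        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = client in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = str(client) in A.get(arg or domain.lower(), [])
        elif mech == "include":
            inner = check_host(ip, arg)
            if inner in ("none", "permerror", "temperror"):
                return "permerror" if inner == "none" else inner
            matched = inner == "pass"
        else:
            raise NotImplementedError(f"mechanism outside this example: {term}")
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"
```
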
 
structuredweb (Author) Commented:
Shaun,

Your answer matches what I would expect, but then how come Google PASSes the SPF test for inbound.structuredweb.com without any SPF record created for this sub-domain? Are you saying they use the top-level SPF definition, find a match, then apply it to this sub-domain?

I think I will create the definition for inbound.structuredweb.com just in case.
0
 
shauncroucher Commented:
No, it shouldn't use the top-level SPF definition in my experience.

Can you post the header info?

Especially this bit: Received-SPF: pass (google.com: domain of noreply@experts-exchange.com designates 64.156.132.163 as permitted sender) client-ip=64.156.132.163
0
 
structuredweb (Author) Commented:
Shaun,

The header info regarding the SPF was posted above in my original post. What is funny, I decided to add a specific TXT record for inbound.structuredweb.com and it seems as far as Google is concerned there is no difference! I'm going to keep the record as it cannot hurt and it is advised policy.

header before setting TXT record for inbound.structuredweb.com (original post)
=============================================================
Received-SPF: pass (google.com: domain of
 XCAM_11523149377689@inbound.structuredweb.com designates 64.14.55.140 as
 permitted sender) client-ip=64.14.55.140;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of
 XCAM_11523149377689@inbound.structuredweb.com designates 64.14.55.140 as
 permitted sender) smtp.mail=XCAM_11523149377689@inbound.structuredweb.com

header from new email after setting TXT record for inbound.structuredweb.com
=====================================================
Received-SPF: pass (google.com: domain of XCAM_11527319400880@inbound.structuredweb.com designates 64.14.55.140 as permitted sender) client-ip=64.14.55.140;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of XCAM_11527319400880@inbound.structuredweb.com designates 64.14.55.140 as permitted sender) smtp.mail=XCAM_11527319400880@inbound.structuredweb.com
0
 
structuredweb (Author) Commented:
I created all necessary TXT records for sub-domains; we just agreed Gmail follows its own rules ...
0