Why does EMP recommend subdomain segmentation over SPF flattening?

Flattening replaces include mechanisms with the IP addresses they currently resolve to. The fix is immediate but ESP IP ranges change without notice; the flattened record becomes stale within weeks. Subdomain segmentation routes each ESP to its own subdomain with the apex domain reserved for internal mail. Each subdomain carries its own 10-lookup budget, the budget never compounds across services, and operational maintenance reduces to annual reviews. dmarcian published the subdomain-vs-flattening analysis and the EMP recommendation follows their guidance.

How does DKIM selector rotation work and what is the cadence?

M3AAWG recommends DKIM key rotation every 6 months as baseline. The procedure: generate a new key pair with a versioned selector name, publish the new public key in DNS, wait 24-48 hours for propagation, switch the signing service to the new private key, observe DMARC reports for clean alignment on the new selector for 7-14 days, deprecate the old selector. Critical rule: never reuse a selector name after deleting its key. EMP delivers a 12-month or 24-month rotation calendar with selector names, dates, and procedures.

Will this break our existing email while we make changes?

The SPF and DKIM changes are designed to be non-disruptive when executed in the right order. DKIM additions are additive: new selectors are published in DNS before the signing service starts using them. SPF changes do carry risk if the subdomain segmentation removes a previously-authorized sender before that sender is moved to the subdomain; the migration sequence avoids this by publishing the new subdomain SPF first, switching senders, then removing the apex SPF authorization. Total elapsed time during which both paths are valid is 24-72 hours per migration step. No customer in EMP 2024-2026 SPF DKIM engagement history has experienced a delivery outage during migration.

How long does the setup take and what is the timeline?

Single ESP environment: 5 to 7 business days. Multi-ESP environment with 3-5 sources: 10 to 14 business days. Enterprise multi-domain: 21 to 30 calendar days. The largest variable is access to DNS and ESP dashboards; with read-write access on day 1 the timelines compress by 2-3 days. Phases in order: discovery and inventory, SPF strategy and segmentation design, DKIM key generation and selector publication, DNS propagation and seed testing, ESP cutover for Multi-ESP and Enterprise tiers, validation and monitoring setup. The 30-day post-deployment monitoring runs in parallel with subsequent customer work.

RFC 7208 · RFC 6376 · RFC 8301 · M3AAWG rotation discipline

Clean SPF, valid DKIM. Before DMARC enforcement turns into incident response.

The two foundational mechanisms most often cause the DMARC enforcement migration to fail. SPF records exceeding the 10 DNS lookup limit defined in RFC 7208 section 4.6.4 produce permerror outcomes that fail authentication for every email at the domain, not just the emails from the extra ESP added last. DKIM signing on a nonexistent selector produces alignment failures that pass through unnoticed at p=none and become quarantine or reject events the moment the policy moves to enforcement. Programs sending across Google Workspace, Microsoft 365, SendGrid, Mailchimp, and a handful of CRM and helpdesk integrations commonly hit 9 to 12 lookups against the cumulative 10-budget without any visible warning. The service inventories every legitimate sending source, applies the dmarcian-recommended subdomain segmentation strategy rather than the more fragile flattening approach, deploys DKIM at 2048-bit RSA with rsa-sha256 following RFC 8301 minimums, publishes versioned selectors following M3AAWG rotation conventions, and delivers a 12 to 24 month rotation calendar the operations team can execute without external dependency. The deliverable also includes the sender inventory document which is one of the highest-value artifacts because most organizations have not documented their complete sending surface.

10DNS lookup limit

RFC 7208 sec 4.6.4

2048DKIM bit minimum

RFC 8301 mandate

6morotation cadence

M3AAWG best practice

3-4ESPs to hit ceiling

Common 2026 pattern

Start setup See the 10-lookup math

SPF and DKIM at a glance · different mechanisms · both required

Two foundational mechanisms. Each solves a different problem.

SPF answers the question: which servers are authorized to send mail from this domain. DKIM answers a different question: was this specific message signed by the domain's private key and not modified in transit. DMARC enforcement requires both to pass and align with the From domain. Most authentication setup failures trace to misunderstanding which mechanism handles which concern; SPF cannot survive forwarding because the envelope sender changes, DKIM cannot cover servers that send unsigned mail, neither covers the From address without alignment.

Mechanism 01

SPF

RFC 7208 · Sender Policy Framework

Declares the authorized sending sources for the domain. Checks the envelope MAIL FROM domain against published IPs and include chains; passes when the connecting IP matches.

Where published: TXT record at the apex domain
What it checks: envelope MAIL FROM domain vs IP
Hard limit: 10 DNS lookups per evaluation
Void limit: 2 lookups returning NXDOMAIN
Survives forwarding: no, envelope changes
Mechanisms cost: include, a, mx, ptr, exists, redirect
Mechanisms free: ip4, ip6, all (no DNS lookup)

Mechanism 02

DKIM

RFC 6376 · RFC 8301 · DomainKeys Identified Mail

Cryptographically signs message headers and body with a private key. The receiving server fetches the public key from DNS and verifies the signature; passes when the signature is valid and the headers were not modified.

Where published: TXT at selector._domainkey subdomain
What it checks: cryptographic signature on headers and body
Key length: 2048-bit RSA minimum (RFC 8301)
Algorithm: rsa-sha256 standard
Survives forwarding: yes, signature travels with message
Selector rotation: 6 months per M3AAWG
Per-service selectors: yes, isolation and diagnostics

The two mechanisms complement each other rather than overlap. DMARC enforcement requires SPF or DKIM to pass with alignment to the From domain, which means a single passing mechanism is sufficient at the technical level. In practice the recommendation is to operate both because the failure modes differ: SPF breaks during forwarding (mailing lists, automatic forwards, shared inbox setups) where DKIM survives intact; DKIM breaks when message content is modified by intermediate gateways (signature footers added, character set conversions) where SPF still passes because the envelope is unchanged. Operating both gives the program two independent paths to alignment and the DMARC pass rate stays high even when one mechanism fails on a particular message.

The 10 DNS lookup ceiling · how it breaks · why subdomains beat flattening

The math of the 10-lookup ceiling.

The cumulative DNS lookup budget is the most common preventable SPF failure in 2026. The visualization below maps a typical multi-ESP setup against the hard ceiling. Once the cumulative count crosses 10, the result is permerror and SPF fails for every email at the domain, not just the emails routed through the over-budget ESP.

Common 2026 multi-ESP scenario · cumulative cost

Google Workspace + Microsoft 365 + SendGrid + Mailchimp = 12 lookups

Exceeds the RFC 7208 ceiling by 2 · result: SPF permerror

12 / 10 over budget

The breakdown: include:_spf.google.com costs 4 lookups (1 for the include plus 3 for the netblocks Google references internally), include:spf.protection.outlook.com costs 3 lookups, include:sendgrid.net costs 3 lookups, include:servers.mcsv.net (Mailchimp) costs 2 lookups. Total 12 against the 10-lookup ceiling. The receiving providers see this as SPF permerror and treat all email from the domain as authentication-failed. The subdomain segmentation remediation routes each ESP to its own subdomain with an independent 10-lookup budget so the budget never compounds across services.

Sample sender inventory from a real EMP assessment

Sending source	Category	SPF lookups	Status before EMP
Google Workspace corp.example.com	Corporate mail	4 lookups	OK on subdomain
SendGrid transactional sender	Transactional	3 lookups	Apex include · over budget
Mailchimp marketing sender	Marketing automation	2 lookups	Apex include · over budget
HubSpot crm.example.com	CRM sequences	2 lookups	DKIM at 1024-bit
Freshdesk support sender	Helpdesk	2 lookups	Selector never rotated
Stripe third-party billing	Transactional vendor	1 lookup	Vendor managed
Former employee SendGrid unauthorized	Orphan account	3 lookups	To be terminated
Internal mail server apex example.com	Internal SMTP	0 lookups (ip4)	OK

The orphan SendGrid account on row 7 is the type of finding that surfaces consistently in EMP assessments. The previous employee provisioned a SendGrid account against a corporate credit card, configured the SPF include on the apex, and left the organization without removing the configuration. The account is still active, still consuming 3 lookups against the budget, and still capable of sending email signed as the customer domain if the credentials were captured. The inventory phase identifies these orphan accounts as the highest-priority remediation items because they combine two risks: contributing to the lookup budget exhaustion and presenting an active attack surface that the customer security team had not been monitoring.

Two additional patterns appear in the inventory data with sufficient frequency to call out. First, the 1024-bit DKIM finding on row 4 traces to HubSpot domains configured before 2022 when the platform defaulted to 1024-bit; HubSpot now offers 2048-bit selectors but the upgrade is not automatic and requires customer-initiated rotation in the dashboard. Second, the unrotated Freshdesk selector on row 5 traces to the initial Freshdesk setup which uses a selector name that the customer team never changed. The EMP rotation calendar schedules both upgrades and rotations across the engagement window.

DNS records that get published · subdomain segmentation in action

What the DNS zone looks like after EMP.

The before-and-after DNS zone fragments below show the difference between the over-budget apex configuration and the subdomain-segmented setup that EMP publishes. Each subdomain carries its own 10-lookup budget and the apex domain reserves a minimal record for internal mail.

Before · apex domain over budget 12 lookups · permerror

# example.com TXT (apex domain · single SPF record)
example.com.  3600  IN  TXT  "v=spf1 include:_spf.google.com include:spf.protection.outlook.com include:sendgrid.net include:servers.mcsv.net include:_spf.hubspot.com include:freshdesk.com -all"

# Cumulative cost: 4 + 3 + 3 + 2 + 2 + 2 = 16 lookups
# Result at receivers: SPF permerror across all email from example.com

After · subdomain segmentation budget per subdomain · all green

# example.com TXT (apex · internal mail only)
example.com.  3600  IN  TXT  "v=spf1 ip4:203.0.113.10 ip4:203.0.113.11 -all"

# corp.example.com TXT (Google Workspace)
corp.example.com.  3600  IN  TXT  "v=spf1 include:_spf.google.com -all"

# trans.example.com TXT (SendGrid transactional)
trans.example.com.  3600  IN  TXT  "v=spf1 include:sendgrid.net -all"

# marketing.example.com TXT (Mailchimp)
marketing.example.com.  3600  IN  TXT  "v=spf1 include:servers.mcsv.net -all"

# crm.example.com TXT (HubSpot)
crm.example.com.  3600  IN  TXT  "v=spf1 include:_spf.hubspot.com -all"

# support.example.com TXT (Freshdesk)
support.example.com.  3600  IN  TXT  "v=spf1 include:freshdesk.com -all"

# Each subdomain has its own 10-lookup budget
# Cumulative cost never compounds across services

DKIM · versioned selectors per service 2048-bit RSA · rsa-sha256

# Google Workspace selector
google-2026q3._domainkey.corp.example.com.  3600  IN  TXT  "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA..."

# SendGrid selector (SendGrid uses sg-prefixed by convention)
sg-2026q3._domainkey.trans.example.com.  3600  IN  TXT  "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQ..."

# Mailchimp selector (Mailchimp uses k1, k2, k3 conventions)
k1._domainkey.marketing.example.com.  3600  IN  TXT  "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC..."

# Next rotation cycle published in advance (Q1 2027)
google-2027q1._domainkey.corp.example.com.  3600  IN  TXT  "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA..."

# Rotation rule: never reuse selector names after deletion
# Older messages signed with deleted selectors fail verification

The setup process · five phases · 5 to 30 business days depending on tier

How the implementation runs end-to-end.

The phases run sequentially with the largest variable being DNS and ESP access. With read-write access provided on day 1 the timelines compress by 2-3 days. Without access the discovery phase extends to gather credentials and validate authority before any DNS changes are proposed.

Phase 01

Day 1-3

Discovery + inventory

Bilateral NDA, sender inventory across marketing, transactional, CRM, helpdesk, internal mail, third-party vendors. Orphan account identification.

Phase 02

Day 3-5

SPF strategy

Subdomain segmentation design per dmarcian, lookup budget validation per subdomain, void lookup audit, apex SPF minimization.

Phase 03

Day 5-7

DKIM keys

2048-bit RSA key generation per service, versioned selector naming, DNS TXT publication, ESP signing configuration.

Phase 04

Day 7-11

Cutover

ESP From address migration to subdomain, propagation wait, seed testing across Gmail, Yahoo, Microsoft, Apple Mail, alignment validation.

Phase 05

Day 11-14

Monitoring

DMARC aggregate report monitoring 30 days, rotation calendar handoff, documentation, optional DMARC enforcement migration starts.

Transparent pricing · four SPF DKIM tiers

From single ESP to enterprise multi-domain.

All four tiers are fixed-fee with no hourly billing. The DMARC push combined tier resolves both the foundational authentication and the policy enforcement in a single engagement at a discount versus running the two engagements separately.

Single ESP

One ESP + internal · 5-7 days.

$1,450 USD fixed

SPF inventory + publication
DKIM 2048-bit + selector
Alignment validation Gmail + Microsoft
30-day post-deployment monitoring
12-month rotation calendar
Documentation handoff

Start Single ESP

Multi ESP

Up to 5 sources · best fit most.

$2,900 USD fixed

Subdomain segmentation per dmarcian
Per-source DKIM keys + selectors
Full alignment audit 4 providers
30-day monitoring
12-month rotation calendar
10-14 business day delivery

Start Multi ESP

Enterprise

Multi-domain · platform.

$5,800 USD fixed

Multi-tenant subdomain strategy
DKIM inventory all signing surfaces
Alignment 5 providers + ProtonMail
60-day monitoring + weekly check-ins
24-month rotation calendar
21-30 calendar day delivery

Discuss Enterprise

Plus DMARC Push

Combined SPF + DKIM + DMARC.

$4,400 USD fixed

Multi ESP setup included
30-day DMARC aggregate parsing
Policy ramp 25 / 50 / 100 percent
Full enforcement migration
Unauthorized sender identification
Saves $850 vs running separately

Start combined

What the email engineer, CTO, and marketing ops ask

The real questions before signing the SPF DKIM SOW.

"Can we just flatten the SPF record instead of using subdomains?"

Flattening works but the operational tradeoffs are significant. ESP IP ranges change without notice; SendGrid adds new ranges, Google rotates netblocks, the flattened record becomes stale within weeks. The choice is between paying for an automated re-flattening service that runs continuously or accepting silent SPF degradation. Subdomain segmentation routes each ESP to its own subdomain (marketing.example.com via Mailchimp, transactional.example.com via SendGrid) and each subdomain carries its own 10-lookup budget. dmarcian published the subdomain-vs-flattening analysis and Tim Draegen, DMARC coauthor, recommends subdomain segmentation explicitly. Flattening remains the right answer when subdomain segmentation is structurally unavailable, typically because the customer brand requires the apex domain for all marketing-facing email; in those cases EMP deploys flattening with an automated refresh service.

"Our DKIM is at 1024-bit and has been working fine. Why upgrade?"

RFC 8301 mandates 2048-bit minimum for senders. Gmail and Yahoo now explicitly prefer 2048-bit and may downgrade reputation signals for 1024-bit senders, which means the 1024-bit key works in the sense that DKIM verifies but the overall sender reputation carries a structural downgrade. 1024-bit RSA keys are at the edge of current computational attack capability; M3AAWG considers 2048-bit immune to brute-force in today's environment. The upgrade is straightforward with the rotation procedure: generate the new 2048-bit key, publish in DNS under a new selector, switch the signing service after propagation, deprecate the 1024-bit key. The transition happens without any visible delivery impact when executed in the right order. Customers with 1024-bit keys deployed years ago typically have several other authentication hygiene gaps that the inventory phase surfaces; the upgrade is rarely the only finding.

"How do we discover unauthorized senders during the inventory?"

The inventory uses three data sources to construct the complete sending surface. First, 30-60 days of DMARC aggregate reports parsed for every IP that has attempted to send as the domain; legitimate sources show up in volume, illegitimate sources show up as small-volume tails. Second, customer interviews with marketing operations, sales operations, customer success, and IT to identify SaaS tools deployed by individual teams; this captures the long tail of tools that send transactional email (DocuSign, Calendly, scheduling tools, payment processors). Third, vendor contract review against finance records to identify former employee accounts and deprecated services that still hold active sending credentials. The output is the sender inventory document which the customer security team uses as the authoritative list going forward. Common findings: 3-7 orphan accounts in mid-size organizations, 10-25 in enterprise.

"What is the relationship between this engagement and DMARC enforcement?"

SPF DKIM setup is the prerequisite for DMARC enforcement. DMARC defines the policy (none, quarantine, reject) and the alignment requirement (the From domain must match the SPF or DKIM domain). If SPF is in permerror or DKIM signing is broken, moving DMARC from p=none to enforcement creates immediate delivery failures for legitimate email. The SPF DKIM Multi ESP engagement followed by DMARC Push is the recommended sequence for organizations not yet at enforcement; the combined Plus DMARC Push tier runs both phases in a single engagement at a discount. Organizations already at enforcement with degraded authentication face a different remediation: SPF DKIM cleanup must execute without disrupting the enforcement that is already in place, which constrains the migration to additive changes only and is operationally more complex.

"Why does EMP recommend separate DKIM keys per service instead of one?"

Three reasons. Isolation: if a private key is compromised at one service (SendGrid breach, employee laptop stolen with Mailchimp credentials cached), the exposure is contained to that service rather than the whole signing surface. Independent rotation: each service rotates on its own schedule without coordination overhead; some ESPs require advance notice for selector changes that would otherwise force the rotation of all services in lockstep. Diagnostics: DMARC aggregate reports identify the source of signing problems by selector, so a DKIM failure from Mailchimp shows up in reports as the Mailchimp selector failing rather than as a generic domain failure. The selector naming convention follows the M3AAWG pattern: google-2026q3._domainkey for Google Workspace, sg-2026q3._domainkey for SendGrid, k1._domainkey for Mailchimp (Mailchimp uses k1, k2, k3 selectors by convention), freshdesk-2026q3._domainkey for Freshdesk.

"What if we discover during inventory that our SPF is already in permerror?"

The inventory phase commonly surfaces this finding when organizations have accumulated 4 or more ESPs over time. The remediation is the SPF DKIM Setup engagement itself; the subdomain segmentation strategy resolves the permerror by routing each ESP off the apex into its own subdomain with an independent budget. The engagement does not require any prerequisite work; if the customer is in permerror at discovery time, the engagement is exactly the right answer. The DMARC enforcement question is separate: if the customer is in permerror at p=none, the impact is degraded but not catastrophic because p=none does not act on the authentication failure; if the customer is in permerror at p=quarantine or p=reject, the impact is immediate delivery failure and the engagement must be expedited. EMP runs the expedited variant of the engagement (1 week for Single ESP, 1 week for Multi ESP) at 25 percent premium for organizations in active permerror at enforcement.

SPF DKIM Setup FAQ

What engineering and operations teams ask before signing.

What is the 10 DNS lookup limit and why does it break SPF?

RFC 7208 section 4.6.4 caps SPF evaluation at 10 DNS lookups per validation:

Counted: include, a, mx, ptr, exists, redirect
Not counted: ip4, ip6, all
Cumulative: budget applies across full include chain
Void limit: 2 lookups returning NXDOMAIN
Result: permerror fails ALL email at the domain

include:_spf.google.com alone costs 4 lookups (1 + 3 netblocks). 3-4 ESPs commonly reach 9-12 lookups.

Why subdomain segmentation over SPF flattening?

Flattening tradeoffs:

Flattening: replaces includes with direct IPs, breaks when ESP IPs change
Subdomains: each subdomain has own 10-lookup budget, structural fix
dmarcian recommendation: subdomain segmentation as default approach
Annual maintenance: subdomains require review only when ESP changes

EMP deploys flattening only when subdomain segmentation is structurally unavailable.

What DKIM key length and algorithm does EMP deploy?

2048-bit RSA with rsa-sha256:

RFC 8301: mandates 2048-bit minimum for senders
Gmail/Yahoo: prefer 2048-bit explicitly
Cisco IronPort: known issues above 2048-bit
4096-bit: available on request for compliance
TXT splitting: handled by modern DNS providers

How does DKIM selector rotation work?

M3AAWG procedure:

Cadence: 6 months baseline, quarterly for sensitive mail
Generate new key pair with versioned selector name
Publish public key in DNS, wait 24-48 hours propagation
Switch signing service to new private key
Observe DMARC reports 7-14 days for clean alignment
Deprecate old selector after propagation

Critical rule: never reuse selector names after deletion.

Do we need separate DKIM keys per sending service?

Yes, per-service selectors recommended:

Isolation: key compromise contained to one service
Independent rotation: per-service schedules
Diagnostics: DMARC reports show failures by selector
Naming pattern: service + date + key length

Example: google-2026q3, sg-2026q3, k1 (Mailchimp), freshdesk-2026q3.

What if we discover unauthorized senders during inventory?

Common findings during inventory:

Former employee SendGrid/Mailchimp accounts still active
SaaS tools added by teams without IT coordination
Vendors sending without From domain authorization
Test services that were never decommissioned

Remediation: legitimate sources authorized via SPF/DKIM, illegitimate terminated, spoofing sources rejected by subsequent DMARC enforcement.

Will this break our existing email during the migration?

Migration sequence is non-disruptive:

DKIM: additive only (new selectors published before signing service uses them)
SPF: new subdomain published first, sender migrated, then apex removed
Overlap window: 24-72 hours per migration step with both paths valid
Change windows: scheduled outside peak campaigns

No customer in EMP 2024-2026 history has experienced delivery outage during migration.

How long does the setup take?

Standard timelines:

Single ESP: 5-7 business days
Multi ESP (3-5 sources): 10-14 business days
Enterprise multi-domain: 21-30 calendar days
Expedited (+25%): Single ESP 3 days, Multi ESP 7 days

DNS access on day 1 compresses timelines 2-3 days.

Start SPF DKIM setup. Sender inventory delivered in 3 business days.

The scheduling call gathers the four data points required to size the engagement: current DMARC policy status (p=none, p=quarantine, or p=reject), number of ESPs and SaaS tools sending as the domain, current DKIM key length (1024-bit or 2048-bit) and last rotation date, multi-domain scope. With those four points EMP issues a fixed-fee quote within 48 hours. Bilateral NDA signed before any DNS or ESP access is granted. The sender inventory document is delivered within 3 business days regardless of tier; the SPF and DKIM publication phases follow based on tier selection.

Start setup Free 48h audit instead

Bilateral NDA in 48h · Mon-Fri 9-18 GMT-5 · Atrium Tower Floor 15