The need to set up DMARC for subdomains hinges on various factors, primarily whether the subdomain sends email. By default, subdomains inherit the parent domain's DMARC policy, but this can lead to issues if you need differing policies for subdomains. If a subdomain sends email, it *must* have its own DMARC record for authentication and protection against spoofing. If it doesn't send email, a `p=reject` policy is recommended. Subdomain policies (`p=`) take precedence over the top-level domain's subdomain policy (`sp=`), and `sp=` applies to subdomains lacking explicit policy records. Using subdomains to isolate sending reputation necessitates individual DMARC setups. Also, the reasons for having a subdomain can be the exception where granular DMARC control is needed such as for tool-specific verification, DNS template constraints or shared DNS control. Finally DMARC needs working SPF and DKIM implementations.
8 marketer opinions
Whether you need to set up DMARC for subdomains depends on several factors. By default, subdomains inherit the parent domain's DMARC policy unless a specific policy is defined for the subdomain. If a subdomain sends email, it generally requires its own DMARC record to ensure proper authentication and protection against spoofing. If a subdomain does not send email, a DMARC record with a `p=reject` policy is recommended to prevent unauthorized use. Subdomain policies (`p=`) take precedence over the top-level domain's subdomain policy (`sp=`), and `sp=` is relevant for subdomains without published policy records. Subdomains are often used to isolate sending reputation (e.g., transactional vs. marketing emails), necessitating individual DMARC configurations. If you want to handle email for a subdomain differently than the parent domain, then it requires its own DMARC record.
Marketer view
Marketer from Email Geeks answers the question by stating `sp=` is for subdomains that don’t publish policy records.
21 Nov 2021 - Email Geeks
Marketer view
Marketer from Email Geeks clarifies that subdomains are covered by the top-level domain's DMARC settings. Setting up separate DMARC for subdomains is only necessary if the subdomain's policy differs from the top-level domain.
25 Jun 2022 - Email Geeks
3 expert opinions
Implementing DMARC at the subdomain level is situation-dependent. It is beneficial when tools require exact subdomain DMARC checks, when lacking control over the entire domain's DNS or policy, or when using DNS templates without customization. Although some sources don't directly address subdomain DMARC setup, they highlight the importance of DMARC, SPF, and DKIM for comprehensive brand protection and deliverability, implying subdomain DMARC setup is a best practice.
Expert view
Expert from Spam Resource shares that while the site doesn't explicitly answer the question 'Do I need to set up DMARC for subdomains?', it offers extensive information on DMARC implementation, implying that if subdomains send email, setting up DMARC for them is best practice. It emphasizes the importance of DMARC for brand protection and deliverability across the entire domain ecosystem which include subdomains.
16 Apr 2025 - Spam Resource
Expert view
Expert from Word to the Wise does not explicitly answer if you need to set up DMARC for subdomains on the given page, but it provides information on DMARC. It states that for DMARC to work correctly, it needs proper SPF and DKIM to be setup first. Suggesting that to fully protect your brand the implementation would be needed on all subdomains.
25 Nov 2022 - Word to the Wise
3 technical articles
According to email authentication documentation from Google, DMARC.org, and Microsoft, setting up DMARC for subdomains is crucial. Each subdomain should ideally have its own DMARC record. Subdomains that send email *must* have their own DMARC record to ensure proper handling and prevent issues arising from inheriting the parent domain's policy. For subdomains that *do not* send email, a DMARC record with a `p=reject` policy is highly recommended to prevent spoofing and unauthorized use.
Technical article
Documentation from DMARC.org shares that DMARC policies apply to subdomains. If a subdomain sends email, it should have its own DMARC record. If a subdomain doesn't send email, create a DMARC record with `p=reject` to prevent spoofing.
21 Sep 2024 - DMARC.org
Technical article
Documentation from Microsoft advises that if a subdomain sends email, it must have its own DMARC record. If it doesn't, it is still affected by the parent domain's DMARC record. Also to set up a 'reject' record for all subdomains that do not send email.
5 Feb 2024 - Microsoft
Do DMARC and BIMI require p=reject to be present on the organizational domain?
Do subdomains need their own DMARC records if the main domain has one?
How do DMARC policies and RUA/RUF settings inherit or override each other between a domain and its subdomains?
How do DMARC records on subdomains override root domain DMARC policies?
How do I implement BIMI for multiple brands with subdomains?
How do I implement DMARC with BIMI on multiple subdomains?
How do I set up DMARC records for subdomains?
Should I add an explicit DMARC record for subdomains?