Summary
DMARC policies and RUA/RUF settings operate on a hierarchical inheritance and override system between a domain and its subdomains. If a subdomain has a DMARC record, it dictates the policy and RUA/RUF reporting for that subdomain. If a subdomain lacks a DMARC record, it inherits the parent domain's policy and reporting settings. This system allows for both centralized control and subdomain-specific configurations for email authentication.
Key findings
- Policy Override: A DMARC record on a subdomain overrides the parent domain's DMARC policy.
- Policy Inheritance: Subdomains without DMARC records inherit the parent domain's DMARC policy.
- RUA/RUF Specificity: RUA/RUF settings in a subdomain's DMARC record apply only to that subdomain.
- RFC7489 Compliance: RFC7489 defines the mechanisms for policy discovery and inheritance.
Key considerations
- Policy Customization: Determine which subdomains require customized DMARC policies due to unique email sending practices.
- Reporting Needs: Evaluate whether separate RUA/RUF reports are needed for subdomains to monitor authentication issues effectively.
- DNS Management: Ensure accurate and consistent DNS records for both the domain and all subdomains to maintain correct policy enforcement.
What email marketers say
4 marketer opinions
DMARC policies and RUA/RUF settings have a hierarchical behavior between a domain and its subdomains. If a subdomain possesses its own DMARC record, that record takes precedence, dictating the policy and where RUA/RUF reports are sent specifically for that subdomain. Conversely, if a subdomain lacks a DMARC record, it inherits the DMARC policy and RUA/RUF settings of its parent domain. This inheritance ensures that subdomains are also protected by DMARC even if they don't have explicitly defined policies.
Key opinions
- Override: A DMARC record on a subdomain overrides the parent domain's DMARC policy for that subdomain.
- Inheritance: Subdomains without their own DMARC record inherit the DMARC policy of the parent domain.
- RUA/RUF Behavior: RUA/RUF settings follow the same inheritance and override pattern as the overall DMARC policy.
- Report Scope: If a subdomain has its own DMARC record with RUA specified, reports will be specific to that subdomain only.
Key considerations
- Policy Specificity: Carefully consider whether subdomains require different DMARC policies than the main domain.
- Report Segregation: Evaluate whether separate RUA/RUF reports are needed for subdomains to better monitor their email authentication performance.
- Record Management: Ensure that DMARC records are correctly configured and maintained for both the domain and its subdomains to avoid unintended policy inheritance or conflicts.
Marketer view
Email marketer from EmailSecurity Blog details how a DMARC record on a subdomain takes precedence over the domain's policy. If the subdomain lacks its own record, the domain's DMARC policy is applied. The same inheritance and override apply for RUA and RUF settings.
14 Dec 2024 - EmailSecurity Blog
Marketer view
Email marketer from MXToolbox explains that if a subdomain has a specific DMARC record set, it will use that. Otherwise, it inherits from the main domain. The rua and ruf addresses would also follow this setup; a specified rua on a subdomain DMARC would only provide reports for that subdomain.
11 Dec 2021 - MXToolbox
What the experts say
4 expert opinions
DMARC policies offer flexibility in managing email authentication for domains and their subdomains. A distinct DMARC policy can be established for a subdomain, which will override the policy set at the organizational domain level. However, if a subdomain lacks its own DMARC record, it will inherit the DMARC policy of the parent domain. The RUA/RUF settings, which dictate where aggregate and forensic reports are sent, follow a similar pattern: a subdomain's DMARC record dictates the reporting for that subdomain, while inheritance occurs in the absence of a subdomain-specific record.
Key opinions
- Policy Override: Subdomain DMARC policies override organizational domain policies.
- Policy Inheritance: Subdomains without a DMARC record inherit the organizational domain's DMARC policy.
- RUA/RUF Reporting: RUA/RUF reports are governed by the DMARC record in effect for a given domain or subdomain.
- Subdomain Specificity: Subdomain records define the reporting parameters solely for that subdomain.
Key considerations
- Tailored Policies: Determine if specific subdomains require unique DMARC policies due to differing email sending practices or security requirements.
- Report Segmentation: Consider whether separate RUA/RUF reports are beneficial for individual subdomains to facilitate targeted monitoring and analysis.
- DNS Configuration: Ensure accurate DNS configuration of DMARC records for both the organizational domain and any subdomains to guarantee correct policy enforcement and reporting.
Expert view
Expert from Word to the Wise answers that if a subdomain has a DMARC record that record will be used. If a subdomain does not have its own DMARC record it will inherit the DMARC record from the domain. The RUA and RUF reports will be sent according to the record being used for the subdomain. A record on the subdomain will mean the reports will only be for that subdomain.
23 Sep 2023 - Word to the Wise
Expert view
Expert from Email Geeks explains that a DMARC policy appearing on a subdomain will override the organizational domain policy.
13 Nov 2021 - Email Geeks
What the documentation says
4 technical articles
DMARC policy management across domains and subdomains involves both inheritance and overriding mechanisms. Standard documentation confirms that subdomains inherit the DMARC policy of the organizational domain when a specific DMARC record is absent. Conversely, a DMARC record explicitly configured for a subdomain will override the organizational domain's policy, allowing for tailored security measures. RFC7489 formalizes these interactions by outlining the policy discovery and inheritance process.
Key findings
- Policy Override: Subdomain DMARC records take precedence over organizational domain policies.
- Policy Inheritance: Subdomains without explicit DMARC records inherit the organizational domain policy.
- Security Coverage: DMARC inheritance ensures basic protection for all subdomains, even without individual configurations.
- Standard Definition: RFC7489 formally defines DMARC policy discovery and inheritance.
Key considerations
- Granular Control: Consider if subdomains require unique DMARC policies to address specific security risks or email practices.
- DNS Management: Maintain accurate DNS records for both organizational domains and subdomains to ensure proper DMARC policy application.
- Policy Auditing: Regularly audit DMARC configurations to verify correct policy inheritance and prevent unintended security gaps.
Technical article
Documentation from Google Workspace Admin Help explains that a DMARC policy for a subdomain can override the policy of the parent domain. If a subdomain does not have its own DMARC record, it inherits the DMARC policy of the parent domain.
26 Mar 2022 - Google Workspace Admin Help
Technical article
Documentation from RFC7489 describes the interaction between organizational domains and subdomains within the context of DMARC. Specifically, it outlines how policy discovery and inheritance work. If a subdomain has a DMARC record it will be used otherwise the policy of the top level organizational domain will be inherited.
22 Aug 2023 - RFC7489
How do DMARC records on subdomains override root domain DMARC policies?
Do I need to set up DMARC for subdomains?
Do DMARC and BIMI require p=reject to be present on the organizational domain?
How do I set up DMARC records for subdomains?
Do subdomains need their own DMARC records if the main domain has one?
Does BIMI trickle down to subdomains and how to control subdomain BIMI display?
Are DMARC RUA and RUF tags mandatory for compliance and what are their benefits?
Do I need DMARC for transactional emails from a small website, and what are the best low-cost alternatives for sending emails if my IP is blocked?
How do I implement DMARC with BIMI on multiple subdomains?
