Summary

Setting up DMARC for subdomains involves creating a TXT record in DNS for each subdomain, named `_dmarc.subdomain.example.com`. Subdomains inherit the main domain's DMARC policy by default if no specific policy is defined, but you can specify a different policy for each subdomain for tailored email authentication and reporting. It is highly recommended to implement DMARC at the organizational level first. Set the initial DMARC policy to 'p=none' and include the `rua` tag so that you receive reports and can monitor traffic, then gradually raise the policy to 'p=quarantine' or 'p=reject' after careful observation and adjustments based on email traffic. Use tools like MXToolbox to verify record configuration. New subdomains should be warmed up with small sending volumes. Make sure the DMARC record is well formed, with correct syntax and placement within the DNS zone, to avoid misconfigurations; also create an A record pointing to the mail server and configure SPF. Consider using dedicated IP addresses for new subdomains.

Key findings

  • TXT Records: Create separate TXT records for each subdomain in DNS settings, named `_dmarc.subdomain.example.com`.
  • Policy Inheritance: Subdomains inherit the main domain's DMARC policy by default.
  • Organizational DMARC: Implement DMARC at the organizational level first.
  • Monitoring First: Start with a 'p=none' policy for monitoring traffic and reports.
  • Verification Tools: Use tools like MXToolbox to verify record configuration.
  • Warming Up: Warm up new subdomains with small sending volumes.
  • Well-Formed Records: A well-formed record is essential to prevent misconfigurations.

Key considerations

  • Reporting: Include reporting options (`rua` tag) in DMARC records for traffic analysis.
  • Policy Adjustment: Adjust DMARC policies based on monitoring reports.
  • SPF Configuration: Ensure SPF is configured correctly before implementing DMARC.
  • Dedicated IPs: Consider using dedicated IP addresses for new subdomains.
  • A Record: Create an A record pointing to the mail server.
  • Phased Deployment: Implement in phases: 'p=none', then 'p=quarantine', then 'p=reject'.
  • Proper DNS Syntax: Pay close attention to DNS syntax and placement.

What email marketers say

8 marketer opinions

Setting up DMARC for subdomains involves creating TXT records in the DNS settings for each subdomain, specifying the desired DMARC policy (e.g., p=none, p=quarantine, p=reject) and reporting options. It's generally recommended to first implement DMARC at the organizational level. Initial setup should start with a 'p=none' policy to monitor traffic and reports, then adjust to stricter policies based on the traffic. Tools like MXToolbox can be used to verify record configuration. Warming up new subdomains with small sending volumes is crucial. Ensure an A record points to the correct mail server, and configure SPF before DMARC. Dedicated IP addresses should also be considered for new subdomains.

Key opinions

  • TXT Records: Create separate TXT records for each subdomain in DNS settings.
  • Policy Setting: Start with a 'p=none' policy for monitoring.
  • Organizational DMARC: Implement DMARC at the organizational level first.
  • Verification Tools: Use tools like MXToolbox to verify record configuration.
  • Subdomain Warmup: Warm up new subdomains with small sending volumes.

Key considerations

  • Reporting: Include reporting options in DMARC records for traffic analysis.
  • Policy Adjustment: Adjust DMARC policies based on monitoring reports.
  • SPF Configuration: Ensure SPF is configured correctly before implementing DMARC.
  • Dedicated IPs: Consider using dedicated IP addresses for new subdomains.
  • A Record: The A record must point to the correct mail server.

Marketer view

Email marketer from Gmass shares that if you're setting up new subdomains, you should strongly consider using dedicated IP addresses and properly warming them up as per the guidance of your email service provider.

12 Sep 2023 - Gmass

Marketer view

Email marketer from StackOverflow explains that you must create an A record that points to the correct mail server when setting up a new subdomain. SPF must then be configured and tested, followed by DMARC. The DMARC policy should be set to 'none' for initial testing, then quarantine/reject later.

14 Nov 2022 - StackOverflow

What the experts say

2 expert opinions

Setting up DMARC records for subdomains requires careful attention to syntax and placement within the DNS zone to avoid misconfigurations that can harm deliverability. A phased approach to deployment is recommended, starting with monitoring ('p=none'), then testing ('p=quarantine'), and finally enforcing ('p=reject') to carefully observe and adjust email flows.

Key opinions

  • Well-Formed Record: DMARC record must have correct syntax and DNS placement.
  • Phased Deployment: Implement DMARC in phases for careful observation.

Key considerations

  • Misconfiguration Impact: Misconfigurations can negatively impact email deliverability.
  • Policy Progression: Start with 'p=none', then 'p=quarantine', and finally 'p=reject'.
  • Email Flow Observation: Observe email flows and adjust DMARC settings as needed.

Expert view

Expert from Spam Resource (Steve Linford) emphasizes the importance of a well-formed DMARC record for subdomains, including the correct syntax and placement within the DNS zone. He warns that misconfigurations are common and can negatively impact deliverability.

4 Nov 2023 - Spam Resource

Expert view

Expert from Word to the Wise (Laura Atkins) recommends a phased approach to DMARC deployment for subdomains, starting with a 'p=none' policy for monitoring, followed by 'p=quarantine' for testing, and finally 'p=reject' for full enforcement. This strategy allows for careful observation of email flows and adjustments as needed.

23 Jul 2021 - Word to the Wise

What the documentation says

4 technical articles

Setting up DMARC for subdomains involves creating a TXT record in the DNS settings for each subdomain. Subdomains inherit the main domain's DMARC policy by default if a specific policy isn't defined. You can specify a different policy for each subdomain for tailored email authentication, reporting, and stricter rules. DMARC policy queries first check for an exact subdomain match; otherwise, they query for the organizational domain's policy. Testing the DMARC record is vital to ensure correct implementation and policy enforcement.

Key findings

  • TXT Record Creation: Create a TXT record in the DNS settings for each subdomain.
  • Policy Inheritance: Subdomains inherit the main domain's DMARC policy by default.
  • Custom Policies: Specify different DMARC policies for each subdomain.
  • Policy Query Order: DMARC policy queries check for exact subdomain matches first.

Key considerations

  • Tailored Authentication: Subdomain-specific policies allow tailored email authentication.
  • Reporting: Custom policies enable specific reporting for each subdomain.
  • Testing: Test DMARC record implementation to ensure correct policy enforcement.
  • Stricter Rules: Implement stricter DMARC rules for specific subdomains as needed.

Technical article

Documentation from RFC 7489 (the DMARC standard) specifies how subdomains inherit DMARC policies from the organizational domain. It explains that a policy query for a subdomain should first check for an exact match. If there is no match, it should query for the organizational domain's policy. This allows both subdomain-specific and inherited policies.

2 Feb 2025 - RFC Editor

Technical article

Documentation from DMARC.org details that subdomains, by default, inherit the DMARC policy of the organizational domain if a specific subdomain policy isn't defined. To implement a specific policy, create a TXT record under '_dmarc.subdomain.yourdomain.com' with the desired DMARC settings. This allows for tailored email authentication and reporting per subdomain.

9 Apr 2023 - DMARC.org
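The lookup order and record naming described in the two articles above, as an added Python example that is not taken from RFC 7489, DMARC.org or any cited source. The zone contents, the function names and the choice to pass the organizational domain in as a parameter are assumptions (receivers derive it from a public suffix list), and the check is a linter's simplification that treats any record without a valid `p` as unusable. It also applies the `sp` tag, which RFC 7489 defines as the policy an organizational record sets for its subdomains.

```python
VALID_POLICIES = {"none", "quarantine", "reject"}

# Constructed sample zone: TXT values keyed by owner name (not real DNS data).
ZONE = {
    "_dmarc.example.com": ["v=DMARC1; p=reject; sp=quarantine; rua=mailto:dmarc@example.com"],
    "_dmarc.news.example.com": ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"],
    "_dmarc.bad.example.com": ["p=reject; v=DMARC1"],  # v= is not the first tag
}

def parse_dmarc(txt):
    """Return the record's tags as a dict, or None if it is not well formed."""
    tags = []
    for part in (p.strip() for p in txt.split(";")):
        if not part:
            continue
        name, sep, value = part.partition("=")
        if not sep:
            return None
        tags.append((name.strip().lower(), value.strip()))
    # v=DMARC1 must be the first tag, and p must carry a known policy.
    if not tags or tags[0] != ("v", "DMARC1"):
        return None
    record = dict(tags)
    if record.get("p", "").lower() not in VALID_POLICIES:
        return None
    if record.get("sp", "none").lower() not in VALID_POLICIES:
        return None
    return record

def discover_policy(from_domain, org_domain, zone):
    """Return (name whose record was used, policy applied to from_domain)."""
    from_domain = from_domain.lower().rstrip(".")
    org_domain = org_domain.lower().rstrip(".")
    for name in dict.fromkeys((from_domain, org_domain)):
        # Keep only well-formed DMARC records among the TXT values at this name.
        found = [r for r in map(parse_dmarc, zone.get("_dmarc." + name, [])) if r]
        if not found:
            continue            # nothing usable here: fall back to the org domain
        if len(found) > 1:
            return name, None   # several DMARC records: no policy is applied
        record = found[0]
        # sp= only matters when a subdomain falls back to the org record.
        if name != from_domain and "sp" in record:
            return name, record["sp"].lower()
        return name, record["p"].lower()
    return None, None
```

The malformed record at `bad.example.com` is skipped, so that subdomain silently falls back to the organizational record, which is the kind of misconfiguration a record check should surface before a policy is tightened.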
