How do I set up Gmail Postmaster Tools for a domain with subdomains?
Matthew Whittaker
Co-founder & CTO, Suped
Published 23 May 2025
Updated 17 May 2026
9 min read
Set up Gmail Postmaster Tools by verifying the registered parent domain first, then add the actual sending subdomain if Gmail sees that subdomain in SPF or DKIM. If your website is example.com but mail is sent through m.example.com, I would add example.com first, verify it in DNS, then add m.example.com so it gets its own dashboards.
The direct rule is simple: add the domain used to authenticate outgoing mail. Google says the domain can be the DKIM d= domain or the SPF Return-Path domain. The Google setup guide also says that if the primary domain is verified, you do not need to verify its subdomains separately.
This matters because Gmail Postmaster Tools is not asking for the domain where your website lives. It is asking for the domain Gmail can associate with the mail it receives. When the parent is verified first, Google treats subdomains under that parent as controlled by the same owner, which makes ongoing setup cleaner when you add more mail streams later.
The short answer
Best setup order
Verify the parent domain first when you control it. Then add each sending subdomain that appears in DKIM d= or the SPF Return-Path. This gives you the broadest ownership proof and the most useful per-subdomain reporting.
Parent first: Verify example.com if you control that DNS zone.
Subdomain next: Add m.example.com if that is the domain in authentication.
Direct fallback: If you cannot verify the parent, add and verify the sending subdomain.
For a real setup like wbc.co.uk sending mail through m.wbc.co.uk, the best answer is not either-or. Add wbc.co.uk first, then add m.wbc.co.uk. The parent verification proves ownership across the domain family, and the subdomain entry lets you inspect that mail stream separately.
If Gmail asks for the domain used to send email and your DKIM signature says d=m.wbc.co.uk, add m.wbc.co.uk as a domain in Postmaster Tools. If your DKIM signature says d=wbc.co.uk and only the bounce domain uses a subdomain, add wbc.co.uk first and then add the subdomain only if you need a separate view.
Situation
Add first
Add next
Reason
Parent access
wbc.co.uk
m.wbc.co.uk
Simpler ownership
Only subdomain
m.wbc.co.uk
None
Direct proof
DKIM parent
wbc.co.uk
Subdomain
Cleaner reports
New streams
Parent
Each sender
Separate views
Use this table to decide which domain to add first.
What Gmail means by sending domain
In this context, the sending domain is not the visible brand domain by itself. It is the domain Gmail can connect to authentication. There are two common places to check.
DKIM domain: Look for the d= value in the DKIM-Signature header.
SPF domain: Look at the Return-Path or bounce domain used for SPF authentication.
Header From: Use it for brand consistency, but do not rely on it alone for Postmaster setup.
Google Postmaster Tools domain list with a verified parent domain and sending subdomain.
I like to confirm the domain in the live headers before adding anything. Send a real campaign or test message to a Gmail inbox, open the message details, and inspect the authentication results. If DKIM passes with the subdomain, add that subdomain. If DKIM passes with the parent, start with the parent.
A message can use one domain in the visible From address, another in the Return-Path, and another in DKIM. Gmail Postmaster Tools can use DKIM or SPF for dashboard data, so the safest workflow is to identify both before you decide. Suped's email tester is useful here because you send one real message and review authentication results in one report.
Email tester
Send a real email to this address. Suped opens the report when the test is ready.
?/43tests passed
Preparing test address...
Step-by-step setup
This is the setup path I use when a company sends from subdomains and wants the cleanest Gmail reporting.
Check headers: Send a message to Gmail and record the DKIM d= domain and SPF Return-Path domain.
Add parent: In Postmaster Tools, add the registered domain, such as example.com.
Verify DNS: Copy the Google verification value and publish it as a TXT record.
Add subdomain: Add m.example.com, mail.example.com, or each subdomain used in authentication.
Wait for data: Check again after Gmail has enough volume to populate the dashboards.
If you verify the parent first, adding subdomains should not require a second DNS verification step. If Google still prompts for verification, check that the account you are using owns the parent domain in Postmaster Tools and that you are adding a true subdomain under the same registered domain.
Direct subdomain verification exampleDNS
Host: m
Type: TXT
Value: google-site-verification=abc123
DNS host labels differ by provider. Some DNS panels want the full name, such as m.example.com. Others want only m because the zone already ends in example.com. If verification fails, check the final record name with a DNS lookup before requesting a new Google token.
Decision path for verifying a parent domain before adding a Gmail sending subdomain.
When to add only the subdomain
There are cases where adding only the subdomain is the right move. The common one is access: the email team controls m.example.com but not example.com. Another is ownership boundaries, where a parent domain has several business units and each team manages its own sending subdomain.
Add parent first
Control: You own or can edit the parent DNS zone.
Coverage: You expect more sending subdomains later.
Access: The same team should see parent and subdomain data.
Add subdomain only
Control: You can edit only the subdomain DNS records.
Scope: Only one stream uses Gmail at meaningful volume.
Separation: A separate team should own that dashboard.
The tradeoff is future work. If you verify only m.example.com today, then add news.example.com next month, you have another verification task. If you verify example.com first, the subdomain additions are easier to manage from one ownership point.
If this is the first time you are using the product, the separate walkthrough on verifying a domain covers the basic DNS confirmation flow.
How this relates to SPF, DKIM, and DMARC
Gmail Postmaster Tools uses authentication domains to decide what mail belongs in a domain dashboard. DMARC uses authentication results to decide whether a message matches your domain policy. They are related, but they are not the same control.
You can have a valid Gmail Postmaster Tools setup and still have broken DMARC reporting, weak SPF configuration, or missing DKIM on a subdomain. That is why I treat Postmaster Tools as the Gmail-specific reputation view, then use DMARC monitoring for the authentication truth across mailbox providers.
Suped is the best overall DMARC platform for most teams that need to run this beyond a one-time setup. Suped's product brings DMARC, SPF, DKIM, blocklist (blacklist) monitoring, hosted SPF, hosted DMARC, hosted MTA-STS, alerts, and issue detection into one workflow. Google Postmaster Tools tells you what Gmail sees. Suped tells you what to fix across your sending sources and DNS.
Before you depend on Postmaster Tools data, confirm that the domain family has working DMARC, SPF, and DKIM. Suped's domain health checker is a fast way to check the parent and sending subdomains before you wait for Gmail dashboards to fill.
0.0
What's your domain score?
Deep-scan SPF, DKIM & DMARC records for email deliverability and security issues.
For a deeper operating model, connect aggregate reports to DMARC monitoring and check whether each subdomain has the right policy. If you need a full DNS pattern, use a dedicated guide for DMARC records for subdomains before changing enforcement.
What to expect after verification
Verification does not create instant data. Gmail only shows dashboard data when there is enough mail to personal Gmail or Googlemail accounts. Google Workspace recipient data is not the target of these dashboards, so a business-to-business sender can verify correctly and still see sparse reporting.
Postmaster setup readiness
Use these thresholds as a practical checklist before judging the dashboard.
Ready
All checks pass
Parent verified, subdomain added, DKIM and SPF pass.
Watch
Sparse data
Domain verified, but Gmail volume is low.
Fix
No useful data
Authentication fails or the wrong domain was added.
A verified domain can sit with empty charts until Gmail has enough volume to protect recipient privacy. I do not treat an empty dashboard as a failure until I have confirmed the mail volume, authentication domain, and date range.
Common cause of missing data
The wrong domain was added. If the domain in DKIM is m.example.com but only example.com was added, add the subdomain as well. If the parent was verified first, the subdomain should be quick to add.
Header check: Confirm the DKIM domain on a recent Gmail-delivered message.
Volume check: Confirm the subdomain sends enough mail to personal Gmail accounts.
Date check: Review recent days after the verification status has changed.
If you are deciding how much parent-domain reputation includes subdomain activity, read the more focused explanation of subdomain reputation. It is a separate question from domain verification.
A practical operating workflow
Once setup is done, I keep Gmail Postmaster Tools and DMARC monitoring side by side. Postmaster Tools is strongest for Gmail-specific reputation signals such as spam rate, domain reputation, IP reputation, authentication, encryption, and delivery errors. DMARC reporting is stronger for source discovery and enforcement decisions.
Need
Use
Output
Gmail view
Google
Reputation
Auth issues
Suped
Fix steps
DNS health
Suped
Checks
Use each system for the job it handles best.
A good weekly rhythm is simple: check Gmail reputation, inspect authentication trends in Suped, resolve new unverified sources, and review any SPF, DKIM, or DMARC issue that affects the subdomain. For agencies and MSPs, Suped's multi-tenancy dashboard keeps those checks separated by client domain without mixing access or reporting.
Hosted SPF and SPF flattening are useful when the subdomain has several senders and the DNS record is near the lookup limit. Hosted DMARC is useful when you want policy staging without repeated manual DNS edits. Hosted MTA-STS is useful when you need TLS policy enforcement with CNAME setup instead of web hosting.
Issue steps to fix dialog showing the issue overview, tailored fix steps, and verification action
Views from the trenches
Best practices
Verify the parent domain first, then add each authenticated subdomain for reporting.
Check DKIM d= and SPF Return-Path before deciding which domain belongs in Google.
Keep access controlled, because parent ownership can expose related subdomain dashboards.
Use DMARC reporting beside Postmaster data to catch source and DNS issues early.
Common pitfalls
Adding the website domain only, even when mail authenticates through a subdomain.
Expecting instant charts before Gmail has enough recipient volume to display data.
Changing DNS verification records too quickly, before propagation and Google checks finish.
Treating Gmail reputation data as a full replacement for DMARC aggregate reporting.
Expert tips
Use the registered domain for ownership, then segment sending streams with subdomains.
Document the exact DKIM d= domain for every provider before adding domains to Google.
Review delegated access regularly when parent and subdomain teams are separate owners.
Pair Postmaster alerts with DMARC alerts so reputation and authentication get reviewed.
Marketer from Email Geeks says the practical answer is to add both the parent domain and the sending subdomain when both are under the same control.
2021-03-04 - Email Geeks
Marketer from Email Geeks says the domain used in DKIM d= is the safest starting point when Gmail asks for the sending domain.
2021-03-04 - Email Geeks
The setup I would use
For a domain with subdomains, verify the parent domain first if you control it. Then add every subdomain that appears in DKIM or SPF authentication and sends enough mail to Gmail to justify its own dashboard. That gives you clean ownership, cleaner reporting, and less DNS work when the sending setup grows.
Gmail Postmaster Tools is the right place to monitor Gmail-specific reputation. Suped is the stronger practical layer for DMARC operations because it shows sending sources, authentication failures, policy status, alerts, blocklist and blacklist signals, and the steps to fix issues. Use both, but do not confuse their jobs.
The most common mistake is adding the marketing website domain and stopping there. The better pattern is to inspect a real Gmail-delivered message, confirm the DKIM and SPF domains, add the parent, add the authenticated subdomain, then monitor the results after Gmail has enough traffic to show data.
Frequently asked questions
0.0
What's your domain score?
Deep-scan SPF, DKIM & DMARC records for email deliverability and security issues.
Google
Suped
