Suped

How does DMARC policy application work with subdomains and CNAME records?

Summary

DMARC policy application to subdomains defaults to inheriting the parent domain's policy, unless a specific subdomain policy (sp=) is defined. DMARC records are TXT records queried via DNS; CNAME records can interfere if improperly configured but can be helpful for applying the same policy across multiple domains. Wildcard CNAMEs are generally discouraged. Tools like MXToolbox evaluate a subdomain's DMARC record in light of the organizational domain's policy. The configuration involves defining version, policy, subdomain policy, and reporting. Setting explicit DMARC records for each subdomain and validating the records are highly recommended.

Key findings

  • Default Inheritance: Subdomains inherit the DMARC policy of the parent domain unless specifically overridden.
  • TXT Record Preference: DMARC relies on TXT records; CNAME usage requires careful consideration.
  • CNAME Interference Risk: Improper CNAME configurations can disrupt DMARC validation.
  • Wildcard CNAMEs Bad: Wildcard CNAMEs are generally discouraged due to potential issues.
  • MXToolbox Interpretation: MXToolbox considers organizational domain policies with CNAMEs.
  • Explicit Subdomain Records: Setting specific DMARC records for each subdomain is recommended.

Key considerations

  • Subdomain Policy Choice: Decide whether to inherit policies or define specific ones for each subdomain.
  • CNAME Configuration Accuracy: Carefully configure CNAME records and ensure they are properly resolving.
  • TXT as Best Practice: Default to using TXT records for DMARC whenever possible.
  • Wildcard Avoidance: Avoid wildcard CNAMEs in DMARC configurations.
  • Validation Importance: Thoroughly validate all DMARC records using available tools.
  • Domain and DNS Access: Must have access to DNS records to publish DMARC Policy.

What email marketers say

10 marketer opinions

DMARC policy application to subdomains defaults to inheriting the parent domain's policy unless a specific subdomain policy (sp=) is defined. CNAME records can be used, but with caution, as improper configurations can lead to unexpected behavior or DMARC validation failures. Using TXT records directly is generally recommended. MXToolbox interprets DMARC records with CNAMEs based on organizational domain policies when 'sp=' is absent. While CNAMEs can help manage policies across multiple domains, wildcard CNAMEs are discouraged.

Key opinions

  • Default Inheritance: Subdomains inherit the DMARC policy of the parent domain unless a specific subdomain policy is defined.
  • CNAME Caution: Using CNAME records for DMARC can be problematic and may lead to validation issues.
  • TXT Recommendation: Creating DMARC records using TXT records directly is generally the safest approach.
  • MXToolbox Interpretation: MXToolbox considers organizational domain policies when CNAME redirects to subdomains lacking an 'sp=' tag.
  • CNAME for Multi-Domains: CNAME can be useful when one has multiple domains and wants to apply the same policy to all of them.

Key considerations

  • Subdomain Policies: Explicitly define subdomain policies (using 'sp=' tag) to avoid unintended policy inheritance.
  • CNAME Configuration: Carefully configure CNAME records for DMARC to prevent disruptions in DMARC validation.
  • TXT Simplicity: Consider using TXT records for DMARC to simplify configuration and reduce potential issues.
  • Wildcard Avoidance: Avoid using wildcard CNAMEs with DMARC, as they can lead to unpredictable behavior.
  • Validation Testing: Thoroughly test DMARC configurations, especially those involving CNAME records, to ensure proper validation.

Marketer view

Email marketer from Email Geeks explains that MXToolbox interprets a DMARC record redirecting via CNAME to a subdomain of an organizational domain without an 'sp=' tag as treating the DMARC policy as p=none, based on the organizational domain's policy.

11 Jun 2023 - Email Geeks

Marketer view

Email marketer from Easydmarc explains that implementing a CNAME in DMARC is useful when one has multiple domains and wants to apply the same policy to all of them. A single DMARC record can be created and CNAME records created for the rest of the domains to this single DMARC record. You should ensure that the CNAME is set for the DMARC record.

15 Dec 2023 - Easydmarc

What the experts say

4 expert opinions

DMARC policy and CNAME interaction is complex. Wildcard CNAMEs are generally discouraged, while using wildcard records for DMARC reporting may work. DMARC directly queries DNS for TXT records, not CNAMEs. Subdomains can have independent DMARC policies, but if absent, the parent domain's policy applies. Explicit DMARC records for each subdomain are recommended.

Key opinions

  • Wildcard CNAMEs Discouraged: Wildcard CNAMEs are generally not a good practice.
  • DMARC and TXT Records: DMARC looks up TXT records directly, not CNAMEs.
  • Wildcard Reporting: Wildcard usage for _report records in DMARC may work effectively.
  • Subdomain Independence: Subdomains can have individual DMARC policies.
  • Policy Inheritance: If a subdomain lacks a DMARC policy, the parent domain's policy is inherited.

Key considerations

  • Avoid Wildcard CNAMEs: Steer clear of using wildcard CNAMEs due to potential complications.
  • Direct TXT Records: Ensure DMARC relies on properly configured TXT records in DNS.
  • Reporting Configuration: Configure appropriate wildcard or explicit records for DMARC reporting.
  • Subdomain Specificity: Determine if subdomains require their own DMARC policies, or if inheritance is sufficient.
  • Explicit Subdomain Records: Consider creating explicit DMARC records for each subdomain to ensure clarity.

Expert view

Expert from Email Geeks states DMARC doesn't directly interact with CNAMEs; it only looks up TXT records in DNS. The DNS returns the record as a text record.

19 May 2024 - Email Geeks

Expert view

Expert from Email Geeks suggests that wildcard CNAMEs are generally not a good practice and it's better to fix them instead of trying to diagnose issues caused by them.

19 May 2024 - Email Geeks

What the documentation says

5 technical articles

DMARC policies apply to all subdomains by default unless a specific subdomain policy (sp=) is defined. DMARC records are TXT records in DNS and include version, policy, and optional subdomain policies. The DNS is queried for '_dmarc.[domain]' TXT records. CNAME records can interfere if not configured correctly. Implementing DMARC requires access to DNS records to publish the policy.
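The lookup and inheritance rules described above can be followed step by step in code. The script below is an added example, not code from Suped or any of the cited sources: it models DNS with a constructed in-memory zone (the example.com, example.org and example.net names are assumed), chases CNAMEs the way a resolver would before handing back the TXT data, parses the tag-value record, and then applies the RFC 7489 section 6.6.3 discovery order: the subdomain's own _dmarc record first, then the organizational domain's record with sp= taking precedence over p= for subdomains. The organizational-domain helper is a deliberate simplification (last two labels); real checkers use the Public Suffix List.

```python
"""Resolve the DMARC policy that applies to a sending domain (added example).

Assumption: DNS is replaced by the constructed ZONE table below so the script
runs offline; a real checker issues the same TXT queries through a resolver.
"""

VALID_POLICIES = ("none", "quarantine", "reject")
MAX_CNAME_HOPS = 8

# Constructed zone data (assumed example names). Keys are owner names,
# values are (rtype, rdata) exactly as a DNS zone would hold them.
ZONE = {
    "_dmarc.example.com": ("TXT", "v=DMARC1; p=reject; sp=quarantine; rua=mailto:dmarc@example.com"),
    "_dmarc.mail.example.com": ("TXT", "v=DMARC1; p=none; rua=mailto:dmarc@example.com"),
    "_dmarc.shop.example.com": ("CNAME", "_dmarc.example.com"),   # CNAME to the parent's record
    "_dmarc.reports.example.com": ("TXT", "v=DMARC1; rua=mailto:dmarc@example.com"),  # no p= tag
    "_dmarc.broken.example.com": ("TXT", "v=DMARC1; sp=reject"),  # no p=, no rua=: unusable
    "_dmarc.example.org": ("TXT", "v=DMARC1; p=quarantine"),       # no sp=: p= covers subdomains
}


def lookup_txt(name, zone=ZONE):
    """Return TXT data for name, chasing CNAMEs the way a resolver does.

    DMARC itself only asks for TXT; the CNAME is resolved underneath it.
    Returns None when the name is absent, the chain loops or runs too deep,
    or the chain ends at a non-TXT record.
    """
    name = name.lower().rstrip(".")
    for _ in range(MAX_CNAME_HOPS):
        rr = zone.get(name)
        if rr is None:
            return None
        rtype, rdata = rr
        if rtype == "TXT":
            return rdata
        if rtype != "CNAME":
            return None
        name = rdata.lower().rstrip(".")
    return None


def parse_dmarc(txt):
    """Parse a DMARC tag-value record into a dict, or None if it is unusable."""
    pairs = []
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            return None
        key, value = part.split("=", 1)
        pairs.append((key.strip().lower(), value.strip()))
    # v=DMARC1 must be the first tag, otherwise this is not a DMARC record.
    if not pairs or pairs[0][0] != "v" or pairs[0][1].upper() != "DMARC1":
        return None
    tags = dict(pairs)
    for tag in ("p", "sp"):
        if tag in tags:
            tags[tag] = tags[tag].lower()
    if tags.get("p") not in VALID_POLICIES or tags.get("sp", "none") not in VALID_POLICIES:
        # RFC 7489 s6.6.3 step 6: a missing/invalid p= (or invalid sp=) is
        # treated as p=none when a rua= URI is present; otherwise no DMARC
        # processing happens at all.
        if tags.get("rua", "").startswith("mailto:"):
            tags["p"] = "none"
            tags.pop("sp", None)
        else:
            return None
    return tags


def organizational_domain(domain):
    """Assumption: organizational domain = last two labels.

    Production code must use the Public Suffix List (e.g. 'co.uk' suffixes).
    """
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def effective_policy(from_domain, zone=ZONE):
    """RFC 7489 s6.6.3 policy discovery for the RFC5322.From domain.

    Returns (policy, domain_the_record_came_from), or (None, None) when no
    usable record exists and the receiver applies no DMARC processing.
    """
    from_domain = from_domain.lower().rstrip(".")
    txt = lookup_txt("_dmarc." + from_domain, zone)
    rec = parse_dmarc(txt) if txt else None
    if rec:
        # A record at the domain itself always wins; its own sp= never
        # applies to itself, only to domains below it.
        return rec["p"], from_domain
    org = organizational_domain(from_domain)
    if org == from_domain:
        return None, None
    txt = lookup_txt("_dmarc." + org, zone)
    rec = parse_dmarc(txt) if txt else None
    if not rec:
        return None, None
    # Subdomain inheriting from the org domain: sp= if present, else p=.
    return rec.get("sp", rec["p"]), org


if __name__ == "__main__":
    for d in ("example.com", "mail.example.com", "news.example.com",
              "shop.example.com", "reports.example.com", "broken.example.com",
              "www.example.org", "a.b.example.net"):
        print(f"{d:24} -> {effective_policy(d)}")
```

Two outcomes are worth noticing when you run it. news.example.com has no record of its own and inherits sp=quarantine from example.com, while shop.example.com, whose _dmarc name is a CNAME to the parent's record, gets p=reject: once the CNAME is chased the record is treated as the subdomain's own, so the parent's sp= tag is not what applies. That is exactly why a CNAME that silently copies a parent record can produce a different policy than inheritance would, and why validating the resolved record for each subdomain is recommended.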

Key findings

  • Default Subdomain Policy: DMARC applies to all subdomains unless overridden.
  • TXT Record Structure: DMARC records are TXT records with specific tags (v=, p=, sp=).
  • DNS Query: DNS is queried for '_dmarc.[domain]' TXT records.
  • CNAME Interference: CNAME records can disrupt DMARC if improperly configured.
  • DNS Access Required: Implementing DMARC needs access to the DNS zone file.

Key considerations

  • Subdomain Specificity: Decide whether to use the default policy or create specific subdomain policies.
  • Correct Syntax: Use the correct DMARC record syntax, including version and policy tags.
  • CNAME Alternatives: Carefully consider the implications of using CNAME records and explore alternatives.
  • DNS Access: Ensure appropriate access to DNS records.
  • Record Validation: Validate DMARC record syntax and propagation using online tools.

Technical article

Documentation from dmarc.org explains that a DMARC policy applies to all subdomains unless a specific subdomain policy (sp=) is defined. If a subdomain policy is absent, the domain's DMARC policy is inherited.

14 Apr 2023 - dmarc.org

Technical article

Documentation from RFC7489 details the DMARC record lookup process, stating that the DNS is queried for a TXT record named '_dmarc.[domain]'. CNAME records can interfere with this process if not handled correctly.

3 Nov 2023 - RFC Editor
