Suped

Summary

The general consensus among experts, email marketers, and documentation is that adding explicit DMARC records for subdomains is a recommended practice, especially if the subdomain sends email. While subdomains inherit the DMARC policy of the organizational domain via the 'sp' tag, creating explicit records provides increased clarity, better security through preventing spoofing and phishing, and improved maintainability. This explicit approach also allows different policies to be applied to specific subdomains if needed. However, some email marketers intentionally disable DMARC for certain subdomains used for marketing due to concerns that strict DMARC policies might impact deliverability and revenue.

Key findings

  • Enhanced Security: Explicit DMARC records on subdomains help prevent spoofing and phishing attacks, enhancing overall brand security.
  • Improved Clarity and Maintainability: Explicit records make it clearer that a subdomain is intentionally sending email, and an explicitly defined DMARC policy improves maintainability.
  • Policy Control: Explicit records allow for more granular control and the ability to apply different policies to various subdomains, especially when different mail streams are present.
  • Inheritance: Subdomains inherit the DMARC policy of the organizational domain (via the 'sp' tag) if no explicit record exists.

Key considerations

  • Email Marketing Impact: DMARC might block legitimate email marketing messages, impacting revenue. Disabling DMARC for marketing-specific subdomains might be considered, but this must be balanced with security risks.
  • Administrative Overhead: Adding explicit records for each subdomain increases administrative overhead compared to relying solely on inheritance from the organizational domain.
  • Policy Variance: If subdomains require different DMARC policies from the organizational domain, explicit records are necessary; otherwise, inheritance may suffice but offer less transparency.
  • Mail Stream Handling: Consider the specific handling requirements for different mail streams originating from each subdomain when determining whether to create explicit DMARC records.

What email marketers say

11 marketer opinions

The consensus is that adding explicit DMARC records for subdomains is generally a good practice, especially if those subdomains send email. Explicit DMARC records provide clarity, enhance security by preventing spoofing and phishing attacks, and improve email deliverability. However, some marketers disable DMARC for subdomains used for email marketing due to concerns that DMARC might cause legitimate emails to be blocked, thus impacting revenue. Ultimately, the decision depends on the organization's specific needs and risk tolerance.

Key opinions

  • Enhanced Security: Explicit DMARC records on subdomains protect against spoofing and phishing attacks, bolstering brand security.
  • Improved Deliverability: Implementing DMARC on subdomains authenticates email sources, leading to better email deliverability and consistent policies.
  • Clarity and Control: Explicit records offer clarity and control over subdomain email policies, avoiding reliance solely on the organizational domain's settings.
  • Simplified Management: Maintaining individual DMARC records simplifies management and mitigates unintended implications from changes to the main domain's policy.

Key considerations

  • Email Marketing Impact: DMARC might inadvertently block legitimate email marketing messages, potentially affecting revenue; some disable DMARC for marketing subdomains.
  • Policy Differences: If subdomains require different email policies, explicit DMARC records are essential; otherwise, the organizational policy might suffice but is less transparent.
  • Risk Tolerance: The decision to implement DMARC on subdomains depends on the organization's risk tolerance and the potential trade-off between security and deliverability.

Marketer view

Email marketer from Email Geeks explains that DMARC, by design, will cause a percentage of legitimate, fully aligned messages to not reach inboxes due to recipient-side configurations, so they disable it for email marketing, pointing out the financial risks this could pose.

25 Nov 2023 - Email Geeks

Marketer view

Email marketer from EmailProviderFAQ explains that adding DMARC records to subdomains is important for brand protection. Explicitly defining these policies can prevent spoofing and phishing attacks, enhancing overall security.

31 Oct 2024 - EmailProviderFAQ

What the experts say

4 expert opinions

Experts generally recommend adding explicit DMARC records for subdomains that send mail, even if the policy is the same as the organizational domain. This makes the intent clearer and improves maintainability. Subdomains inherit the organizational DMARC policy (specifically the `sp=` setting) if no explicit record exists, so creating a subdomain record is primarily necessary when a subdomain requires a policy different from the primary domain.

Key opinions

  • Clarity of Intent: Explicit DMARC records clarify that a subdomain is intentionally sending email and has a defined DMARC policy, as opposed to implicitly relying on the organizational domain's `sp=` policy.
  • Maintainability: Explicit records improve maintainability, making it easier to manage DMARC policies for individual subdomains.
  • Inheritance: Subdomains inherit the organizational DMARC policy if no explicit record exists.

Key considerations

  • Policy Differences: Explicit records are necessary only when a subdomain requires a DMARC policy that differs from the organizational domain.
  • Administrative Overhead: While beneficial, adding explicit records increases administrative overhead compared to relying on inheritance.

Expert view

Expert from Spam Resource (John Levine) explains that DMARC policies on subdomains work the same way as on top-level domains. You should add an explicit DMARC record on subdomains if you want a policy different from the main domain.

19 Sep 2021 - Spam Resource

Expert view

Expert from Email Geeks explains that if a subdomain will be used for mail, it's probably good to add an explicit DMARC record for the subdomain, even if it’s the same as it’d get by inheriting the sp= from the organizational domain.

26 Sep 2022 - Email Geeks

What the documentation says

4 technical articles

Technical documentation from Google, Microsoft, DMARC.org, and RFC7489 indicates that while DMARC policies apply to all subdomains by default, it is best practice to implement explicit DMARC records for each subdomain. Subdomains inherit the DMARC policy of the organizational domain via the 'sp' tag. Publishing a DMARC record on the subdomain overrides this inherited policy and allows for specific handling of mail streams. Implementing DMARC across all subdomains helps prevent spoofing and malicious emails.

Key findings

  • Inheritance: Subdomains inherit the DMARC policy of the organizational domain through the 'sp' tag if they lack their own DMARC record.
  • Overriding Policies: A subdomain can override the inherited DMARC policy by publishing its own DMARC record.
  • Spoofing Prevention: Implementing DMARC across all domains and subdomains helps prevent attackers from spoofing your domains to send malicious emails.
  • Explicit Definition: Creating specific DMARC records for subdomains allows for explicitly defining email policies for each subdomain.
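
How a receiver arrives at the effective policy for a subdomain, as an added example that is not from the cited documentation: it follows RFC 7489 policy discovery, including section 6.3's rule that an organizational record without `sp` applies its `p` value to subdomains. Assumptions: the TXT records are constructed samples, and `org_domain` is supplied by the caller because deriving it requires the Public Suffix List.

```python
# Constructed sample TXT records keyed by DNS name (not real DNS data).
SAMPLE_TXT = {
    "_dmarc.example.com": "v=DMARC1; p=reject; sp=quarantine; rua=mailto:dmarc@example.com",
    "_dmarc.news.example.com": "v=DMARC1; p=none",
    "_dmarc.example.org": "v=DMARC1; p=reject",
}


def parse_dmarc(txt):
    """Parse a DMARC TXT record into a tag dict, or None if it is not a DMARC1 record."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    # The version tag must come first and must be exactly DMARC1.
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        return None
    tags = {}
    for part in parts[1:]:
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def effective_policy(from_domain, org_domain, txt=SAMPLE_TXT):
    """Return (policy, record_name) for the RFC5322.From domain.

    org_domain is an assumption supplied by the caller (hypothetical parameter).
    Returns (None, None) when no DMARC record applies.
    """
    from_domain = from_domain.lower().rstrip(".")
    org_domain = org_domain.lower().rstrip(".")

    # Step 1: a record published at the exact From domain wins.
    own_name = f"_dmarc.{from_domain}"
    own = parse_dmarc(txt.get(own_name, ""))
    if own and "p" in own:
        return own["p"].lower(), own_name

    # Step 2: otherwise fall back to the organizational domain only.
    # Intermediate parents (e.g. news.example.com for a.news.example.com)
    # are not consulted in RFC 7489 discovery.
    if from_domain != org_domain:
        org_name = f"_dmarc.{org_domain}"
        org = parse_dmarc(txt.get(org_name, ""))
        if org and "p" in org:
            # 'sp' governs subdomains; when absent, 'p' applies to them too.
            return org.get("sp", org["p"]).lower(), org_name

    return None, None
```

In the sample data, `a.news.example.com` resolves to the organizational `sp=quarantine`, not to the `p=none` published at `news.example.com`, which is one reason to audit every sending hostname rather than only its parent.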

Key considerations

  • Mail Stream Handling: Consider specific handling requirements for mail streams originating from different subdomains when deciding whether to override inherited policies.
  • Default Policy: If a subdomain lacks a DMARC record and no 'sp' tag is specified in the organizational record, the effective policy defaults to p=none.

Technical article

Documentation from RFC7489 states that the DMARC 'sp' tag in the organizational domain's DMARC record specifies the policy for subdomains. If a subdomain has its own DMARC record, it overrides the 'sp' policy. It will be p=none if an 'sp' tag is not specified.

21 Feb 2025 - RFC Editor

Technical article

Documentation from DMARC.org states that subdomains inherit the DMARC policy of the organizational domain via the 'sp' tag, but a subdomain can override this by publishing its own DMARC record. This allows for specific handling of mail streams originating from different subdomains.

25 May 2022 - DMARC.org
