Summary
The optimal DMARC, DKIM, and SPF setup for marketing and transactional emails sent from different subdomains involves several key steps. Ensure SPF alignment by having the return path domain match the 'From' domain. Publish SPF records for the exact domain in the return path, considering custom vs. ESP domains and properly managing ESP 'include' statements. Create SPF records for each domain and subdomain. Subdomains inherit the DMARC policy of the main domain unless a specific DMARC record is published. Employ different DKIM selectors for each subdomain for easier identification and key rotation. Separate email types (marketing, transactional, cold emails) on different subdomains to isolate sender reputation. Initiate DMARC with a 'p=none' policy for monitoring, and gradually increase enforcement. Be mindful of SPF record lookup limits. Delegate subdomains to ESPs to mitigate SPF issues. Monitor DMARC reports, bounce rates, and IP reputation. Configure DNS records accurately and thoroughly test the setup.
Key findings
- SPF Alignment is Crucial: SPF alignment, where the 'Return-Path' and 'From' domains match, is vital for deliverability.
- SPF Records for Each Domain: SPF records should be created and carefully managed for each domain and subdomain used for sending emails.
- DMARC Policy Inheritance: Subdomains inherit DMARC policies from the main domain unless explicitly overridden with a specific DMARC record.
- Subdomain Reputation Isolation: Separating email types on different subdomains helps isolate reputation, preventing issues in one area from affecting others.
- Phased DMARC Implementation: Implementing DMARC should start with a monitoring phase ('p=none') before stricter policies are enforced.
- SPF Lookup Limit: Be aware of SPF record lookup limits to avoid authentication failures.
- DKIM Selectors: Using distinct DKIM selectors for each subdomain simplifies key rotation and identification.
- DMARC Monitoring: Continuous monitoring of DMARC reports is essential for identifying authentication issues and potential abuse.
Key considerations
- SPF Record Accuracy: Regularly review and update SPF records to ensure they accurately reflect all authorized sending sources and third-party senders.
- Subdomain Strategy: Carefully plan your subdomain structure to effectively isolate reputation and manage different email streams.
- DMARC Report Analysis: Analyze DMARC reports regularly to identify potential authentication problems and security threats.
- DNS Configuration: Ensure proper DNS configuration and testing for SPF, DKIM, and DMARC to guarantee correct authentication.
- Bounce Rate and IP Reputation: Monitor bounce rates and IP reputation to proactively address deliverability issues.
What email marketers say
11 marketer opinions
When sending marketing and transactional emails from different subdomains, it is important to configure SPF, DKIM, and DMARC properly to maintain email deliverability and protect your domain reputation. SPF alignment is achieved when the 'Return-Path' domain matches the 'From' domain. Subdomains inherit the DMARC policy of the main domain unless a specific DMARC record is published. Using separate subdomains for different email types helps isolate reputation. Start with a DMARC policy of 'p=none' and gradually increase it. Be aware of SPF record lookup limits. Use different DKIM selectors for each subdomain. Delegating subdomains to ESPs can avoid SPF issues. Monitor bounce rates and IP reputation. DMARC helps prevent phishing and spoofing and should be monitored. Separate subdomains for cold email campaigns to avoid impacting main domain reputation.
Key opinions
- SPF Alignment: Ensure SPF alignment by matching the 'Return-Path' and 'From' domains, often achieved through subdomain configuration.
- DMARC Inheritance: Subdomains inherit the main domain's DMARC policy unless explicitly overridden.
- Reputation Isolation: Separate subdomains for marketing and transactional emails isolate reputation, preventing deliverability issues in one from affecting the other.
- Phased DMARC Implementation: Start with a 'p=none' DMARC policy to monitor email streams before enforcing stricter policies.
- SPF Limit: Be mindful of SPF record lookup limits to avoid validation failures; consider flattening SPF records or using subdomains.
- DKIM Selectors: Use distinct DKIM selectors for each subdomain to facilitate identification and key rotation.
- Subdomain Delegation: Delegating subdomains to ESPs can help mitigate SPF-related challenges.
- Cold Email Separation: Separate cold email campaigns with subdomains to protect your brand.
Key considerations
- DMARC Monitoring: Actively monitor DMARC reports to identify authentication issues and potential spoofing attempts.
- Bounce Rate: Keep an eye on your bounce rates to ensure deliverability and reputation are up to standard.
- Reputation: Check your IP address reputation periodically and follow any best practices.
Marketer view
Email marketer from SendGrid explains that one of the keys to improving deliverability is to monitor bounce rates so that you can handle these bounces efficiently. They also recommend reviewing your IP address's reputation and ensuring you're following best practices.
29 Mar 2022 - SendGrid
Marketer view
Email marketer from Email Geeks explains that SPF is checked against the return path, and the only way to achieve alignment is to have the return path in the same organizational domain as the 'from' domain.
1 Jan 2025 - Email Geeks
What the experts say
4 expert opinions
When configuring DMARC, DKIM, and SPF for marketing and transactional emails sent from different subdomains, ensure that SPF records are published for the exact domain present in the return path. If using a custom domain for SPF, a specific record should be created for that domain, and the ESP include should be removed from the main domain. If using the ESP domain for SPF, the ESP include should also be removed from the main domain. Utilizing subdomains to separate email types isolates reputation, preventing marketing deliverability issues from affecting transactional emails. Regularly monitoring DMARC reports is crucial to identify authentication problems and unauthorized senders.
Key opinions
- SPF Records for Return Path: Publish SPF records for the precise domain used in the return path of your emails.
- Custom vs. ESP SPF Domains: When using a custom SPF domain, remove the ESP include from the main domain's SPF record. The same applies if using the ESP domain for SPF.
- Reputation Isolation via Subdomains: Employing subdomains for different email types (marketing, transactional) isolates sender reputation.
- DMARC Report Monitoring: Continuously monitor DMARC reports to detect authentication issues and unauthorized sending activity.
Key considerations
- Return Path SPF: Verify that the SPF record accurately reflects the domain used in your email's return path.
- ESP Include Management: Ensure that ESP 'include' statements in your main domain's SPF record are correctly managed, especially when using custom SPF domains.
- Subdomain Strategy: Plan your subdomain strategy carefully to maximize reputation isolation and minimize deliverability risks.
- DMARC Report Analysis: Regularly analyze DMARC reports to identify and address any authentication discrepancies or security threats.
Expert view
Expert from Word to the Wise emphasizes the importance of monitoring DMARC reports to identify potential issues with email authentication. They recommend analyzing the reports to understand where your emails are originating from and to identify any unauthorized senders.
7 Mar 2022 - Word to the Wise
Expert view
Expert from Spam Resource explains that using subdomains for different email types (marketing vs. transactional) allows you to isolate reputation. If your marketing emails have deliverability issues, it won't affect your transactional emails.
17 Sep 2021 - Spam Resource
What the documentation says
5 technical articles
For sending marketing and transactional emails from different subdomains, ensure that your SPF record includes all sending sources for each domain, and use `include:` statements for third-party senders. SPF records should be created for each domain and subdomain. Subdomains inherit the DMARC policy from the organizational domain unless a specific DMARC record is published, with the `sp` tag used for subdomain-specific policies. Each email sending source requires its own DKIM record, ideally using a 2048-bit key length. Proper DNS record configuration is essential for SPF, DKIM, and DMARC, requiring thorough testing.
Key findings
- Comprehensive SPF Records: SPF records must include all sending sources for each domain, leveraging `include:` statements for third-party senders.
- SPF Records per Domain/Subdomain: SPF records should be created for every domain and subdomain used for sending email.
- DMARC Policy Inheritance: Subdomains inherit DMARC policies from the organizational domain unless explicitly overridden using a dedicated DMARC record, configurable with the `sp` tag.
- Individual DKIM Records: Each email sending source requires its own unique DKIM record, with a recommended key length of 2048 bits.
- DNS Configuration: Proper DNS configuration is critical for the correct operation of SPF, DKIM, and DMARC, necessitating thorough testing.
Key considerations
- SPF Record Accuracy: Regularly review and update SPF records to ensure they accurately reflect all authorized sending sources.
- Subdomain DMARC Policies: Determine whether subdomains require specific DMARC policies or can inherit the organizational domain's policy.
- DKIM Key Management: Implement a secure process for generating, storing, and rotating DKIM keys.
- DNS Testing: Thoroughly test DNS configurations to validate the proper function of SPF, DKIM, and DMARC.
Technical article
Documentation from CloudFlare explains that in order to properly set up SPF, DKIM and DMARC for subdomains, you must also properly configure the DNS records to ensure you are authenticating the emails correctly. It recommends thoroughly testing to ensure that the setup is proper.
28 Oct 2024 - CloudFlare
Technical article
Documentation from Amazon AWS shares that in order to properly set up DKIM, each email sending source must have its own individual DKIM record set up to avoid any authentication errors. AWS recommends using a 2048 bit key length for all DKIM signatures.
26 Dec 2023 - Amazon AWS
Are SPF, DKIM, and DMARC records necessary for transactional email servers not used for marketing?
Can DKIM be set up on a subdomain, and which domain should be used for signing?
Do I need to set up DMARC for subdomains?
How do I properly set up SPF and DKIM records for email marketing, including handling multiple SPF records, IP ranges, bounce capturing, and Google Postmaster Tools verification?
How do I set up SPF and DKIM records for new subdomains when using third-party email services?
How should DMARC, SPF, and DKIM records be configured for domains that do not send email?
