Summary
Google Postmaster may require a separate TXT record for subdomains even when the main domain is verified due to several factors. These include individual subdomain registration processes, specific Google services or configurations (like Google Workspace), the need for granular control and distinct security policies, each subdomain being treated as a distinct sending source, the importance of separate SPF, DKIM, and DMARC settings, granular reporting and insights into each subdomain's reputation, multi-tenant environment security, adherence to updated security policies, and the necessity for the original domain verifier to add subdomains. Ultimately, these requirements aim to enhance security, ensure proper configuration, and improve deliverability for each subdomain.
Key findings
- Registration Method: Individually registered subdomains require separate TXT records.
- Google Services: Google Workspace and other services often necessitate subdomain verification.
- Granular Control: Separate records enable granular control and distinct security policies.
- Sending Source: Subdomains can be treated as distinct sending sources, requiring unique configurations.
- Email Authentication: Separate SPF, DKIM, and DMARC settings are crucial for each subdomain.
- Reputation Tracking: Granular reporting and insights are gained through subdomain verification.
- Security: Multi-tenant environments necessitate separate records for enhanced security.
- Updated Policies: Adherence to updated security policies may require re-verification.
- Verifier Permissions: The original domain verifier may be required to add subdomains.
Key considerations
- Registration Review: Determine if subdomains were registered individually or under the main domain.
- Service Requirements: Identify if Google Workspace or other services necessitate specific subdomain verification.
- Security Planning: Establish distinct security policies for each subdomain as needed.
- Email Configuration: Implement separate SPF, DKIM, and DMARC settings tailored to each subdomain's purpose.
- Permission Management: Ensure appropriate permissions for users adding and managing subdomains.
- Policy Monitoring: Stay informed about and compliant with Google's evolving security policies.
- Reputation Monitoring: Monitor each subdomain's reputation to proactively address deliverability concerns.
- Authentication Review: Regularly review the authentication settings to ensure each subdomain's traffic is verified.
What email marketers say
6 marketer opinions
Google Postmaster may require separate TXT records for subdomains even when the main domain is verified for several reasons. These include confirming control and proper configuration of the subdomain, treating each subdomain as a distinct sending source (especially for different types of email like marketing vs. transactional), providing granular reporting and insights for each subdomain's reputation and performance, ensuring proper authentication and authorization in multi-tenant environments, aligning with updated security policies, and facilitating distinct SPF, DKIM, and DMARC configurations to boost deliverability and protect each subdomain's sending practices.
Key opinions
- Control & Configuration: Separate TXT records confirm the subdomain is under your control and properly configured.
- Distinct Sending Source: Subdomains may be treated as distinct sending sources, especially for varied email types.
- Granular Reporting: Separate verification enables more granular reporting and insights for each subdomain's reputation.
- Multi-Tenant Security: In multi-tenant environments, separate records ensure proper authentication and authorization.
- Updated Policies: Re-verification aligns with updated security policies.
- Authentication: Allows implementation of distinct SPF, DKIM, and DMARC configurations for each subdomain.
Key considerations
- Subdomain Usage: Consider how each subdomain is used and if it requires unique configurations.
- Security Policies: Stay updated with Google's security policies for domain and subdomain verification.
- Reputation Management: Understand the reputation of each subdomain and its impact on overall deliverability.
- Email Authentication: Implement SPF, DKIM, and DMARC correctly for each subdomain to ensure proper authentication.
- Tenant Environment: In multi-tenant environments, ensure each tenant's subdomain is properly verified and secured.
Marketer view
Email marketer from Super User community shares that in a multi-tenant environment, a separate TXT record might be needed on a subdomain for verification to ensure that each tenant (or subdomain) is properly authenticated and authorized to use Google services. This prevents unauthorized access and maintains the integrity of the email ecosystem.
20 Nov 2023 - Super User
Marketer view
Email marketer from Quora suggests that Google might prompt for a subdomain TXT record because the initial domain verification was performed some time ago, and Google's security policies have since been updated. Re-verifying with a new TXT record for the subdomain brings the account in line with current standards.
27 Dec 2023 - Quora
What the experts say
3 expert opinions
Google Postmaster may require a separate TXT record for subdomains even if the main domain is already verified for several reasons, including individual subdomain registration, original domain verifier permissions, and enabling granular reputation tracking and management for each subdomain.
Key opinions
- Registration Type: If subdomains were registered individually, each requires its own record, unlike inherited verification.
- Verifier Permissions: Google may restrict subdomain addition to the original domain verifier.
- Reputation Tracking: Separate records enable granular reputation tracking for each subdomain.
Key considerations
- Registration Method: Check if subdomains were registered individually or as part of the main domain.
- Original Verifier: Ensure the user adding the subdomain has the necessary permissions.
- Subdomain Reputation: Monitor the reputation of each subdomain to address deliverability issues.
Expert view
Expert from Email Geeks explains that if the main domain is verified, any subdomain can be added without additional verification records. However, if each subdomain was registered separately, each one requires its own record.
1 Jan 2025 - Email Geeks
Expert view
Expert from Email Geeks suggests that the Google Postmaster might require the original domain verifier to add subdomains, implying permissions are tied to the user who initially verified the main domain.
14 Dec 2022 - Email Geeks
What the documentation says
3 technical articles
While Google typically allows subdomains to inherit verification from the main domain, Google Workspace and other specific configurations may require separate TXT records for subdomains to ensure granular control, apply distinct security policies, and enable specific features. This is particularly relevant when subdomains are treated as separate entities.
Key findings
- Granular Control: Separate TXT records enable granular control over subdomains.
- Security Policies: Distinct security policies may necessitate individual subdomain verification.
- Specific Features: Certain Google Workspace features require subdomain-level verification.
- Separate Entities: Subdomains treated as separate entities often need their own TXT records.
Key considerations
- Google Workspace: Determine if you're using Google Workspace, as it may have specific requirements.
- Subdomain Policies: Evaluate if distinct security policies are needed for the subdomain.
- Feature Requirements: Identify if the subdomain needs specific Google Workspace features that require verification.
- Security: Understand security implications of shared versus separate authorization.
Technical article
Documentation from Google Workspace Admin Help explains that while Google generally allows inheriting verification for subdomains once the main domain is verified, specific Google services or configurations might still require individual subdomain verification via TXT records to ensure granular control and security policies are applied correctly. This is especially true when subdomains are treated as separate entities with distinct settings.
7 Dec 2024 - Google Workspace Admin Help
Technical article
Documentation from Google Domains Help clarifies that while domain verification generally covers subdomains, there can be exceptions for Google Workspace. These exceptions require separate TXT records on the subdomain to enable specific features or enforce unique policies at the subdomain level, ensuring better segmentation and security.
28 Sep 2024 - Google Domains Help
Can I monitor email reputation for B2B G-Suite domains using Google Postmaster Tools?
Do I need to add all subdomains to Google Postmaster Tools?
Does Google Postmaster Tools domain reputation include subdomains?
Does subdomain data roll up to the root domain in Google Postmaster Tools?
How do I add a TXT record to a DNS configuration for Google Postmaster?
How do I set up Gmail Postmaster Tools for a domain with subdomains?
