Yes, absolutely. A DMARC policy published for your organizational domain (the registered domain, such as example.com) applies by default to every subdomain that does not publish a DMARC record of its own. This is a fundamental feature of how DMARC is designed to work, ensuring that your entire domain ecosystem is protected, not just the top-level domain.
This inheritance mechanism is crucial for comprehensive email security. Without it, you would need to create and manage separate DMARC records for every single subdomain you use, which for many organizations would be an administrative nightmare. This default behavior ensures a baseline level of protection across all subdomains, even those you might forget about.
While the default inheritance is useful, you might not want the same DMARC policy for all your subdomains. For example, your corporate emails might be sent from example.com, while marketing emails go out from marketing.example.com. These might have different authentication setups.
This is where the sp (subdomain policy) tag comes in. By adding this tag to your organizational domain's DMARC record, you can specify a different policy that applies only to subdomains that have no DMARC record of their own; when sp is absent, the p policy applies to them.
For example, let's say your DMARC record for example.com looks like this:
v=DMARC1; p=reject; rua=mailto:dmarc@example.com
In this case, the p=reject policy applies to example.com and all its subdomains. If you want to set a more lenient policy, like quarantine, for your subdomains, you would modify the record to include the sp tag:
v=DMARC1; p=reject; sp=quarantine; rua=mailto:dmarc@example.com
Now, the reject policy applies only to the main domain, while the quarantine policy applies to all subdomains. It's important to remember that you can also publish an explicit DMARC record on a subdomain itself (at _dmarc.marketing.example.com), and a receiver that finds one uses it instead of anything inherited from the parent. Two caveats for practitioners: the receiver checks the exact From domain first and then falls straight to the organizational domain (determined using the Public Suffix List), so a record on an intermediate subdomain does not cover deeper subdomains under it; and an sp tag only matters on the organizational domain's record, because that is the only record consulted for subdomains that lack their own.
The policy you choose instructs receiving mail servers what to do with emails that fail DMARC authentication checks (neither SPF nor DKIM passes with an aligned domain). As Mailgun points out, a DMARC policy tells Internet Service Providers (ISPs) how to handle mail that fails these checks. There are three policy options you can set for both the p and sp tags: none, which asks receivers to deliver the message normally and only send reports (the monitoring stage); quarantine, which asks them to treat the message as suspicious, typically routing it to spam; and reject, which asks them to refuse the message outright during the SMTP transaction.
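The lookup order described above, as an added example that is not part of the original article: a small resolver that applies the RFC 7489 record discovery rules (exact From domain first, then the organizational domain, using sp when present and falling back to p), including the rule that a record with an invalid p or sp is treated as p=none only if it carries a rua tag. DNS is replaced by a constructed in-memory dictionary, and the organizational domain is approximated as the last two labels; a real implementation would query _dmarc.<domain> TXT records and consult the Public Suffix List.

```python
"""Resolve the effective DMARC policy for a From: domain (added example).

Assumptions: ZONE is a constructed stand-in for DNS (name -> TXT at
_dmarc.<name>), and organizational_domain() uses the last two labels
instead of the Public Suffix List.
"""

VALID_POLICIES = {"none", "quarantine", "reject"}

# Constructed sample zone, mirroring the article's example.com records.
ZONE = {
    "example.com": "v=DMARC1; p=reject; sp=quarantine; rua=mailto:dmarc@example.com",
    "legacy.example.com": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "example.net": "v=DMARC1; p=reject; rua=mailto:dmarc@example.net",
}


def parse_dmarc(txt):
    """Parse 'tag=value; tag=value' into a dict, or None if not a usable record."""
    tags = {}
    first = True
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            return None
        key, value = (s.strip() for s in part.split("=", 1))
        key = key.lower()
        # v=DMARC1 must be the first tag, otherwise this is not a DMARC record.
        if first and (key != "v" or value.upper() != "DMARC1"):
            return None
        first = False
        tags[key] = value
    if "v" not in tags:
        return None
    # RFC 7489 section 6.6.3: a missing/invalid p, or an invalid sp, is treated
    # as p=none when rua= is present; otherwise the record is discarded.
    bad_p = tags.get("p") not in VALID_POLICIES
    bad_sp = "sp" in tags and tags["sp"] not in VALID_POLICIES
    if bad_p or bad_sp:
        if "rua" not in tags:
            return None
        tags["p"] = "none"
        tags.pop("sp", None)
    return tags


def organizational_domain(domain):
    """Approximation: last two labels. Real receivers use the Public Suffix List."""
    labels = domain.split(".")
    return ".".join(labels[-2:]) if len(labels) > 2 else domain


def resolve_policy(from_domain, zone=ZONE):
    """Return (policy, domain_whose_record_applied), or (None, None) if no policy."""
    from_domain = from_domain.lower().rstrip(".")
    # Step 1: a record on the exact From domain wins outright (its own p= applies).
    rec = parse_dmarc(zone.get(from_domain, ""))
    if rec:
        return rec["p"], from_domain
    # Step 2: otherwise fall straight to the organizational domain. Note that an
    # intermediate subdomain's record is never consulted for deeper subdomains.
    org = organizational_domain(from_domain)
    if org == from_domain:
        return None, None
    rec = parse_dmarc(zone.get(org, ""))
    if rec is None:
        return None, None
    # sp= governs subdomains; without it, p= applies to them as well.
    return rec.get("sp", rec["p"]), org


if __name__ == "__main__":
    for d in ("example.com", "marketing.example.com", "legacy.example.com",
              "deep.legacy.example.com", "mail.example.net", "example.org"):
        print(d, "->", resolve_policy(d))
```

Run it and note deep.legacy.example.com: it inherits quarantine from example.com's sp, not none from legacy.example.com, which is exactly the single-hop lookup behaviour that surprises people who expect a subdomain record to cover everything beneath it.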
So, to recap: by default, your main DMARC policy covers your subdomains. However, you have the flexibility to set a specific policy for subdomains using the sp tag, or by creating a unique DMARC record on the subdomain itself. This layered approach allows for both broad protection and granular control over your email authentication.