Do I need to set up DMARC for subdomains?

Key findings

• Default inheritance: DMARC policies set on a parent domain usually apply to all its subdomains by default.
• Explicit override: Publishing a dedicated DMARC record for a subdomain will override the inherited policy from the parent domain.
• The sp tag: The subdomain policy tag (sp) within the parent DMARC record specifies how DMARC handles subdomains that do not have their own explicit policy. For further details on DMARC policies, read our guide on DMARC policies for organizational domains and subdomains.
• Policy precedence: A DMARC record directly on a subdomain takes precedence over the sp tag of the parent domain, ensuring specific control when needed.

Key considerations

• Consistency vs. control: Decide whether a uniform DMARC policy across all subdomains is sufficient or if granular control is required for specific sending subdomains.
• Vendor requirements: Some email service providers may explicitly recommend or require DMARC records for specific sending subdomains they manage. For more information, read do subdomains need their own DMARC records.
• Simplified deployment: For many, relying on the parent domain's inherited policy (perhaps with an sp tag) is sufficient and simplifies management.
• Preventing abuse: Ensure that even inactive subdomains are covered by a DMARC policy to prevent their use in spoofing or phishing attempts.
• Understanding inheritance: VerifyDMARC.com explains DMARC and subdomain inheritance, detailing how DMARC records affect subdomains.

Key opinions

• Default assumption: Many marketers initially assume that setting DMARC on the primary domain is sufficient for all subdomains.
• Vendor guidance: Email service providers, such as HubSpot, frequently advise or require specific DMARC records for sending subdomains, regardless of parent domain inheritance.
• Granular control: While inheritance is standard, some marketers choose explicit subdomain records for enhanced control over their email streams and reputation, as discussed on Quora regarding DMARC subdomain application.
• Simplicity over complexity: There's a preference for straightforward setup (e.g., v=DMARC1; p=none; rua=whatever) when more complex configurations are not strictly necessary.

Key considerations

• DNS record creation: Marketers need clear guidance on creating and adding DMARC TXT records to their DNS provider settings. You can find out more on how to set up DMARC records for subdomains.
• Policy alignment: Consider if a subdomain's email policy (for example, p=quarantine) needs to differ from the parent domain's, especially for marketing or transactional emails.
• Third-party sending: When using third-party services to send emails from subdomains, ensuring proper DMARC alignment can be more complex and may necessitate specific subdomain records.
• Troubleshooting: Understanding DMARC reports for subdomains is vital for identifying authentication failures and maintaining strong sender reputation.
• Choosing the right tools: Using a DMARC record generator can simplify the creation of DMARC records, whether for the main domain or subdomains.

Key opinions

• Precedence: An explicit DMARC policy (p=) set directly on a subdomain always overrides the parent domain's subdomain policy (sp=) tag.
• Strategic use cases: Explicit subdomain DMARC records are valuable when dealing with tools that don't properly walk the DNS tree, or when you lack full DNS control over the main domain.
• Policy enforcement: The sp tag provides a default policy for subdomains without their own specific record, as DuoCircle clarifies in their explanation of the DMARC 'sp' tag.
• Balancing control: It's often a balance between the simplicity of inherited policies and the need for granular control for specific sending profiles or legacy systems.

Key considerations

• Conflict resolution: Understand how the subdomain's own p tag interacts with the parent's sp tag to avoid unexpected policy enforcement. Find more in our list of DMARC tags and their meanings.
• Policy choice: Deliberate policy choices (none, quarantine, or reject) for subdomains can significantly impact deliverability and security, as detailed in our guide on DMARC record placement best practices.
• Ease of deployment: Sometimes, deploying DMARC via a simple template that includes subdomain records can be less work than customizing for inheritance.
• Reporting: Regardless of whether inheritance is used, ensure DMARC reporting (rua, ruf) is correctly configured to monitor subdomain email traffic.

Key findings

• RFC 7489: The DMARC specification, RFC 7489, outlines the rules for domain and subdomain policy application, including inheritance and the role of the sp tag.
• Subdomain Policy (sp) tag: This tag, set in the organizational domain's DMARC record, defines the policy for subdomains that do not publish their own specific DMARC records.
• Explicit override: If a subdomain has its own DMARC record, that record's policy (p=) takes precedence over the parent domain's sp tag, as described by NsLookup.io regarding DMARC record usage for subdomains.
• No implicit exclusion: Subdomains are always covered by DMARC either through inheritance or an explicit record.

Key considerations

• DNS record structure: Ensure DMARC records are correctly published as TXT records in DNS for both organizational domains and any specific subdomains. For examples, see DMARC record and policy examples.
• Policy enforcement: The chosen policy (p=none, p=quarantine, p=reject) for subdomains should align with the organization's security posture and risk tolerance. Learn more in a simple guide to DMARC, SPF, and DKIM.
• Preventing misconfiguration: Careful planning is needed to avoid conflicting policies between parent and subdomain records that could impact legitimate email delivery.
• RFC compliance: Adhering to the DMARC RFC (Request for Comments) ensures interoperability and consistent interpretation by email receivers globally.