How do DMARC policies and RUA/RUF settings inherit or override each other between a domain and its subdomains?

Key findings

• Default inheritance: By default, if a subdomain does not have its own DMARC record, it will inherit the DMARC policy (p=none, p=quarantine, or p=reject) from its parent or organizational domain.
• Explicit override: Publishing a DMARC record directly on a subdomain will override any inherited policy from the parent domain for that specific subdomain. This allows for tailored policies.
• Subdomain policy tag (sp): The DMARC 'sp' tag (subdomain policy) in a parent domain's DMARC record can explicitly define the policy for all subdomains that do not have their own DMARC record. This is a powerful way to manage subdomain policies centrally. DuoCircle notes that this tag specifies how DMARC handles illegitimate emails from subdomains.
• RUA/RUF inheritance: Similar to policies, RUA (aggregate report) and RUF (forensic report) addresses also inherit. If a subdomain has its own DMARC record, any RUA/RUF specified in that record will be used, overriding the parent's RUA/RUF for reports concerning that subdomain. If the subdomain record omits RUA/RUF, no reports will be sent for that subdomain unless the parent's 'sp' tag is configured for reporting.

Key considerations

• Strategic deployment: Plan your DMARC deployment, especially for subdomains, considering different sending purposes. For example, marketing emails from a subdomain might need a different policy than internal communications.
• Comprehensive monitoring: Ensure you receive DMARC aggregate reports (RUA) for all domains and subdomains. This may require setting up multiple RUA addresses if you manage subdomains with individual DMARC records. For more details on DMARC records, consult our guide.
• Consistency vs. flexibility: Decide whether to rely on default inheritance (perhaps using the 'sp' tag for blanket subdomain policies) or to explicitly define DMARC records for specific subdomains that require unique policies or reporting.
• Avoiding conflicts: Mismanagement of DMARC records across parent and subdomains can lead to unintended email blocking or missed reports. Always verify your DNS settings carefully after making changes.

Key opinions

• Subdomain policy management: There's a shared realization that subdomains can and often should have their own DMARC records to achieve specific policy goals, overriding the parent domain's settings.
• ESPs and RUA requests: It's becoming more common for ESPs to request or provide default RUA addresses for their customers' domains, primarily to meet mailbox provider requirements and monitor for spoofing, rather than always providing detailed reports back to the customer directly.
• Scope of RUA reports: Marketers are concerned that RUA reports shared with third parties will contain data on all emails from the domain, not just those sent via the specific ESP, raising privacy and data sharing questions.
• Overriding RUA/RUF: If a subdomain has its own DMARC record, including RUA/RUF addresses, these will supersede any RUA/RUF addresses defined on the parent domain, meaning the parent domain's RUA won't receive reports for that subdomain. Understanding DMARC report requirements is key.

Key considerations

• Verify ESP requirements: When an ESP requests an RUA address, clarify whether it is a strict requirement or an option for their own monitoring. This impacts your DMARC setup strategy. For general DMARC setup, eSecurity Planet provides a guide.
• Custom subdomain policies: Recognize that creating a specific DMARC record for a subdomain gives you full control over its policy and reporting, overriding any inherited settings from the parent domain.
• Reporting transparency: If sharing RUA access with a third party, understand what data they will receive and how they will use it. Consider setting up your own DMARC reporting solution to maintain full control and visibility over all your domain and subdomain policies.
• Testing and validation: Always test DMARC record changes, especially those impacting subdomains or RUA/RUF settings, to ensure the desired outcome and avoid unintended impacts on email deliverability.

Key opinions

• Policy precedence: An explicit DMARC record on a subdomain will always override the policy of the organizational domain. This provides fine-grained control for specific subdomains.
• Default inheritance: If a subdomain does not have its own DMARC record, it will indeed inherit the policy from its parent domain. This is the default behavior as outlined by VerifyDMARC documentation.
• RUA/RUF independence: If a subdomain has its own DMARC record with specified RUA/RUF addresses, these report destinations will be used for that subdomain's reports, effectively stopping those reports from being sent to the parent domain's RUA/RUF.
• Independent records: Each DMARC record, whether on the main domain or a subdomain, acts independently. This means specific configurations on subdomains (policy, reporting, percentage) do not impact other parts of the domain hierarchy.

Key considerations

• Tailored policies: Leverage explicit subdomain DMARC records to implement different policies for various sending purposes, such as a more relaxed 'p=none' for new subdomains under testing, or a stricter 'p=reject' for established, secure transactional subdomains. This is part of general DMARC best practices.
• Comprehensive reporting: To ensure full visibility, if you set individual DMARC records for subdomains, make sure each includes its own RUA address. Otherwise, you might lose valuable aggregate reports for those subdomains.
• Avoiding confusion: Clearly document your DMARC setup across all domains and subdomains to prevent confusion about which policy or reporting destination applies, especially within larger organizations. This impacts DMARC policy application.
• Consistent monitoring: While subdomains can have unique policies, it's often beneficial to monitor their DMARC reports alongside the main domain's to gain a holistic view of your email ecosystem and detect any unauthorized sending from your brand.

Key findings

• RFC 7489 guidance: The DMARC standard (RFC 7489) defines the 'sp' (subdomain policy) tag, which allows the organizational domain's DMARC record to specify a policy for all subdomains that do not have their own explicit DMARC record.
• Implicit inheritance: Absent an explicit DMARC record or 'sp' tag on a subdomain, the subdomain implicitly inherits the DMARC policy from its parent domain. This ensures continuous coverage across your domain space. The IETF Datatracker mentions key concepts of DMARC policies being published and retrieved.
• Explicit override: If a DMARC record is published directly on a subdomain, that record's policy and reporting settings will take precedence and override any inherited or 'sp' tag policies from the parent domain.
• RUA/RUF tag specificity: The 'rua' and 'ruf' tags in a DMARC record explicitly define the email addresses where aggregate and forensic reports should be sent. If a subdomain's DMARC record contains these tags, reports for that subdomain will go to the specified addresses, ignoring the parent's reporting addresses.

Key considerations

• Adherence to standards: Ensure that your DMARC records, for both parent and subdomains, conform to the official DMARC RFC standards to guarantee proper interpretation by mail receivers. A list of DMARC tags can help.
• Interaction of tags: Understand the precise interaction between the 'p' (policy) and 'sp' (subdomain policy) tags in your main DMARC record to ensure subdomains behave as intended, whether explicitly or by inheritance.
• DNS publication: Accurate DNS record publication is paramount. Incorrectly published DMARC records for parent domains or subdomains can lead to policy misapplication or report delivery failures. Refer to DMARC record examples for guidance.
• Reporting mechanisms: Implement robust DMARC reporting mechanisms to collect and analyze RUA/RUF data from all relevant domains and subdomains. This comprehensive visibility is essential for identifying and mitigating unauthorized email sending and ensuring proper authentication.