How do DMARC records on subdomains override root domain DMARC policies?

Key findings

• Direct override: A DMARC record published directly on a subdomain takes precedence over the sp (subdomain policy) tag from the root or organizational domain. This means that if a subdomain has its own DMARC record, the parent's sp policy is ignored for that subdomain.
• Inheritance interruption: The existence of a DMARC record on a subdomain effectively stops the inheritance of the root domain's sp policy for any sub-sub-domains of that specific subdomain. For example, if test.com has sp=reject, but x.test.com has its own DMARC record (even without an sp tag), then test.com's sp=reject will not apply to a.x.test.com.
• Fallback for sub-sub-domains: If a sub-sub-domain, such as a.x.test.com, does not have its own DMARC record, the system will look to its immediate parent (x.test.com) for guidance. If x.test.com's record does not specify a subdomain policy via an sp tag, then no DMARC policy from x.test.com will explicitly apply to a.x.test.com.

Key considerations

• Policy management complexity: As your domain structure becomes more complex with multiple subdomains and sub-sub-domains, managing DMARC policies can become challenging. Each specific DMARC record published breaks the chain of inheritance from higher-level domains.
• DMARC record placement: You must carefully consider where to place your DMARC records to ensure the correct policies are applied. Placing a DMARC record on a subdomain essentially makes it authoritative for that subdomain and its children (if an sp tag is used). Learn more about best practices for DMARC record placement for subdomains.
• Understanding sp tag: The sp tag within a DMARC record is specific to subdomains of the domain where the record is published. If present, it dictates the policy for those subdomains, unless they have their own DMARC records. For a deeper dive, review this guide on understanding DMARC and subdomains.
• Avoiding unintended policies: Incorrect DMARC record setup, especially concerning sp tags and subdomain records, can lead to unintended 'reject' or 'quarantine' policies being applied to legitimate email traffic, resulting in significant deliverability issues. This is why it's vital to understand DMARC policy inheritance.

Key opinions

• Subdomain precedence: Marketers frequently observe that a DMARC record on a subdomain will always override any sp policy set by the root domain. This means that if x.test.com has a record, test.com's sp policy is not considered for x.test.com.
• Sub-sub-domain behavior: There's common confusion about whether a root domain's sp policy extends to sub-sub-domains if the intermediate subdomain has its own DMARC record without an sp tag. The consensus indicates that the intermediate subdomain's record breaks this deeper inheritance.
• Seeking external validation: Marketers often rely on DMARC checking tools or AI-driven insights to confirm their understanding of these complex DMARC inheritance rules, as the specifics can be counter-intuitive.

Key considerations

• Careful DMARC setup: When setting up DMARC for multiple subdomains, it's crucial to understand that each subdomain can have an independent policy, which will override the root's sp tag. This requires careful planning to avoid accidental email blocking (getting on a blocklist or blacklist, for example). Explore DMARC best practices.
• Impact on deliverability: Incorrectly configured subdomain DMARC records can lead to legitimate emails being rejected or quarantined, significantly impacting email deliverability. This is especially true for marketing or transactional emails sent from specific subdomains.
• Understanding the p tag: The primary p tag on a subdomain's DMARC record applies to that specific subdomain. If no sp tag is present in that record, then its sub-sub-domains might not inherit any explicit DMARC policy from that subdomain. This DMARC record guide for subdomains offers more insight.

Key opinions

• Direct lookup: Experts confirm that DMARC checks primarily look for a record on the 'From:' domain itself. If one exists, that record's policy applies. If not, the system then checks the organizational domain's DMARC record. Intermediate records are not considered in a continuous tree walk under the current specification.
• Inheritance termination: The presence of a DMARC record on a subdomain (`x.test.com`) stops the inheritance of the sp policy from the root domain (`test.com`) for sub-sub-domains (`a.x.test.com`). This is true even if the subdomain's record itself does not include an sp tag.
• Current vs. future DMARC: While the current DMARC specification uses the Public Suffix List (PSL) to determine the organizational domain, future revisions (DMARCbis) are expected to adopt a more explicit tree-walk approach for resolving policies. Both methods are likely to coexist for some time.

Key considerations

• Understanding the organizational domain: It's essential to correctly identify the organizational domain, as its DMARC policy applies as a fallback. Tools and the Public Suffix List aid in this determination. For more, see our guide on DMARC policies for organizational and subdomains.
• Policy application: The DMARC policy is applied based on the most specific record found for the 'From:' domain. If no record is found for the exact 'From:' domain, the policy from the organizational domain's DMARC record is used. Nothing in between.
• Mitigating risks: To prevent unintended 'reject' or 'quarantine' actions, particularly for sub-sub-domains, ensure that DMARC records are explicitly set where needed, or that the policies of intermediate subdomains are clearly defined (or are intentionally absent) to avoid unexpected inheritance breaks. Understand how to safely transition your DMARC policy.
• Stay updated on specifications: With the evolution of DMARC specifications, such as DMARCbis, it's important for experts and domain owners to stay informed about changes in how policies are resolved and applied across complex domain structures. Regularly consult official DMARC documentation or reputable sources like NsLookup.io's DMARC guide.

Key findings

• Explicit subdomain record precedence: DMARC documentation specifies that if a domain has its own DMARC record, that record's policy (`p` tag) and subdomain policy (`sp` tag) will apply, overriding any inherited `sp` policy from a higher-level domain.
• Subdomain policy (`sp`) scope: The sp tag in a DMARC record (`_dmarc.example.com`) dictates the policy for its subdomains (`sub.example.com`) only when those subdomains do not have their own DMARC record (`_dmarc.sub.example.com`).
• Inheritance termination: The presence of a DMARC record on a subdomain acts as a terminating point for policy inheritance from the parent domain's sp tag. This means even if the subdomain's record has no sp tag, it stops the root's sp from affecting its own children.

Key considerations

• Policy lookup mechanism: The DMARC specification mandates that receiving mail servers first check for a DMARC record on the exact domain in the RFC5322.From header. If absent, they then check the organizational domain, not necessarily intermediate domains, for policy guidance.
• Public Suffix List (PSL) importance: The PSL plays a critical role in determining the organizational domain, which is essential for understanding DMARC fallback policies. This list helps prevent unintended policy application for public suffixes.
• Future DMARC developments: The DMARCbis working group is exploring alternative DMARC policy discovery mechanisms, including a pure DNS tree-walk, which might simplify some of the current inheritance complexities. However, current implementations still adhere to the existing specification. The Klaviyo Help Center has information on email authentication.