Setting up DMARC (Domain-based Message Authentication, Reporting, and Conformance) for subdomains involves understanding how policies are inherited and when to create specific records. By default, a subdomain that has no DMARC record of its own inherits the policy of its organizational (parent) domain. However, there are scenarios where you want a different policy for one specific subdomain, or for all subdomains collectively, and those require explicit DNS TXT records. Proper configuration is essential for maintaining email authentication and ensuring deliverability, and it protects your brand from phishing and spoofing attacks.
Key findings
Inheritance: By default, a subdomain without its own DMARC record will inherit the policy of its organizational or parent domain. This simplifies setup for many subdomains, but may not be ideal for all sending scenarios.
Explicit policies: You can define a distinct DMARC policy for subdomains using the sp= tag in the parent domain's DMARC record, or by publishing a separate DMARC TXT record directly on the subdomain.
One record per domain: A given domain or subdomain can have only one DMARC record at its _dmarc hostname. If you publish a DMARC record for a subdomain, it overrides both the parent domain's own policy and any sp= policy set by the parent domain.
DNS TXT record: DMARC records are always published as TXT records in your DNS settings, typically at the _dmarc hostname for the respective domain or subdomain.
Authentication impact: Proper DMARC setup, alongside SPF and DKIM, is crucial for email authentication, preventing spoofing, and improving deliverability.
Key considerations
Consult your ESP: Your Email Service Provider (ESP) can provide specific DNS entries and guidance tailored to how your subdomains are being used for email sending. This is often the first and most critical step.
Include reporting: Ensure your DMARC record includes rua (aggregate) and ruf (failure, often called forensic) reporting tags to gain visibility into your email traffic and authentication results, even with a p=none policy. Note that many large mailbox providers send aggregate reports only, so expect most of your visibility to come from rua.
Phased implementation: Start with a p=none policy to monitor traffic before transitioning to p=quarantine or p=reject. This allows you to catch any misconfigurations without impacting legitimate email delivery. For more, see our guide on safely transitioning your DMARC policy.
Thorough testing: After making any DNS changes, extensively test your email sending to ensure proper authentication and deliverability from your subdomains. You can use DMARC analysis tools to verify your records. For general information on DMARC, refer to this DMARC setup guide.
Email marketers often use subdomains to segment their email sending, such as for newsletters, transactional emails, or specific alert types. This strategy helps manage domain reputation and isolate different email streams. However, setting up DMARC for these subdomains can raise questions about how to manage DNS entries effectively, especially concerning policy inheritance and ensuring all emails are properly authenticated.
Key opinions
Clarifying DNS needs: Marketers frequently seek concrete steps on how to technically configure DMARC in their DNS zone editor, particularly when adding new subdomains for email sending.
Understanding inheritance: There's often confusion about whether a new subdomain automatically inherits the main domain's DMARC policy or requires a separate setup.
ESP guidance dependence: Many marketers rely heavily on their ESPs to provide the exact DNS records needed for subdomain authentication, including DMARC, SPF, and DKIM.
Policy enforcement impact: Questions arise about what a p=none policy actually does for a subdomain, and whether such a record has any value without reporting tags.
Key considerations
Beyond A records: Marketers should be aware that DMARC is configured by adding TXT records to DNS, which are distinct from the A records that map hostnames to IP addresses.
Comprehensive authentication: Ensure that all required email authentication records, including SPF and DKIM, are correctly configured for each sending subdomain alongside DMARC.
Phased policy progression: While starting with p=none is safe, the ultimate goal should be to move to p=quarantine or p=reject to gain full protection against spoofing. See more on DMARC setup best practices.
Testing and monitoring: Always test sending from new subdomains and monitor DMARC reports to ensure proper authentication and identify any potential issues early on.
Marketer view
Marketer from Email Geeks indicates they use an ESP for newsletters and plan to set up two new subdomains for different alert types. They need assistance with the specific DNS settings required for these new subdomains.
07 Apr 2022 - Email Geeks
Marketer view
Marketer from Reddit mentions that their company uses different subdomains for transactional versus marketing emails. They are unsure if each subdomain requires its own DMARC record or if the main domain's policy is sufficient for all.
15 Sep 2023 - Reddit
What the experts say
Email deliverability experts highlight that DMARC policies, by design, inherit from the organizational domain down to its subdomains. They emphasize that while this default behavior is convenient, specific subdomain policies can be implemented when needed. Crucially, experts advocate for including reporting (RUA/RUF) in DMARC records to gain actionable insights into email traffic and authentication results, moving beyond a simple monitor-only policy.
Key opinions
Default inheritance: Experts confirm that DMARC policies are inherited by subdomains from the parent domain unless a distinct policy is specified for the subdomain.
Conditional subdomain policies: A separate DMARC policy for a subdomain is only necessary if its desired policy differs from the organizational domain's policy.
Importance of reporting: A DMARC record with p=none provides minimal value without reporting tags, which offer critical insights into email authentication.
Policy enforcement: The goal for DMARC implementation is typically to progress towards an enforcement policy (quarantine or reject) for full protection.
Key considerations
ESP collaboration: Work closely with your ESP, as they possess crucial knowledge about the necessary DNS records and how your domains are used in email authentication.
Comprehensive testing: It's vital to test all configurations thoroughly to ensure that emails from your subdomains are properly authenticated and delivered. For further reading, check out this article on DMARC and subdomains.
DNS record types: Understand that DMARC configuration involves TXT records, which are distinct from A records used for IP addresses.
Holistic authentication: Remember that DMARC works in conjunction with SPF and DKIM to provide robust email authentication. All three should be properly configured for comprehensive protection.
Expert view
Expert from Email Geeks explains that for DMARC alone, no changes are needed unless a policy different from the organizational domain's is desired. They note that some providers might request it at the subdomain level, which is at the user's discretion.
07 Apr 2022 - Email Geeks
Expert view
Expert from SpamResource.com advises that if you do not explicitly publish a DMARC record for a subdomain, it will naturally inherit the DMARC policy set for its main organizational domain, a point often missed in configurations.
22 Jun 2023 - SpamResource.com
What the documentation says
Official documentation for DMARC provides clear guidelines on how policies apply to subdomains. It confirms the default inheritance model, where subdomains adopt the parent domain's policy unless explicitly overridden. It also details the mechanism for specifying subdomain-specific policies, primarily through the `sp` tag within the organizational DMARC record, or by publishing a separate DMARC TXT record directly for the subdomain.
Key findings
Default policy application: The DMARC policy defined for an organizational domain will apply to its subdomains by default, unless a specific DMARC record is published for that subdomain.
Subdomain Policy tag (sp): The sp= tag, included in the parent domain's DMARC record, lets you specify a policy for subdomains that differs from the organizational domain's own p= policy. It applies only to subdomains that do not publish a DMARC record of their own; if sp= is absent, those subdomains inherit the p= policy.
Specific subdomain records: Publishing a unique DMARC TXT record for a particular subdomain (_dmarc.subdomain.example.com) will override both the parent domain's policy and any sp= tag.
Single DMARC record: Only one DMARC TXT record is permitted per domain or subdomain. Multiple records will cause conflicts and invalid configurations.
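The policy-discovery rules in the findings above (own record first, then the organizational domain's record with sp= for subdomains, and a name with more than one DMARC record treated as having none) are worked through in the following added example; it is not code from the original page, and it assumes the organizational domain is simply the last two labels of the hostname, where a real receiver would consult the Public Suffix List.

```python
# Added example (not from the page): resolves the DMARC policy a receiver would
# apply to a From: domain, following the discovery rules above. Assumption: the
# organizational domain is the last two labels (real receivers use the PSL).

# Constructed zone data: hostname -> TXT strings published at that name.
ZONE = {
    "_dmarc.example.com": ["v=DMARC1; p=reject; sp=quarantine; rua=mailto:dmarc@example.com"],
    "_dmarc.news.example.com": ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"],
    # Two DMARC records at one name: invalid, so receivers treat it as no record.
    "_dmarc.alerts.example.com": ["v=DMARC1; p=reject", "v=DMARC1; p=none"],
    "_dmarc.example.net": ["v=DMARC1; p=quarantine"],
}

def parse_dmarc(txt):
    """Split 'tag=value; tag=value' into a dict keyed by lower-cased tag name."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def dmarc_record(zone, domain):
    """Return the single valid DMARC record at _dmarc.<domain>, or None.
    RFC 7489 6.6.3: more than one v=DMARC1 record at a name yields no policy."""
    records = [parse_dmarc(t) for t in zone.get("_dmarc." + domain, [])]
    records = [r for r in records if r.get("v") == "DMARC1"]
    return records[0] if len(records) == 1 else None

def org_domain(domain):
    """Organizational domain; simplified to the last two labels for this example."""
    return ".".join(domain.split(".")[-2:])

def effective_policy(zone, from_domain):
    """Return (policy, domain whose record supplied it), or (None, None)."""
    rec = dmarc_record(zone, from_domain)
    if rec is not None:                       # explicit record on this name wins
        return rec.get("p", "none"), from_domain
    org = org_domain(from_domain)
    if org == from_domain:                    # it is the org domain and has no record
        return None, None
    rec = dmarc_record(zone, org)
    if rec is None:
        return None, None
    # Subdomain without its own record: sp= applies if present, else p= is inherited.
    return rec.get("sp", rec.get("p", "none")), org
```

Running effective_policy(ZONE, "alerts.example.com") shows the duplicate-record case falling back to the parent's sp=quarantine, while "news.example.com" keeps its own p=none despite the parent's p=reject.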
Key considerations
DNS TXT record format: DMARC policies are always published as TXT records with the hostname _dmarc for the domain or subdomain in question.
Policy decision: Carefully consider whether a specific subdomain policy is genuinely necessary or if the inherited policy, possibly modified by an sp tag, sufficiently meets your email security and deliverability needs. For more, explore DMARC policies for organizational domains and subdomains.
Authentication alignment: Ensure that your SPF and DKIM records are correctly configured for your subdomains so that the authenticated identifiers align with the From: domain, which is what DMARC validation checks. For a worked example, see using different DMARC records for subdomains.
Syntax accuracy: Accurate DMARC tag syntax is paramount for the correct interpretation and enforcement of your policies by receiving mail servers. Refer to guides on DMARC tags and their meanings.
Technical article
Documentation from NsLookup.io states that DMARC permits only one DMARC record per specific domain, but subdomains can be utilized effectively when there's a need for DMARC policies that cannot be seamlessly merged with the parent domain's.
01 Nov 2023 - NsLookup.io
Technical article
Documentation from VerifyDMARC clarifies that to define a distinct DMARC policy for any subdomains, the `sp=` tag should be incorporated into the DMARC DNS record of the organizational domain.