How to configure email authentication and warm up subdomains for improved deliverability and to avoid anti-phishing warnings?
Matthew Whittaker
Co-founder & CTO, Suped
Published 18 May 2025
Updated 18 Aug 2025
Achieving excellent email deliverability is more critical than ever, especially with major inbox providers tightening their requirements. It's not just about getting emails into inboxes, but also about building and maintaining a trustworthy sender reputation. A key part of this involves robust email authentication protocols and a strategic approach to using subdomains, including a proper warm-up process. Neglecting these aspects can lead to emails landing in spam folders, or worse, triggering anti-phishing warnings that erode recipient trust.
For anyone managing email, especially when using third-party sending platforms, understanding how your domain and subdomain interact with authentication standards like SPF, DKIM, and DMARC is vital. This also directly influences how mailbox providers perceive your messages and whether they might flag them as suspicious. Let's explore how to navigate these complexities to ensure your emails reach their intended recipients without unnecessary warnings.
Email authentication is the bedrock of good deliverability, providing clear signals to mailbox providers that your emails are legitimate and haven't been tampered with. The three core protocols are SPF, DKIM, and DMARC. I always recommend setting these up correctly for all your sending domains and subdomains.
SPF (Sender Policy Framework) allows you to specify which mail servers are authorized to send email on behalf of your domain. It's a TXT record added to your DNS that lists authorized sending IPs and domains. This helps prevent spammers from sending emails that appear to come from your domain, known as spoofing. When a receiving server gets an email from your domain, it checks your SPF record to verify if the sending IP is on your approved list. If it isn't, the email might be flagged or rejected.
DKIM (DomainKeys Identified Mail) adds a digital signature to your outgoing emails, allowing the receiving server to verify that the email was truly sent by the domain it claims to be from and that the message hasn't been altered in transit. This signature is cryptographically linked to your domain via a public key published in your DNS. Proper DKIM configuration is crucial because it gives mailbox providers confidence in the email's integrity and sender identity, which is key to avoiding spam filters and anti-phishing warnings.
DMARC (Domain-based Message Authentication, Reporting & Conformance) builds on SPF and DKIM by instructing receiving servers on how to handle emails that fail authentication and provides reporting on these failures. This allows you to gain visibility into email streams claiming to be from your domain, including legitimate ones and potential phishing attempts. A DMARC record specifies a policy (none, quarantine, or reject) and a reporting address. You can learn more about configuring these settings in our guide on email authentication best practices. Here's an example of a DMARC record:
Using subdomains is a powerful strategy to protect your main domain's reputation and improve deliverability for different email streams. Instead of sending all your emails (transactional, marketing, cold outreach) from your primary domain, you can create dedicated subdomains for each purpose.
This separation is crucial because it isolates the reputation of each sending activity. For example, if your marketing emails from marketing.yourdomain.com receive high spam complaints or get blocklisted, it won't directly impact the deliverability of your critical transactional emails sent from transactional.yourdomain.com. This creates a buffer that shields your core brand from potential deliverability issues associated with specific email types.
When you establish a subdomain, you'll need to configure its own set of SPF, DKIM, and DMARC records. This ensures that each subdomain has proper authentication and contributes to a healthy sender reputation. You can read more about DNS lookups, SPF records, and subdomain usage for deliverability. Here’s a comparison of sending approaches:
Sending from root domain
Risk consolidation: All email types share the same sender reputation, meaning a problem with one type (e.g., marketing spam complaints) can affect all others.
Deliverability impact: A single blocklist or poor engagement can negatively impact your entire domain's ability to reach the inbox, potentially affecting your core business communications.
Warm-up: New root domains require a longer and more cautious warm-up, as their entire reputation is being built from scratch.
Sending from subdomains
Reputation isolation: Each subdomain develops its own reputation, protecting your primary domain and other subdomains from localized issues.
Improved deliverability: By segmenting email types, you can optimize sender practices for each, leading to better inbox placement across the board.
Targeted warm-up: Subdomains can be warmed up more quickly and with less risk to your main domain. For instance, cold outreach subdomains can be more aggressively warmed.
DKIM alignment and combating anti-phishing warnings
One common point of confusion arises with DKIM alignment, especially when using a third-party email service provider (ESP) or when trying to send from your base domain while using a subdomain for technical sending. The d= tag in your DKIM signature identifies the domain that signed the email. For DMARC to pass, this signing domain (DKIM d=) must align with your From: header domain.
There are two types of alignment: strict and relaxed. Strict alignment requires an exact match between the domains. Relaxed alignment, on the other hand, allows for the d= domain to be a subdomain of the From: header domain. For most senders, particularly those using ESPs, relaxed alignment is the recommended approach. It offers flexibility while still providing strong authentication.
The benefits of relaxed alignment
Using relaxed alignment for DKIM is especially beneficial when you send through third-party platforms. These platforms often use their own subdomains for the technical sending domain (the RFC5321.MailFrom or Return-Path), which is then signed by DKIM. If your DMARC policy is set to strict alignment, and the DKIM signing domain is a subdomain, it will fail DMARC checks even if it's a legitimate email. Relaxing the alignment allows these emails to pass authentication. This helps you avoid issues with deliverability and anti-phishing warnings.
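The DMARC record tags and the strict versus relaxed DKIM alignment rules described above, as an added Python example (not code from the original page). The records, domains and the small public-suffix set are constructed assumptions; the relaxed check compares organizational domains as RFC 7489 defines it, which covers the subdomain case in the text and also a From: subdomain signed by its parent domain.

```python
# Constructed sample data throughout; example.com is a placeholder domain.
# Assumption: a tiny stand-in for the Public Suffix List that real
# receivers use to find the organizational domain.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}

def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record into tag=value pairs and validate v= and p=."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    if tags.get("p") not in {"none", "quarantine", "reject"}:
        raise ValueError("missing or invalid p= policy")
    tags.setdefault("adkim", "r")  # relaxed is the default when adkim is absent
    return tags

def org_domain(domain: str) -> str:
    """Return the public suffix plus one label (the organizational domain)."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):  # longest suffix is tried first
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])  # fallback when the suffix is unknown

def dkim_aligned(from_domain: str, dkim_d: str, mode: str) -> bool:
    """Strict ('s') needs an exact match; relaxed ('r') the same org domain."""
    f, d = from_domain.lower().rstrip("."), dkim_d.lower().rstrip(".")
    if mode == "s":
        return f == d
    return org_domain(f) == org_domain(d)

def check(record: str, from_domain: str, dkim_d: str) -> bool:
    """Alignment result for a DKIM signature that has already verified."""
    return dkim_aligned(from_domain, dkim_d, parse_dmarc(record)["adkim"])

RELAXED = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com; adkim=r"
STRICT = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com; adkim=s"

if __name__ == "__main__":
    for rec in (RELAXED, STRICT):
        for d in ("example.com", "mail.example.com", "examp1e.com"):
            print(parse_dmarc(rec)["adkim"], d, check(rec, "example.com", d))
```

The look-alike signing domain `examp1e.com` never aligns with `example.com` in either mode, which is why alignment still protects the From: domain when relaxed mode is used.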
Microsoft (Outlook) sometimes adds anti-phishing warnings, such as "Caution: this mail is from an external source" or alerts about user impersonation. These warnings can be triggered if the sending domain or subdomain appears similar to a previously known sender (a "cousin domain" attack) or if there are perceived inconsistencies in authentication. While you can't directly control what receiving servers add to the message, ensuring your SPF, DKIM, and DMARC are correctly configured, especially with relaxed alignment where appropriate, is the best defense. This is critical for improving your domain reputation and minimizing these warnings.
Warming up your subdomains for optimal trust
Even with perfect authentication, a new subdomain needs to be warmed up. This process gradually builds its sender reputation with mailbox providers. Starting with a low volume of emails to highly engaged recipients and slowly increasing the volume and diversifying recipients over time teaches ISPs that your new subdomain is a legitimate sender of desired mail. This is especially true when switching to a new subdomain.
For example, if you're migrating to a new CRM or an email service provider that requires you to send from a new subdomain, it's highly beneficial to configure that subdomain in your old platform first. Use it to send to your most engaged and transactional lists for a period. This initial sending activity helps build a positive sending history for the new subdomain before you fully migrate your high-volume sends.
The warm-up schedule will depend on your sending volume and the type of emails you send. It's a careful balancing act to avoid triggering spam filters or getting your subdomain on a blocklist (or blacklist). I've found that a methodical, step-by-step approach yields the best results. Here's a typical warm-up schedule:
Day | Volume Sent | Engagement Focus
Days 1-3 | 1,000-2,000 | Highly engaged subscribers, transactional emails
Days 4-7 | 2,000-5,000 | Recently active subscribers, low-priority marketing emails
Best practices
Ensure your DMARC policy is set to 'p=none' during initial setup to gather reports without impacting delivery.
Use dedicated subdomains for different email streams (e.g., transactional, marketing) to isolate reputation.
Always align your DKIM signing domain with your 'From:' header domain, using relaxed alignment for third-party senders.
Common pitfalls
Setting a strict DMARC policy (p=reject or p=quarantine) too early without monitoring reports can block legitimate emails.
Not warming up new subdomains or IP addresses, leading to immediate spam folder placement or blocklisting.
Ignoring DMARC reports, which provide crucial insights into authentication failures and potential spoofing attempts.
Expert tips
Monitor your domain reputation metrics in Google Postmaster Tools and other feedback loops for early warning signs.
Regularly review your SPF, DKIM, and DMARC records to ensure they are correct and optimized.
Segment your email lists based on engagement and send to active subscribers to maintain a high sender reputation.
Marketer view
Marketer from Email Geeks says that strict DKIM alignment often causes issues when using third-party senders, as it prevents their subdomains from aligning with your main domain's 'From:' header. Relaxed alignment is typically the solution here.
2024-07-02 - Email Geeks
Marketer view
Marketer from Email Geeks says that the Microsoft anti-phishing headers that warn recipients are generally outside of the sender's control once the message is handed over. Focusing on proper authentication is the best approach to mitigate them.
2024-07-03 - Email Geeks
Ensuring a robust email sending infrastructure
Configuring email authentication with SPF, DKIM, and DMARC is fundamental to ensuring your emails reach the inbox and avoid anti-phishing warnings. Strategic use of subdomains further enhances deliverability by isolating sender reputation for different email streams. Remember that DMARC alignment, particularly relaxed alignment, is often key when working with third-party senders, ensuring your emails pass authentication even when signed by a subdomain.
Finally, don't underestimate the importance of warming up your subdomains. A careful, gradual approach to sending volume will build trust with internet service providers (ISPs) and establish a positive sending history. By diligently implementing these practices, you can significantly improve your email deliverability, enhance sender reputation, and minimize unwanted warnings.