Suped

How to configure SPF, DKIM, and DMARC when sending marketing emails from a subdomain but signing with the primary domain?

Summary

When sending marketing emails from a subdomain while signing with the primary domain, a consistent approach to SPF, DKIM, and DMARC configuration emerges from various sources. SPF records must be created for the sending subdomain, listing authorized sending sources. DKIM records are generated for the primary domain and placed in the primary domain's DNS, with the subdomain configured to sign emails using the primary domain's DKIM key. DMARC is set up on the primary domain to define policies, with the option to specify subdomain-specific policies using the 'sp' tag. Correct setup ensures proper authentication and improves deliverability.

Key findings

  • SPF Configuration: SPF records are essential for the sending subdomain, not the primary domain, to authorize sending sources.
  • DKIM Configuration: DKIM records are created for the primary domain, while the sending subdomain must be configured to sign messages with the primary domain’s DKIM key.
  • DMARC Configuration: DMARC records are set up on the primary domain, with flexibility to define subdomain-specific policies using the 'sp' tag.
  • Key Domain: DKIM signing inherently uses the primary domain with a specific pattern in the DNS record (selector._domainkey).

Key considerations

  • Authorized Sending Sources: It's vital to accurately list all authorized sending sources (IPs/services) in the SPF record of the sending subdomain.
  • Policy Application: Carefully consider whether subdomains should inherit the primary domain’s DMARC policy or have separate policies defined.
  • Alignment: Ensure the Return-Path is configured and that DMARC is set to check alignment of both SPF and DKIM.
  • DNS Records: Add DMARC records for both the subdomains and the main domain if you want separate DMARC policies. If one policy should apply to both, add the record to the main domain.
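
The following is an added example, not code from Suped or from any of the sources quoted on this page. It shows how a receiver picks the DMARC policy for a subdomain sender (own `_dmarc` record, then the primary domain's `sp`, then `p`) and checks alignment when DKIM is signed with the primary domain. The function names, domains and records are constructed for illustration; the organizational domain is passed in rather than derived from the Public Suffix List, and the SPF and DKIM results are given as inputs.

```python
# Added example; every domain and record below is a constructed sample value.

def parse_tags(record):
    """Parse a DMARC TXT value such as 'v=DMARC1; p=reject; sp=none'."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    return tags

def aligned(auth_domain, from_domain, org_domain, mode):
    """Strict ('s') needs an exact match; relaxed ('r') needs the same org domain."""
    if auth_domain is None:          # mechanism did not pass at all
        return False
    if mode == "s":
        return auth_domain == from_domain
    return auth_domain == org_domain or auth_domain.endswith("." + org_domain)

def evaluate(from_domain, org_domain, dns_txt, spf_domain, dkim_domain):
    """spf_domain / dkim_domain: domain that passed SPF / DKIM, or None."""
    # Policy discovery: a record at _dmarc.<From domain> wins; otherwise the
    # organizational domain's record applies, with sp= overriding p= if present.
    source = "_dmarc." + from_domain
    record = dns_txt.get(source)
    if record is not None:
        tags = parse_tags(record)
        policy = tags.get("p")
    else:
        source = "_dmarc." + org_domain
        record = dns_txt.get(source)
        if record is None:
            return {"policy": None, "source": None, "pass": False}
        tags = parse_tags(record)
        policy = tags.get("sp", tags.get("p"))
    spf_ok = aligned(spf_domain, from_domain, org_domain, tags.get("aspf", "r"))
    dkim_ok = aligned(dkim_domain, from_domain, org_domain, tags.get("adkim", "r"))
    return {"policy": policy, "source": source, "spf_aligned": spf_ok,
            "dkim_aligned": dkim_ok, "pass": spf_ok or dkim_ok}

ORG, SUB = "example.com", "news.example.com"
RELAXED = {"_dmarc.example.com": "v=DMARC1; p=reject; sp=quarantine"}
STRICT = {"_dmarc.example.com": "v=DMARC1; p=reject; adkim=s"}
SPLIT = dict(RELAXED, **{"_dmarc.news.example.com": "v=DMARC1; p=none"})

if __name__ == "__main__":
    # From: and MAIL FROM on the subdomain, DKIM d= on the primary domain.
    print(evaluate(SUB, ORG, RELAXED, SUB, ORG))
    # SPF lost (e.g. after forwarding) and strict DKIM alignment: d= mismatch.
    print(evaluate(SUB, ORG, STRICT, None, ORG))
    # A dedicated _dmarc.news.example.com record replaces the inherited policy.
    print(evaluate(SUB, ORG, SPLIT, SUB, ORG))
```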

What email marketers say

11 marketer opinions

When sending marketing emails from a subdomain but signing with the primary domain, the key is to configure SPF, DKIM, and DMARC records correctly across both domains. For SPF, create a record for the subdomain that's sending the emails, authorizing the sending server's IP address or service. DKIM involves generating a key for the primary domain and placing the public key in the primary domain's DNS records; the sending server on the subdomain then signs emails using the primary domain's DKIM key. DMARC is configured on the primary domain to dictate how emails from subdomains are handled, and can be set up to apply the same policy or different policies to subdomains, with subdomain policies being defined using the 'sp' tag.

Key opinions

  • SPF Record: SPF record must be created for the sending subdomain, not the primary domain.
  • DKIM Record: DKIM record should be generated for the primary domain, with the public key placed in the primary domain's DNS.
  • DMARC Policy: DMARC record is configured on the primary domain, which can apply to subdomains or define separate policies for them.
  • Domain Alignment: Proper alignment of SPF and DKIM with the From address is crucial for DMARC compliance and optimal deliverability.

Key considerations

  • Subdomain vs. Primary Domain Policy: Decide whether subdomains should inherit the primary domain's DMARC policy or have separate policies.
  • SPF Authorization: Ensure the SPF record accurately reflects all authorized sending sources (IPs/services) for the subdomain.
  • DKIM Key Management: Properly manage and rotate DKIM keys for enhanced security.
  • DMARC Monitoring: Continuously monitor DMARC reports to identify and address any authentication issues.

Marketer view

Marketer from Email Geeks states the DMARC record will cover the primary domain and subdomains if a subdomain is not defined separately. To separate policies with one DMARC record, use p= for primary and sp= for subs inside the DMARC record. Separate DMARC records can also be created for primary and subdomains (_dmarc.subdomain).

28 Feb 2024 - Email Geeks

Marketer view

Email marketer from Postmark shares that for SPF, you'll need to create an SPF record for the subdomain from which you're sending emails. This record should include the IP addresses or authorized sending services used by the subdomain. For DKIM, create a DKIM record in your primary domain's DNS settings and configure your email sending service to sign emails using the DKIM key associated with your primary domain. DMARC settings should be placed in the primary domain.

20 Aug 2024 - Postmark

What the experts say

4 expert opinions

To configure SPF, DKIM, and DMARC when sending marketing emails from a subdomain but signing with the primary domain, you need to address each protocol individually. For SPF, create a record for the subdomain that specifies the authorized sending sources (IP addresses or sending services). For DKIM, set up DKIM signing using the primary domain's DKIM key, with the DKIM record residing in the primary domain's DNS. Finally, for DMARC, decide whether to apply the same policy to all subdomains or set individual policies, configuring the DMARC record on the primary domain accordingly using the 'sp' tag if needed. Proper setup of these ensures email authentication and improves deliverability.

Key opinions

  • SPF Subdomain Record: An SPF record is necessary for the subdomain that sends the email, specifying the authorized sending sources.
  • DKIM Primary Domain Key: DKIM signing should use the primary domain's DKIM key, and the record resides in the primary domain's DNS.
  • DMARC Policy Choice: The DMARC record, configured on the primary domain, allows for either a uniform policy or subdomain-specific policies using the 'sp' tag.
  • Email Authentication: Setting up SPF, DKIM, and DMARC ensures that your emails are properly authenticated.

Key considerations

  • Authorized Sending Sources: Ensure that the SPF record accurately reflects all the sending IPs and services for the subdomain.
  • Key Configuration: Properly configure DKIM and the email server to use this DKIM key to sign the outgoing messages from the subdomain.
  • DMARC Policy Decision: Decide whether to use the same DMARC policy for all subdomains or individual policies for each. Configure the DMARC record appropriately.

Expert view

Expert from Word to the Wise notes that regarding DKIM, set up DKIM signing using the primary domain's DKIM key. The DKIM record will reside in the DNS of the primary domain. The subdomain sending email needs to be configured to use this DKIM key to sign the outgoing messages.

18 Nov 2023 - Word to the Wise

Expert view

Expert from Spamresource shares that setting up SPF, DKIM and DMARC ensures that your emails are properly authenticated. To set up SPF you must add a DNS record to show the IP address that can send emails from that server. To set up DKIM you need to create a public and private key, with the public key being added to the DNS. Finally, set up DMARC to dictate your company's email policy, in order to dictate how SPF and DKIM will authenticate your emails.

3 Aug 2024 - Spamresource

What the documentation says

5 technical articles

When sending marketing emails from a subdomain but signing with the primary domain, documentation emphasizes the need to configure SPF for the sending subdomain itself, authorizing the sending source within that subdomain's DNS records. DKIM keys should be generated for the primary domain, with the DKIM record placed in the primary domain's DNS. DMARC policies can then be applied at the primary domain level, with the option to specify different policies for subdomains using the 'sp' tag. SPF lookups are performed against the 'MAIL FROM' address which is the subdomain.

Key findings

  • SPF on Subdomain: SPF record is required on the sending subdomain to authorize the sending source.
  • DKIM on Primary Domain: DKIM key is generated for the primary domain and the DKIM record is added to the primary domain's DNS.
  • DMARC at Primary Level: DMARC policies are typically set at the primary domain level but can have specific configurations for subdomains.
  • SPF Record Lookup: SPF lookups are performed against the domain found in the 'MAIL FROM' address (Return-Path), which in this case should be the subdomain.

Key considerations

  • Accurate SPF Records: Ensure the SPF records accurately reflect all authorized sending sources (IPs/services) for each subdomain.
  • DKIM Configuration: Ensure your subdomain is correctly configured to use the primary domain's DKIM key for signing emails.
  • DMARC Implementation: Carefully consider whether to apply the same DMARC policy to all subdomains or configure specific policies for each.

Technical article

Documentation from DMARC.org clarifies that DMARC policies can be set for the primary domain and applied to subdomains, or specific policies can be created for individual subdomains. This is managed through the 'sp' tag in the DMARC record for subdomain-specific policies, or if no ‘sp’ tag is present, the ‘p’ tag applies to both.

24 Jan 2024 - DMARC.org

Technical article

Documentation from Google Workspace Admin Help explains that when sending from a subdomain, the SPF record should be added to the subdomain's DNS settings, not necessarily the primary domain. The SPF record should authorize the sending source (e.g., the IP address of the mail server or the sending service).

12 Jun 2025 - Google Workspace Admin Help
