When sending marketing and transactional emails from different subdomains, a precise DMARC, DKIM, and SPF setup is crucial for compliance, security, and optimal deliverability. Improper configuration can lead to authentication failures, resulting in emails landing in spam folders or being blocked entirely. This summary outlines the best practices to ensure your email authentication is robust and effective across all your sending subdomains.
Key findings
SPF alignment: SPF validation relies on the Return-Path domain. For SPF to align with DMARC, the Return-Path domain (also known as the MailFrom domain or envelope sender) must match the domain in the From: header or be a subdomain of it.
Subdomain inheritance: DMARC policies published on the main domain (e.g., example.com) will automatically apply to all subdomains (e.g., marketing.example.com, transactional.example.com) unless a specific DMARC record is published for that subdomain. This is known as DMARC inheritance.
Separate subdomains: Using separate subdomains for different email streams (marketing versus transactional) is a recommended practice. This strategy helps isolate reputation, preventing issues with one stream from negatively impacting the other.
Explicit authentication: Each subdomain used for sending emails should have its own correctly configured SPF and DKIM records, even if DMARC is set at the organizational domain level. This ensures proper authentication for all outbound mail.
DMARC policy for subdomains: While inheritance covers subdomains, you can still control them individually: an `sp=` tag on the main domain's record sets the policy that all subdomains without their own record inherit, and an explicit DMARC record published at `_dmarc.<subdomain>` overrides the main domain's policy for that subdomain and gives it its own reporting.
Key considerations
SPF record placement: Ensure your SPF record is published on the exact domain (subdomain or main domain) that serves as your Return-Path. If using a specific subdomain for sending, the SPF record should be on that subdomain.
DKIM configuration: DKIM records should be set up for each sending subdomain. The `d=` tag in the DKIM signature should ideally match or be a parent domain of your From: header domain for DMARC alignment.
DMARC policy: Publish a DMARC record on your main domain. Consider adding specific DMARC records for your subdomains to gain more control over their policies, especially for transactional emails, which typically require higher deliverability rates.
Alignment mode: A DMARC record with relaxed alignment (adkim=r; aspf=r) lets the SPF and DKIM domains be subdomains of the From: header's organizational domain, while strict alignment (adkim=s; aspf=s) requires an exact domain match. Strict is generally preferred for stronger protection against spoofing, but it only works if every sending identity is configured precisely.
Monitoring: Continuously monitor your DMARC reports to identify any authentication failures or unauthorized sending sources across all subdomains. This is key for maintaining deliverability.
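The alignment rules above (SPF judged on the Return-Path domain, DKIM on the `d=` domain, both compared to the From: header under relaxed or strict mode) are easy to get wrong on subdomains, so here is an added example that evaluates them for one message. It is not code from the page or from any ESP; the domain names, the message, and the tiny public-suffix set standing in for the real Public Suffix List are all constructed assumptions.

```python
"""Added example (not from the page): DMARC identifier alignment for one message.

Constructed scenario: marketing mail with From: marketing.example.com, sent through
an ESP whose bounce domain (Return-Path / RFC5321.MailFrom) is
bounce.marketing.example.com and which signs with DKIM d=example.com.
All domain names and the tiny public-suffix list below are assumptions.
"""
from dataclasses import dataclass, field

# Assumption: stand-in for the Public Suffix List that real validators consult.
PUBLIC_SUFFIXES = {"com", "net", "org", "example", "co.uk"}


def organizational_domain(domain: str) -> str:
    """Organizational domain = one label to the left of the longest public suffix."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels)


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict ('s') needs an exact match; relaxed ('r') needs the same organizational domain."""
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    if mode == "s":
        return a == f
    return organizational_domain(a) == organizational_domain(f)


def parse_dmarc_tags(record: str) -> dict:
    """Split 'k=v; k=v' into a dict; unknown tags are kept, values left untouched."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


@dataclass
class AuthResult:
    from_domain: str                 # RFC5322.From domain (what DMARC aligns against)
    return_path_domain: str          # RFC5321.MailFrom domain (what SPF actually checked)
    spf_pass: bool
    dkim_pass_domains: list = field(default_factory=list)  # d= of each verified signature


def dmarc_result(msg: AuthResult, dmarc_record: str) -> dict:
    """DMARC passes if SPF or DKIM both passed and is aligned under the record's mode."""
    tags = parse_dmarc_tags(dmarc_record)
    aspf = tags.get("aspf", "r")     # RFC 7489 default is relaxed
    adkim = tags.get("adkim", "r")
    spf_aligned = msg.spf_pass and aligned(msg.return_path_domain, msg.from_domain, aspf)
    dkim_aligned = any(aligned(d, msg.from_domain, adkim) for d in msg.dkim_pass_domains)
    return {
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "dmarc_pass": spf_aligned or dkim_aligned,
        "policy": tags.get("p", "none"),
    }


# Constructed message and two candidate DMARC records for the From domain.
MARKETING_MSG = AuthResult(
    from_domain="marketing.example.com",
    return_path_domain="bounce.marketing.example.com",
    spf_pass=True,
    dkim_pass_domains=["example.com"],
)
RELAXED_RECORD = "v=DMARC1; p=reject; adkim=r; aspf=r; rua=mailto:dmarc@example.com"
STRICT_RECORD = "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@example.com"

if __name__ == "__main__":
    for label, rec in (("relaxed", RELAXED_RECORD), ("strict", STRICT_RECORD)):
        print(label, dmarc_result(MARKETING_MSG, rec))
```

Under the relaxed record the message passes on both identifiers; under the strict record it fails both, because neither `bounce.marketing.example.com` nor `example.com` equals the From: domain exactly. Switching the ESP's signature to `d=marketing.example.com` is what makes strict mode pass, which is the precision the alignment-mode item above refers to.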
Email marketers often navigate the complexities of email authentication while focusing on campaign performance and inbox placement. Their primary concern is ensuring emails reach the inbox without being flagged as spam or rejected due to authentication issues. Using subdomains introduces both opportunities for reputation management and challenges in maintaining proper SPF, DKIM, and DMARC configurations.
Key opinions
Reputation isolation: Marketers frequently advocate for separating marketing and transactional email streams onto different subdomains to protect the reputation of critical transactional emails from potential issues with bulk marketing sends.
Deliverability focus: The main goal is to optimize deliverability. Proper SPF, DKIM, and DMARC setup, especially on subdomains, is seen as fundamental to achieving this, avoiding spam filters and blocklists.
Complexity concerns: While understanding the necessity, marketers often find the technical setup of DMARC, DKIM, and SPF across multiple subdomains to be challenging and prone to errors, particularly concerning alignment.
ESP integration: Many marketers rely on Email Service Providers (ESPs) and need clear guidance on how their ESP's sending practices integrate with their subdomain strategy for authentication.
Key considerations
Clear subdomain strategy: Decide which subdomains will be used for each email type (marketing, transactional, operational) to ensure consistent authentication and reputation management.
Vendor-specific setup: Work closely with your ESP to understand their specific requirements for SPF and DKIM setup on subdomains. Some ESPs manage certain aspects automatically.
DMARC policy rollout: Start with a DMARC policy of `p=none` for monitoring before moving to `p=quarantine` or `p=reject`, so that legitimate email is not blocked unintentionally.
Continuous monitoring: Regularly check DMARC reports for all sending subdomains to quickly identify and resolve authentication issues, and keep each subdomain's DNS records accurate as sending practices change.
Marketer view
Marketer from Email Geeks suggests ensuring your SPF record is published on the exact domain that appears in your email's Return-Path, which is critical for SPF alignment and overall deliverability.
22 Jun 2024 - Email Geeks
Marketer view
Marketer from Email Geeks states that subdomains inherit the DMARC policy of the main domain, emphasizing the need for explicit DMARC records on subdomains if a different policy is desired.
22 Jun 2024 - Email Geeks
What the experts say
Email deliverability experts provide in-depth technical guidance on configuring authentication protocols for optimal performance. They focus on the nuances of SPF, DKIM, and DMARC alignment, policy enforcement, and the importance of precise DNS record management, especially when dealing with multiple sending subdomains.
Key opinions
Return-Path importance: Experts consistently point out that SPF authentication depends on the Return-Path (envelope sender) domain, not necessarily the From: header. Alignment requires the Return-Path to be within the organizational domain of the From: address.
Explicit DMARC for subdomains: It is generally advised to publish explicit DMARC records for subdomains, even if the main domain has a DMARC record. This provides more granular control and clearer reporting for each sending identity.
Dedicated SPF records: If an ESP uses a custom domain for your SPF validation, ensure that the SPF record exists directly on that custom subdomain, not solely on your main domain.
Monitoring tools: Using tools that check SPF records and email authentication results is highly recommended for diagnosing and resolving issues efficiently.
Key considerations
Return-Path domain SPF: Ensure that the SPF record explicitly covers the Return-Path domain (MailFrom domain) used by your sending system, especially if it is a subdomain provided by an ESP.
Subdomain DMARC placement: Set up a distinct DMARC record for each subdomain if you need separate policies or more granular reporting for marketing versus transactional email streams. This overrides the main domain's inherited policy.
SPF includes: Avoid including ESPs directly in your main domain's SPF record if they send from a dedicated subdomain with its own SPF. This keeps the main record within the 10-DNS-lookup limit and makes it clear which identity each ESP sends as.
Alignment types: Understand the difference between relaxed and strict alignment for DMARC. While relaxed is more forgiving, strict alignment offers better protection against spoofing by requiring an exact domain match for SPF and DKIM.
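The SPF-includes point above is about the lookup budget: every `include:`, `a`, `mx`, `ptr`, `exists` and `redirect=` term counts toward RFC 7208's limit of 10 DNS-querying terms, across the whole include chain. The following added example (not the page's own tooling, and not any real ESP's record) walks a constructed zone and counts those terms, showing how a main domain that carries every ESP's include blows through the limit while dedicated bounce subdomains stay well inside it. All domain names and records are constructed assumptions.

```python
"""Added example (not from the page): count the DNS-querying terms behind an SPF record.

RFC 7208 section 4.6.4 caps the mechanisms that trigger DNS lookups (include, a, mx,
ptr, exists, and the redirect modifier) at 10 per evaluation, counted across every
included record. The zone below is constructed; all names are assumptions.
"""

# Constructed zone: domain -> published SPF TXT record.
ZONE = {
    # Main domain that also carries both ESPs' includes directly.
    "example.com": "v=spf1 mx include:_spf.mailhost.example "
                   "include:esp-marketing.example include:esp-transactional.example -all",
    "_spf.mailhost.example": "v=spf1 include:_net1.mailhost.example include:_net2.mailhost.example ~all",
    "_net1.mailhost.example": "v=spf1 ip4:192.0.2.0/24 ~all",
    "_net2.mailhost.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    "esp-marketing.example": "v=spf1 a mx include:_relays.esp-marketing.example ~all",
    "_relays.esp-marketing.example": "v=spf1 a:relay1.esp-marketing.example "
                                     "a:relay2.esp-marketing.example exists:%{i}.chk.esp-marketing.example ~all",
    "esp-transactional.example": "v=spf1 ip4:203.0.113.0/24 include:_mx.esp-transactional.example ~all",
    "_mx.esp-transactional.example": "v=spf1 mx ptr ~all",
    # Dedicated bounce subdomains, each carrying only its own ESP.
    "bounce.marketing.example.com": "v=spf1 include:esp-marketing.example -all",
    "bounce.transactional.example.com": "v=spf1 include:esp-transactional.example -all",
    # The main domain again, after the ESP includes were moved to the subdomains.
    "example-trimmed.example": "v=spf1 mx include:_spf.mailhost.example -all",
}

LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}
SPF_LIMIT = 10


def count_spf_lookups(domain: str, zone: dict, _seen=None) -> int:
    """Total DNS-querying terms reached from `domain`, following include: and redirect=."""
    _seen = set() if _seen is None else _seen
    if domain in _seen:
        raise ValueError(f"include/redirect loop at {domain}")
    _seen.add(domain)
    record = zone.get(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        raise ValueError(f"no SPF record for {domain}")  # a receiver would return permerror
    total = 0
    for term in record.split()[1:]:
        if term.lower().startswith("redirect="):
            total += 1 + count_spf_lookups(term.split("=", 1)[1], zone, set(_seen))
            continue
        mech = term.lstrip("+-~?")            # drop the qualifier
        name, _, arg = mech.partition(":")
        name = name.split("/")[0].lower()     # 'a/24' -> 'a'
        if name == "include":
            total += 1 + count_spf_lookups(arg, zone, set(_seen))
        elif name in LOOKUP_MECHANISMS:
            total += 1                        # ip4/ip6/all cost nothing
    return total


def spf_report(domain: str, zone: dict = ZONE) -> dict:
    """Lookup count for `domain` and whether it stays within the RFC 7208 limit."""
    n = count_spf_lookups(domain, zone)
    return {"domain": domain, "lookups": n, "within_limit": n <= SPF_LIMIT}


if __name__ == "__main__":
    for name in ("example.com", "bounce.marketing.example.com",
                 "bounce.transactional.example.com", "example-trimmed.example"):
        print(spf_report(name))
```

The main-domain record in the constructed zone reaches 15 lookups, so a receiver evaluating it returns permerror and SPF never passes; each bounce subdomain's record needs only the lookups of its own ESP (7 and 4 here), and the trimmed main-domain record drops to 4.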
Expert view
Expert from Email Geeks advises publishing SPF for the exact domain used in your Return-Path, which is crucial for achieving SPF alignment with DMARC for your emails.
22 Jun 2024 - Email Geeks
Expert view
Expert from Email Geeks suggests that if you are using a custom domain for SPF, you should have a specific record for that subdomain and remove the ESP's include from your main domain's SPF.
22 Jun 2024 - Email Geeks
What the documentation says
Official documentation and technical specifications (RFCs) lay out the foundational rules for SPF, DKIM, and DMARC. These documents define how these protocols work independently and how they interact to provide comprehensive email authentication. Understanding these standards is critical for implementing a compliant and secure email infrastructure, especially when using subdomains.
Key findings
SPF (Sender Policy Framework): Defines a mechanism for email senders to specify which IP addresses are authorized to send mail on behalf of a domain. It authenticates the Return-Path domain.
DKIM (DomainKeys Identified Mail): Provides a method for email senders to cryptographically sign outgoing emails, allowing receivers to verify that the email was sent by an authorized sender and has not been tampered with in transit. It authenticates the `d=` domain in the DKIM signature.
DMARC (Domain-based Message Authentication, Reporting & Conformance): Builds upon SPF and DKIM, instructing receiving mail servers on how to handle emails that fail authentication and providing reporting mechanisms. DMARC requires SPF and/or DKIM to align with the From: header domain.
Subdomain policy inheritance: According to RFC 7489 (DMARC), a DMARC record published at the organizational domain level automatically applies to all of its subdomains unless an explicit DMARC record is published for a specific subdomain; the organizational record's `sp` tag sets the policy those subdomains inherit, and when `sp` is absent they inherit `p`.
Key considerations
SPF record accuracy: Ensure your SPF record lists all authorized sending IPs and include mechanisms (e.g., include:esp.com) for each subdomain that sends mail. Remember the 10-DNS-lookup limit.
DKIM domain alignment: The domain specified in the `d=` tag of your DKIM signature should be the same as, or a parent domain of, the From: header domain for DMARC alignment purposes (under strict alignment it must be identical).
DMARC policy application: If you want a subdomain to use a policy different from your main domain's, publish a specific DMARC record at `_dmarc.subdomain.yourdomain.com` with its own `p` tag; to set one policy for all subdomains that lack their own record, use the `sp` tag (subdomain policy) on the main domain's record.
Reporting: Configure `rua` (aggregate) and `ruf` (forensic) DMARC report tags to receive feedback on email authentication results from receiving mail servers, helping to troubleshoot issues.
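The inheritance rule in the findings above and the `p`/`sp` placement in the considerations come down to the lookup order a receiver follows in RFC 7489 section 6.6.3. The added example below (not from the page, not a real receiver's code) implements that order over a constructed zone: it queries `_dmarc.<From domain>` first, falls back to `_dmarc.<organizational domain>` for subdomains, applies `sp` when inheriting, and ignores a record that does not start with `v=DMARC1`. The zone, the domain names and the tiny public-suffix set are assumptions.

```python
"""Added example (not from the page): DMARC policy discovery with subdomain inheritance.

Lookup order from RFC 7489 section 6.6.3: query _dmarc.<From domain>; if nothing valid
is there and the From domain is a subdomain, query _dmarc.<organizational domain> and
apply its sp= tag (falling back to p=). The zone and all names are constructed.
"""

# Assumption: stand-in for the Public Suffix List used to find the organizational domain.
PUBLIC_SUFFIXES = {"com", "net", "org", "example", "co.uk"}

# Constructed zone: only transactional.example.com publishes its own record.
DMARC_ZONE = {
    "_dmarc.example.com": "v=DMARC1; p=reject; sp=quarantine; rua=mailto:dmarc@example.com",
    "_dmarc.transactional.example.com": "v=DMARC1; p=reject; rua=mailto:dmarc-tx@example.com",
    "_dmarc.legacy.example.com": "p=none",   # no v=DMARC1 tag: receivers ignore this record
}


def organizational_domain(domain: str) -> str:
    """Organizational domain = one label to the left of the longest public suffix."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels)


def parse_dmarc_tags(record: str) -> dict:
    """Split 'k=v; k=v' into a dict of lower-cased tag names."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def fetch_record(name: str, zone: dict):
    """Tags of the record at `name`, or None if absent or not a valid v=DMARC1 record."""
    record = zone.get(name)
    if record is None:
        return None
    tags = parse_dmarc_tags(record)
    return tags if tags.get("v") == "DMARC1" else None


def discover_policy(from_domain: str, zone: dict = DMARC_ZONE) -> dict:
    """Policy a receiver applies to mail whose From: header domain is `from_domain`."""
    from_domain = from_domain.lower().rstrip(".")
    tags = fetch_record(f"_dmarc.{from_domain}", zone)
    if tags is not None:                    # explicit record wins, p= applies
        return {"source": from_domain, "inherited": False,
                "policy": tags.get("p", "none"), "tags": tags}
    org = organizational_domain(from_domain)
    if org != from_domain:                  # subdomain: fall back to the organizational record
        tags = fetch_record(f"_dmarc.{org}", zone)
        if tags is not None:                # sp= governs subdomains, else p=
            return {"source": org, "inherited": True,
                    "policy": tags.get("sp", tags.get("p", "none")), "tags": tags}
    return {"source": None, "inherited": False, "policy": None, "tags": {}}


if __name__ == "__main__":
    for d in ("example.com", "marketing.example.com", "transactional.example.com",
              "billing.marketing.example.com", "legacy.example.com", "other.example"):
        r = discover_policy(d)
        print(f"{d:32} policy={r['policy']!s:10} from={r['source']} inherited={r['inherited']}")
```

Two things worth noticing in the output: `legacy.example.com` publishes a record, but because it lacks `v=DMARC1` the receiver ignores it and the subdomain silently inherits `sp=quarantine` from the main domain, and a deeper subdomain such as `billing.marketing.example.com` goes straight to the organizational domain rather than walking up through `marketing.example.com`.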
Technical article
Documentation from RFC 7208 (SPF) specifies that SPF validation checks the IP address of the sending server against the authorized senders listed in the DNS TXT record of the MailFrom domain, also known as the Return-Path.
22 Jun 2024 - RFC 7208 (SPF)
Technical article
Documentation from RFC 6376 (DKIM) outlines that a DKIM signature includes a `d=` tag specifying the signing domain. For DMARC alignment, this domain must match or be a subdomain of the email's From: header.