What is the best practice for DMARC record placement for subdomains?

Key findings

• Inheritance: A subdomain without its own DMARC policy will automatically inherit the policy set on the parent domain, including the p and ruf or rua tags, unless an sp tag is present for subdomains. This is highlighted by eSecurity Planet.
• Granular control: Placing a DMARC record directly on a subdomain allows for a policy that is independent of the organizational domain's policy, providing more precise control over email authentication for specific sending purposes, such as marketing or transactional emails.
• Simplification: For simpler configurations, especially when administrative ownership is centralized, a single DMARC record at the organizational domain with an sp tag can be sufficient for managing all subdomains.
• Complexity management: Managing numerous individual DMARC records for many subdomains can become complex. A centralized record (with sp) can simplify this for certain setups.

Key considerations

• Administrative control: Consider who manages the domain and subdomain DNS records. Centralized control often favors a single organizational DMARC record, while distributed management might lean towards individual subdomain records.
• Policy differentiation: If different subdomains require distinct DMARC policies (e.g., p=none for some, p=reject for others), individual subdomain records are necessary. This aligns with overall DMARC, DKIM, and SPF setup best practices.
• Ease of management: Weigh the convenience of a single overarching policy against the flexibility of subdomain-specific policies. A simple guide to DMARC, SPF, and DKIM often recommends starting simple and expanding as needed.
• Future scalability: Anticipate future changes in your email sending infrastructure. If you plan to introduce many new subdomains with varying sending requirements, a flexible DMARC strategy that accommodates both root and subdomain level policies might be best.

Key opinions

• Centralized preference: Many marketers prefer placing the DMARC record at the organizational domain with an sp= tag, as it feels more organized and simpler to understand quickly.
• Situational flexibility: There is no one-size-fits-all answer, and the best approach depends on specific organizational needs and administrative ownership of the domain. This aligns with Mailgun's approach to DMARC implementation.
• Policy variety: DMARC offers many options beyond just p=none, p=quarantine, or p=reject, allowing for nuanced control over subdomain policies.

Key considerations

• Organizational domain ownership: The decision often hinges on whether the team or individual has administrative ownership of the root domain. This dictates the level of control and ease of implementing a centralized DMARC record.
• Avoiding confusion: Having separate records for numerous different subdomains can lead to confusion and management overhead. A single record with the sp= tag for subdomains is often preferred for maintaining order.
• Policy rollout strategy: Marketers should consider how to safely transition DMARC policy to quarantine or reject across subdomains, whether through inheritance or specific subdomain records. This is critical for avoiding deliverability issues when moving beyond p=none.
• Understanding options: It's important to be aware of the full range of DMARC policy options available beyond just the basic policy directives, as these can offer additional flexibility for subdomain management. Marketers should know when to use p=none, p=quarantine, or p=reject.

Key opinions

• Organizational domain preference: Experts often recommend that the organizational domain should have a DMARC record, even if it's just p=none, to establish a baseline policy. This is a common starting point for understanding DMARC tags and their meanings.
• Independent policies: Publishing DMARC records for specific subdomains allows them to act independently of the organizational domain's policy, particularly if their policies differ. This is crucial for managing the distinct email streams that may originate from various subdomains.
• Subdomain policy inheritance: The sp (subdomain policy) tag within the organizational DMARC record allows a single policy to be applied to all subdomains that do not have their own explicit DMARC record. DuoCircle highlights how DMARC manages domains and subdomains through this mechanism.

Key considerations

• Policy differentiation: Consider whether different policies are required for different subdomains. For instance, a marketing subdomain might need a p=none policy for monitoring, while an internal communication subdomain could safely use p=reject.
• Alignment issues: Pay close attention to how SPF and DKIM alignment works with subdomains. Sometimes, DMARC authentication can fail even when SPF and DKIM pass due to domain alignment issues, and understanding why DMARC fails is crucial for subdomains.
• Delegated sending: If subdomains are used by third-party senders or different departments, allowing them to manage their own DMARC records (or inheriting a carefully chosen sp policy) can be more practical.

Key findings

• Default inheritance: If a subdomain does not have its own DMARC TXT record, it automatically inherits the DMARC policy from its parent (organizational) domain. This is a fundamental aspect of DMARC's design.
• Subdomain policy tag (sp): The sp tag in the organizational domain's DMARC record specifies the policy to be applied to all its subdomains. This policy takes precedence over the inherited p tag for subdomains.
• Explicit subdomain records: Publishing a DMARC record directly on a subdomain overrides any inherited or sp-defined policy from the organizational domain. This provides ultimate control at the subdomain level.

Key considerations

• DNS zone management: DMARC records are TXT records published in your domain's DNS zone. Understanding your DNS provider's interface (e.g., DNS Zone Editor) is essential for proper placement, as detailed by SiteGround.
• Policy choice: The policy chosen (none, quarantine, reject) for the organizational domain and any sp tag, or for individual subdomains, should align with the organization's risk tolerance and email sending maturity. Refer to DMARC record and policy examples.
• Comprehensive authentication: DMARC relies on SPF and DKIM for authentication. Ensuring these protocols are correctly configured for all sending sources, including those on subdomains, is paramount for DMARC to function effectively. Consult resources on where SPF, DKIM, and DMARC records should be placed.