Suped

Why is DMARC failing for my subdomain, and how does the Public Suffix List affect DMARC alignment?

Summary

DMARC failures on subdomains usually come down to three things: SPF or DKIM identifier alignment, how the Public Suffix List (PSL) defines the organizational domain, and subdomain policies that were never set explicitly. Alignment fails when the domain in the RFC 5322 'From:' header does not match the domain that passed SPF (the envelope sender) or DKIM (the d= tag), either exactly (strict) or within the same organizational domain (relaxed, the default). The PSL decides where the organizational domain boundary sits, so a domain that is itself listed on the PSL has its subdomains treated as separate organizations. Defining subdomain policies explicitly (including the sp= tag on the organizational domain's record) and keeping alignment relaxed helps, especially where subdomains use different sending providers. Forwarding breaks SPF alignment, exceeding the SPF limit of 10 DNS-querying terms makes SPF fail outright, and a subdomain that neither publishes SPF nor is DKIM-signed has nothing for DMARC to align. A past PSL listing can keep causing failures because receivers cache old copies of the list. Managing subdomain delegation, configuring SPF and DKIM per subdomain, and understanding how the root domain's policy is inherited are what make it work.

Key findings

  • Alignment Problems: DMARC failures frequently stem from SPF and DKIM alignment issues, where the 'From:' header domain doesn't match the domain that passed SPF or the DKIM d= domain.
  • PSL Influence: The Public Suffix List (PSL) decides where the organizational domain boundary sits, so a parent domain that is listed on it and its subdomains no longer align.
  • Policy Configuration: Subdomain DMARC policies are often misconfigured, leading to failures if not explicitly set or if they conflict with parent domain policies.
  • Relaxed Alignment Benefits: Relaxed alignment ('aspf=r' and 'adkim=r', the DMARC default) lets a subdomain align with its organizational domain; strict alignment ('s') requires an exact match and commonly breaks subdomains that use different sending providers.
  • Persistent PSL Issues: Past listings on the PSL can continue to cause DMARC problems because receivers cache copies of the list, even after the domain is removed.
  • Delegation Issues: Subdomain delegation to other teams or providers is often overlooked, leaving subdomains without correct SPF, DKIM or DMARC records.

Key considerations

  • SPF/DKIM Setup: Ensure proper SPF and DKIM configuration for each subdomain, aligning with the 'From:' domain.
  • PSL Awareness: Be aware of the Public Suffix List (PSL) and its potential impact on subdomain alignment, including the possibility of persistent issues due to caching.
  • Explicit Policies: Define explicit DMARC policies for subdomains (directly, or via sp= on the organizational domain), avoiding conflicts with parent domain policies, and keep alignment relaxed unless strict is genuinely needed.
  • Sending Infrastructure: Pay close attention to SPF and DKIM setup when using different sending infrastructures for subdomains, and consider SPF flattening if the limit of 10 DNS lookups is reached.
  • Forwarding Impact: Be aware that forwarding can break SPF alignment, leading to DMARC failures.

What email marketers say

10 marketer opinions

DMARC failures on subdomains most often stem from SPF or DKIM misalignment with the 'From:' header domain. The Public Suffix List (PSL) can also break alignment: when the parent domain is itself listed, its subdomains become separate organizational domains and no longer align with it under relaxed mode. Explicitly defining subdomain DMARC policies and keeping alignment relaxed ('aspf=r' and 'adkim=r', the default) helps, especially when subdomains use different sending providers. Managing subdomain delegation and configuring SPF and DKIM for each subdomain's own infrastructure is also crucial. Forwarding breaks SPF alignment, which leads to DMARC failures unless an aligned DKIM signature survives the hop. Exceeding the SPF limit of 10 DNS lookups and leaving a subdomain with neither an SPF record nor an aligned DKIM signature are other common pitfalls.

Key opinions

  • PSL Impact: If the parent domain is listed on the Public Suffix List (PSL), its subdomains are treated as separate organizational domains, so relaxed alignment between them fails.
  • Alignment Issues: SPF and DKIM misalignment with the 'From:' header domain is a frequent cause of DMARC failures on subdomains.
  • Explicit Policies: Explicitly defining DMARC policies for subdomains (or the sp= tag on the organizational domain) ensures they don't silently inherit the parent's p= policy.
  • Relaxed Alignment: Relaxed alignment ('aspf=r' and 'adkim=r', the default) lets a subdomain align with its organizational domain; strict ('s') requires an exact match and causes failures when subdomains use different providers.
  • SPF Lookup Limit: Exceeding the SPF limit of 10 DNS-querying terms (include, a, mx, ptr, exists, redirect) returns permerror, which counts as an SPF failure for DMARC.
  • Authentication Source: DMARC passes only when at least one of SPF or DKIM passes with an aligned identifier, so a subdomain needs either its own SPF record or DKIM signatures with an aligned d= (the subdomain itself, or the organizational domain under relaxed alignment).

Key considerations

  • Subdomain Delegation: Carefully manage subdomain delegation, especially when different teams or services use different subdomains.
  • Infrastructure Configuration: Ensure proper SPF and DKIM configuration for each subdomain's unique sending infrastructure.
  • Forwarding Impact: Be aware that forwarding can break SPF alignment, causing DMARC failures.
  • Policy Restrictiveness: Avoid overly restrictive DMARC records for subdomains; consider using relaxed alignment for better compatibility.
  • SPF Flattening: If multiple third-party services push the record toward the limit of 10 DNS lookups, consider SPF flattening (inlining the included networks), and keep the flattened record maintained as vendors change their ranges.
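As an added example (not code from the page or from the sources it quotes), the script below counts the DNS lookups an SPF record costs by walking its include: chain the way an evaluator does, shows the subdomain-includes-the-root mistake mentioned above blowing past the limit of 10, and flattens the include: chain to get back under it. The zone, domain names and addresses are constructed for the example.

```python
"""Added example: counting the DNS lookups an SPF record costs (RFC 7208
section 4.6.4 caps include, a, mx, ptr, exists and redirect at 10 in total,
and exceeding it is a permerror) and flattening include: chains to get back
under the cap. The zone below is constructed for the example; nothing is
resolved over the network.
"""

MAX_LOOKUPS = 10
LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists"}

# Constructed zone: a root domain using two vendors, and a subdomain record
# that makes the classic mistake of including the root on top of the vendors.
SPF_ZONE = {
    "example.com": "v=spf1 mx include:_spf.crm.example include:_spf.esp.example ip4:203.0.113.10 -all",
    "_spf.crm.example": "v=spf1 include:_nb1.crm.example include:_nb2.crm.example -all",
    "_nb1.crm.example": "v=spf1 ip4:198.51.100.0/24 -all",
    "_nb2.crm.example": "v=spf1 ip4:192.0.2.0/25 ip6:2001:db8:1::/48 -all",
    "_spf.esp.example": "v=spf1 a:relay.esp.example include:_spf.sub.esp.example ~all",
    "_spf.sub.esp.example": "v=spf1 ip4:192.0.2.128/26 exists:%{i}.rbl.esp.example -all",
    "mail.example.com": "v=spf1 include:example.com include:_spf.esp.example include:_spf.crm.example mx a ptr -all",
}


def spf_terms(txt):
    """Split a record after the v=spf1 tag into (qualifier, body) pairs."""
    terms = []
    for term in txt.split()[1:]:
        if term[0] in "+-~?":
            terms.append((term[0], term[1:]))
        else:
            terms.append(("+", term))
    return terms


def count_lookups(domain, zone, path=()):
    """Total DNS-querying terms reached from domain, counted the way an
    evaluator does: every include/redirect costs one and then its target's
    terms are counted too. Raises on an include loop (permerror in practice)."""
    if domain in path:
        raise ValueError("include loop via " + domain)
    txt = zone.get(domain)
    if txt is None:
        return 0  # the term that sent us here was already counted
    total = 0
    for _q, body in spf_terms(txt):
        if body.startswith("redirect="):
            total += 1 + count_lookups(body[len("redirect="):], zone, path + (domain,))
            continue
        name, _, arg = body.partition(":")
        name = name.split("/")[0]  # strip a CIDR suffix such as a/24 or mx/24
        if name in LOOKUP_MECHS:
            total += 1
            if name == "include":
                total += count_lookups(arg, zone, path + (domain,))
    return total


def flatten(domain, zone, path=()):
    """Inline include: targets so the record makes no include lookups.

    Assumption (true of most vendor records): included records contain only
    pass-qualified terms plus a trailing all. Their all is dropped and their
    terms take the include's own qualifier. a/mx/exists/ptr terms are kept
    verbatim; they still cost a lookup each unless resolved to addresses.
    """
    if domain in path:
        raise ValueError("include loop via " + domain)
    out = []
    for q, body in spf_terms(zone[domain]):
        name, _, arg = body.partition(":")
        if name == "include":
            for iq, ibody in flatten(arg, zone, path + (domain,)):
                if iq == "+" and ibody != "all":
                    out.append((q, ibody))
        else:
            out.append((q, body))
    return out


def build_record(terms):
    """Serialize (qualifier, body) pairs back into a v=spf1 string."""
    return "v=spf1 " + " ".join(("" if q == "+" else q) + body for q, body in terms)


if __name__ == "__main__":
    for name in ("example.com", "mail.example.com"):
        n = count_lookups(name, SPF_ZONE)
        print(f"{name}: {n} lookups{' (over the limit of 10)' if n > MAX_LOOKUPS else ''}")
    flat = build_record(flatten("example.com", SPF_ZONE))
    print("flattened example.com:", flat)
    print("lookups after flattening:", count_lookups("example.com", {"example.com": flat}))
```

The root record costs 8 lookups; the subdomain record that re-includes the root on top of the same vendors costs 19 and will return permerror at every receiver. Flattening the root brings it to 3 (the remaining mx, a and exists terms), which is why flattened records must be regenerated whenever a vendor changes its netblocks.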

Marketer view

Email marketer from StackOverflow shares that DMARC failures often stem from SPF and DKIM misalignment. Specifically, the 'header from' domain should align with the domain that passes SPF or DKIM. He shares that if your subdomain is sending emails, and the SPF record is misconfigured to include the top-level domain, this may cause a problem if there are different providers sending from the subdomains. Additionally, DMARC needs to be explicitly set to 'relaxed' alignment.

17 Jul 2023 - StackOverflow

Marketer view

Email marketer from Mailhardener explains that the Public Suffix List (PSL) can impact DMARC alignment. The PSL defines which domains are considered top-level domains. If a subdomain and its parent domain are both on the PSL, they are treated as separate entities, and DMARC alignment will fail unless explicitly configured to allow it.

9 Jun 2022 - Mailhardener

What the experts say

5 expert opinions

DMARC failures on subdomains can also be traced to the domain having previously been listed on the Public Suffix List (PSL): receivers cache copies of the list, so the effect persists after removal. The PSL decides how DMARC determines the organizational domain for alignment, and therefore whether subdomains are treated as part of the parent domain; this affects both SPF and DKIM alignment and can cause failures. To mitigate this, avoid using the bare domain in email communications, or better, don't add your domain to the PSL in the first place. Subdomains that have no DMARC record of their own inherit the organizational domain's policy (the sp= tag if present, otherwise p=), so publishing a record on the root domain covers them.

Key opinions

  • PSL Caching: The Public Suffix List (PSL) is cached, meaning past listings can continue to affect DMARC even after removal.
  • Organizational Domains: The PSL influences how DMARC determines organizational domains, which affects alignment between subdomains and parent domains.
  • Alignment Impact: PSL listings can cause DMARC to treat subdomains as separate entities, leading to authentication failures.
  • Domain Use: Using the bare domain in email communications can lead to authentication problems due to PSL-related alignment issues.

Key considerations

  • Avoid PSL Listing: Carefully consider the implications before adding your domain to the Public Suffix List.
  • Root Domain Policy: A DMARC record on the root (organizational) domain covers subdomains that have none of their own; they inherit sp= if present, otherwise p=, which simplifies management.
  • Alternative Domains: Consider using an alternative domain if issues persist due to past PSL listings.
  • Domain Usage: Be cautious of using bare domain names in email addresses.
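The mechanics behind the Summary and the expert section above (organizational domain via the PSL, DMARC record discovery, sp= versus p= inheritance, and relaxed versus strict alignment) are easier to see in code. The script below is an added example, not code from the page or from Word to the Wise; its PSL fragment, DNS records and domain names are constructed, and it treats a domain that is itself a public suffix as its own organizational domain (an assumption, since receivers differ on that corner case).

```python
"""Added example: how the Public Suffix List (PSL) fixes the DMARC
organizational domain, and how that drives record discovery, the policy a
subdomain inherits (sp= vs p=), and identifier alignment.

Everything below is constructed for the example; no DNS is queried.
"""

# Constructed PSL fragment (a real PSL is thousands of suffixes). The second
# set adds example.com to show what listing your own domain does.
PSL_BASE = {"com", "net", "co.uk"}
PSL_WITH_EXAMPLE = PSL_BASE | {"example.com"}

# Constructed DMARC TXT records keyed by the owner name they would live at.
# The root publishes sp= so subdomains get quarantine rather than reject.
DMARC_RECORDS = {
    "_dmarc.example.com": "v=DMARC1; p=reject; sp=quarantine; aspf=r; adkim=r",
}


def organizational_domain(domain, psl):
    """RFC 7489 section 3.2: longest matching public suffix plus one label.

    A domain that is itself on the PSL is returned unchanged (assumption for
    this example; receivers differ in how they treat mail from a public suffix).
    """
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in psl:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])  # no PSL match: fall back to the last two labels


def parse_dmarc(txt):
    """Turn 'v=DMARC1; p=reject; sp=quarantine' into a tag dict."""
    tags = {}
    for part in txt.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def discover_policy(from_domain, psl, records):
    """RFC 7489 section 6.6.3: look for _dmarc.<From domain>, then, if that is
    absent, _dmarc.<organizational domain>. Returns (policy, record_owner, tags)."""
    txt = records.get("_dmarc." + from_domain)
    if txt is not None:
        tags = parse_dmarc(txt)
        return tags.get("p"), from_domain, tags
    org = organizational_domain(from_domain, psl)
    if org != from_domain and "_dmarc." + org in records:
        tags = parse_dmarc(records["_dmarc." + org])
        # A subdomain without its own record inherits sp= if present, else p=.
        return tags.get("sp", tags.get("p")), org, tags
    return None, None, {}


def aligned(from_domain, auth_domain, mode, psl):
    """Identifier alignment (RFC 7489 section 3.1): 's' needs an exact match,
    'r' (the default) needs the same organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return organizational_domain(from_domain, psl) == organizational_domain(auth_domain, psl)


def evaluate(from_domain, spf_domain, spf_pass, dkim_domain, dkim_pass, psl, records):
    """Combine policy discovery and alignment into a DMARC verdict.

    spf_domain is the envelope sender (Return-Path) domain that SPF checked;
    dkim_domain is the d= tag of the signature that verified.
    """
    policy, owner, tags = discover_policy(from_domain, psl, records)
    spf_ok = spf_pass and aligned(from_domain, spf_domain, tags.get("aspf", "r"), psl)
    dkim_ok = dkim_pass and aligned(from_domain, dkim_domain, tags.get("adkim", "r"), psl)
    return {
        "org_domain": organizational_domain(from_domain, psl),
        "policy": policy,
        "record_owner": owner,
        "spf_aligned": spf_ok,
        "dkim_aligned": dkim_ok,
        "dmarc_pass": spf_ok or dkim_ok,
    }


if __name__ == "__main__":
    # Subdomain mail sent by an ESP: SPF passes on the ESP's own bounce domain
    # (not aligned), DKIM is signed with d=example.com (aligned under relaxed).
    common = ("mail.example.com", "bounce.esp.example", True, "example.com", True)
    print("normal PSL        :", evaluate(*common, PSL_BASE, DMARC_RECORDS))
    # Same message after example.com is listed on the PSL: the organizational
    # domain collapses to mail.example.com, so the root record is not found
    # and d=example.com no longer aligns.
    print("example.com on PSL:", evaluate(*common, PSL_WITH_EXAMPLE, DMARC_RECORDS))
```

With the normal PSL the subdomain inherits sp=quarantine from the root and passes on the aligned DKIM signature even though SPF is unaligned, which is the forwarding-safe configuration. Once example.com is on the PSL the same message finds no policy at all and the d=example.com signature stops aligning; switching the root record to adkim=s reproduces the same DKIM failure without any PSL involvement, which is why strict alignment is rarely worth it for subdomain senders.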

Expert view

Expert from Word to the Wise explains not to add your domain to the Public Suffix List. He shares that the PSL's original purpose was to isolate cookies and that it now also affects email. Because it causes issues with email authentication, he says not to request that your domain be added to the list.

22 Sep 2022 - Word to the Wise

Expert view

Expert from Word to the Wise explains how organizational domains, influenced by the Public Suffix List (PSL), impact DMARC. He shares that DMARC relies on the concept of organizational domains to determine if the domain in the 'From:' header aligns with the domain used for SPF or DKIM authentication. The PSL defines which domains are considered top-level domains, affecting how DMARC evaluates alignment. He also explains how DMARC alignment could fail unexpectedly if the sending and receiving domains aren't considered to be in the same organizational domain.

11 Sep 2022 - Word to the Wise

What the documentation says

5 technical articles

DMARC failures on subdomains are frequently caused by SPF or DKIM alignment issues, where the domain in the 'From:' header doesn't match the domain used for authentication. The Public Suffix List (PSL) determines the organizational domain used for relaxed alignment and for record discovery: a domain that appears on the PSL is treated as a public suffix, so its subdomains become separate organizational domains. Proper SPF and DKIM configuration for each subdomain is essential, ensuring alignment with the 'From:' domain, and conflicts with the parent domain's DMARC policy must be avoided. RFC 7489 defines the organizational domain in terms of the PSL and uses it for both alignment and policy lookup.

Key findings

  • Alignment is Key: DMARC failures often arise from misalignment between the 'From:' header domain and the domain used for SPF or DKIM authentication.
  • PSL Influence: The Public Suffix List (PSL) determines the organizational domain, impacting how subdomains and parent domains align for DMARC checks.
  • Subdomain Configuration: Proper SPF and DKIM configuration is crucial for each subdomain to ensure DMARC passes.
  • Conflict Avoidance: Conflicts between subdomain and parent domain DMARC policies can lead to DMARC failures.

Key considerations

  • Authentication Setup: Carefully configure SPF and DKIM records for each subdomain, ensuring correct alignment with the 'From:' domain.
  • PSL Awareness: Be aware of the Public Suffix List (PSL) and its potential impact on subdomain alignment.
  • Policy Management: Manage DMARC policies for subdomains to prevent conflicts with parent domain policies.
  • Third-Party Senders: Pay close attention to SPF and DKIM setup when using third-party senders for subdomains.

Technical article

Documentation from Microsoft explains that a common reason for DMARC failure is incorrect SPF or DKIM setup on the subdomain. The domain used in the 'From:' header needs to align with the SPF or DKIM records for that specific subdomain. Misalignment, especially with third-party senders, can lead to DMARC failures.

30 Sep 2024 - Microsoft

Technical article

Documentation from Google explains that DMARC failures can occur due to SPF or DKIM alignment issues. If the domain in the 'From:' header doesn't match the domain used to authenticate the email (either SPF or DKIM), DMARC will fail. Subdomain DMARC policies can also be misconfigured, leading to failures if not set up correctly to handle subdomain sending.

7 May 2024 - Google
