DMARC failing for a subdomain can be a complex issue, especially when SPF and DKIM appear to pass or the DMARC policy is set to p=NONE. One of the most subtle yet impactful factors is the Public Suffix List (PSL). The PSL dictates how email systems (and web browsers) identify the organizational domain, which is crucial for DMARC alignment checks. When a domain, including a top-level domain or a specific brand domain (like ghost.io in our example), is listed on the PSL, it can change how its subdomains are perceived for alignment, leading to unexpected DMARC failures.
Key findings
PSL impact: When a domain is on the Public Suffix List, it's treated like a top-level domain (e.g., .com or .org), which can disrupt DMARC's organizational domain alignment logic for its subdomains.
Subdomain alignment: If a subdomain (e.g., m1.ghost.io) is used for sending, but the From: header uses the root domain (e.g., ghost.io), and the root domain is on the PSL, it can cause DMARC failures due to misalignment.
Cached PSL data: Mail receivers often use static, cached snapshots of the PSL. Even if a domain is removed from the current PSL, older systems might still use an outdated list where the domain was present, leading to ongoing DMARC failures.
DMARC policy inheritance: Typically, DMARC policies set on the root domain apply to subdomains. However, explicit subdomain DMARC records or a domain's PSL status can affect this inheritance.
Key considerations
Consistent alignment: Ensure that the domain in your From: header consistently aligns with the domain authenticated by SPF or DKIM. If you're sending from a subdomain, consider having your From: address also use a subdomain to maintain alignment.
PSL review: If you're experiencing DMARC issues with subdomains, check if your root domain is, or ever was, on the Public Suffix List. This could be a persistent cause of misalignment.
Monitoring and testing: Regularly monitor DMARC reports and use email testing tools to verify alignment and DMARC pass/fail results for all your sending domains and subdomains. This helps identify when DMARC is failing and track down the specific cause.
Email marketers often face challenges with DMARC for subdomains, particularly when dealing with third-party sending services or complex email infrastructures. The common expectation is that a DMARC record on the root domain should inherently cover all subdomains, assuming proper alignment. However, real-world scenarios, like those influenced by the Public Suffix List, can introduce unexpected DMARC failures that are difficult to diagnose without a deep understanding of underlying mechanisms. Marketers frequently express frustration when seemingly correct SPF and DKIM configurations still result in DMARC authentication issues.
Key opinions
Unexpected failures: Many marketers are puzzled when DMARC fails for subdomains despite SPF and DKIM passing, especially when the DMARC policy is set to p=NONE, suggesting a deeper, non-obvious issue.
Subdomain inheritance: The common belief is that a root domain's DMARC policy should automatically apply to subdomains, making failures for subdomains sending as the root domain particularly confusing.
Third-party senders: Using various sending platforms often introduces complexities in maintaining consistent DMARC alignment across different subdomains and their corresponding From: addresses.
Troubleshooting difficulty: Without detailed header analysis or DMARC reports, pinpointing the exact cause of subdomain DMARC failures remains a significant challenge for marketers.
Key considerations
Domain consistency: For email sent from a subdomain, always ensure the From: header consistently uses the subdomain to maintain alignment, especially if the root domain's PSL status is ambiguous.
DMARC record review: Regularly check your DMARC records for both root and subdomains. While sp=NONE might seem permissive, underlying PSL issues can still cause problems. Kinsta provides methods for fixing DMARC errors.
Utilize DMARC reports: Leverage DMARC aggregate and forensic reports to identify specific sources of failure, even for subdomains. These reports can provide clues about unexpected domain treatments.
Clear subdomain strategy: Define a clear strategy for using subdomains in your email program, especially regarding how their From: addresses and authentication records are configured relative to the root domain.
Marketer view
Email marketer from Email Geeks explains that they are currently out of ideas trying to figure out why DMARC is failing for a specific customer scenario.
03 Feb 2025 - Email Geeks
Marketer view
Marketer from Marketing Blog shares that their DMARC reports frequently show failures for campaigns sent from subdomains, even when SPF and DKIM authentication appear to pass.
10 Jan 2025 - Marketing Blog
What the experts say
Email deliverability experts highlight that DMARC failures for subdomains, even with seemingly correct SPF and DKIM, are often rooted in the interaction with the Public Suffix List (PSL). This list, initially designed for browser security, has an unintended impact on DMARC's organizational domain alignment. Crucially, the caching behavior of PSL data by mail receivers means that historical entries can continue to cause issues long after a domain has been removed from the live list. Experts emphasize that careful configuration and consistent domain usage are key mitigation strategies.
Key opinions
PSL as a root cause: The Public Suffix List being used by DMARC for organizational domain determination is a critical factor in unexpected subdomain failures.
Cached versions: Older, cached versions of the PSL on receiving mail servers can cause persistent DMARC failures for domains that were once, but are no longer, on the PSL.
Alignment logic: DMARC checks TLD+1 based on the PSL. If a domain is on the PSL, its subdomains become their own TLD+1, breaking expected alignment with the registered domain.
Mitigation: To ensure DMARC passes reliably, it's advised to avoid using the bare root domain (if it's a PSL entry) in the From: header or DKIM d= tag, instead consistently using subdomains.
Key considerations
PSL's original intent: Understand that the PSL was designed primarily for browser cookie isolation, and its adoption by DMARC has led to some conflicting behaviors in email authentication.
Impact of adkim and aspf: Even with relaxed alignment (r), the PSL's influence on the organizational domain can cause failures when a subdomain is used for sending and the From: header is the root domain (or vice versa).
DMARCbis developments: The proposed DMARCbis update includes a domain walk alignment algorithm to address PSL complexities, but wide support and adoption are still some time away. More details are available from Only Influencers on DMARC changes.
Debugging tools: Tools that provide deep insights into email headers and DMARC alignment can uncover issues not immediately apparent, such as those related to PSL interpretation by different receiving systems.
Expert view
Expert from Email Geeks suggests that initial DMARC troubleshooting often benefits from reviewing full email headers via analysis tools, which can help spot less obvious issues.
03 Feb 2025 - Email Geeks
Expert view
Expert from Spamresource states that adding domains to the Public Suffix List, while intended for browser security, can inadvertently complicate email authentication due to DMARC's reliance on it for organizational domain determination.
01 Apr 2025 - Spamresource
What the documentation says
Technical documentation and RFCs define how DMARC, SPF, and DKIM work together to authenticate email. A key aspect of DMARC is alignment, which relies on identifying the organizational domain. The Public Suffix List plays a pivotal, albeit sometimes complex, role in this determination. While DMARC policies are designed to cascade to subdomains, the nuances of the PSL can introduce exceptions, treating subdomains as distinct entities for alignment purposes, especially under strict alignment rules.
Key findings
Organizational domain definition: The Public Suffix List helps identify the 'organizational domain' (or TLD+1), which is the effective root domain for a given hostname, critical for DMARC alignment.
DMARC alignment rules: DMARC requires that the domain in the From: header aligns with either the SPF-authenticated domain (Mail From) or the DKIM-signed domain (d= tag).
PSL's impact on alignment: If a domain is listed on the PSL, its immediate subdomains are treated as separate organizational domains, which can cause alignment failures if the From: header doesn't match this new 'effective root'.
Subdomain policy (sp tag): The DMARC sp tag allows for a specific DMARC policy for subdomains, which can override the main p policy but doesn't resolve underlying PSL alignment issues.
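The following added example (not code from the original page or from any receiver's implementation) works through the organizational-domain and alignment rules above for the page's ghost.io / m1.ghost.io case, comparing a receiver that holds a cached PSL copy listing ghost.io with one whose copy does not. Both PSL snapshots are constructed for illustration, only exact PSL rules are handled (no wildcard or exception rules), and all function names are illustrative.

```python
# Constructed PSL snapshots for illustration only; not real PSL data.
STALE_PSL = {"com", "io", "ghost.io"}   # cached copy that still lists ghost.io
CURRENT_PSL = {"com", "io"}             # copy taken after the entry was removed


def public_suffix(domain, psl):
    """Longest suffix of `domain` found in the snapshot (exact rules only)."""
    labels = domain.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in psl:
            return candidate
    return labels[-1]  # PSL default rule "*": an unlisted TLD is the suffix


def organizational_domain(domain, psl):
    """Public suffix plus one more label, per RFC 7489 section 3.2."""
    domain = domain.lower().rstrip(".")
    suffix = public_suffix(domain, psl)
    if domain == suffix:
        return domain  # assumption: a bare public suffix is its own org domain
    next_label = domain[: -len(suffix) - 1].split(".")[-1]
    return f"{next_label}.{suffix}"


def aligned(from_domain, auth_domain, psl, mode="r"):
    """mode 's': exact match; mode 'r': same organizational domain."""
    f = from_domain.lower().rstrip(".")
    a = auth_domain.lower().rstrip(".")
    if mode == "s":
        return f == a
    return organizational_domain(f, psl) == organizational_domain(a, psl)


def compare_receivers(from_domain, auth_domain):
    """Relaxed-alignment verdict at a receiver with each snapshot."""
    return {
        "stale": aligned(from_domain, auth_domain, STALE_PSL),
        "current": aligned(from_domain, auth_domain, CURRENT_PSL),
    }


if __name__ == "__main__":
    print(compare_receivers("ghost.io", "m1.ghost.io"))     # root in From:
    print(compare_receivers("m1.ghost.io", "m1.ghost.io"))  # subdomain in From:
```

With the root domain in From: the two receivers disagree, while a From: address on the same subdomain as the authenticated domain aligns under either snapshot.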
Key considerations
Strict vs. relaxed alignment: Understand the difference between strict (s) and relaxed (r) alignment tags, as PSL entries primarily affect strict alignment by changing the perceived organizational domain. DuoCircle provides additional causes and solutions for DMARC failures on their website.
Domain registration and PSL: If you operate a domain that acts like a top-level domain for user-controlled subdomains (e.g., dynamic DNS services), adding it to the PSL might be necessary for browser security but will complicate DMARC.
DKIM d= tag: Ensure the domain specified in the DKIM d= tag is properly set to align with the From: header's organizational domain, taking into account any PSL influences. Resolve DKIM failures for subdomains with proper setup.
Future DMARC standards: Be aware of ongoing discussions and proposals, like DMARCbis, which aim to clarify and potentially revise how domain alignment works to alleviate current PSL-related issues. SIDN discusses this in their guide on implementing DMARC.
Technical article
RFC 7489 (DMARC) states that DMARC leverages SPF and DKIM to provide domain authentication, requiring alignment between the From: header domain and the authenticated domain for a successful check.
01 Aug 2023 - RFC 7489 (DMARC)
Technical article
The Public Suffix List Definition explains that the PSL is a database of domain suffixes that are not private domains, used by browsers and other applications to determine the effective 'root' of a domain name.