Why is DMARC failing for my subdomain, and how does the Public Suffix List affect DMARC alignment?
Michael Ko
Co-founder & CEO, Suped
Published 24 Apr 2025
Updated 18 Aug 2025
7 min read
Dealing with DMARC failures can be a frustrating experience, especially when all the signs point to your SPF and DKIM records being correctly configured. It's even more perplexing when DMARC passes for your main domain, but mysteriously fails for one of your subdomains, even when you expect it to inherit the parent policy.
The core of DMARC's effectiveness lies in domain alignment. When you send an email, DMARC checks if the domain in the From header (RFC5322.From) aligns with the domains authenticated by SPF (RFC5321.MailFrom, also known as Return-Path) or DKIM (d= domain). For subdomains, this typically means they should align with the parent domain if the DMARC record specifies a relaxed alignment.
However, there's a lesser-known factor that can severely impact DMARC alignment for subdomains: the Public Suffix List (PSL). This list, while serving a different primary purpose, plays a crucial and often overlooked role in how email authentication mechanisms interpret domain relationships. If your domain or one of its parents appears on this list, it can lead to unexpected DMARC failures.
DMARC authentication relies on SPF and DKIM passing and, crucially, aligning with the domain in the From header. Alignment can be either strict (exact match) or relaxed (subdomain matches organizational domain).
By default, a DMARC record published on a root domain, like example.com, applies to all its subdomains unless a specific DMARC record is published for that subdomain. The sp tag within a DMARC record allows you to define a separate policy for subdomains. For more on how these policies work, review DMARC policy application with subdomains and the DMARC sp tag.
Typically, if your DMARC record has adkim=r and aspf=r (relaxed alignment), an email sent from sub.example.com with a From address of @example.com should pass DMARC. This is because both sub.example.com and example.com share the same organizational domain. However, this is precisely where the Public Suffix List can introduce unexpected complications.
The Public Suffix List and its impact on DMARC
The Public Suffix List (PSL) is a list of domain suffixes that are considered public, meaning that anyone can register domains under them. Examples include .com, .org, and various country code top-level domains (ccTLDs). Its original purpose was to prevent malicious cookie handling across different websites. For DMARC, the PSL is used to identify the organizational domain (or effective TLD+1) for alignment checks. Learn more about the PSL's use in DMARC in this article.
The critical issue arises if your actual organizational domain (e.g., yourdomain.io) happens to be on the PSL itself. In such a scenario, DMARC checking software will treat yourdomain.io as a public suffix, just like .com. This means that subdomains like m1.yourdomain.io are then considered their own organizational domain. As a result, when an email with a From address of @yourdomain.io is sent from m1.yourdomain.io, the domains will be seen as misaligned, leading to DMARC failure.
This problem is further compounded by how the PSL is used. It's often cached or burned into the code of older email systems. Even if your domain is removed from the current PSL, older systems using outdated snapshots will continue to treat it as a public suffix, causing persistent DMARC failures. This is why it's generally advised not to add your domain to the PSL if you intend to use it for email.
Expected DMARC alignment
Standard behavior: A subdomain like sub.example.com should align with example.com under relaxed DMARC policies.
Alignment check: Both domains share the same organizational domain (example.com), allowing for alignment if SPF or DKIM passes.
PSL-affected DMARC alignment
PSL impact: If example.com is on the PSL, sub.example.com becomes its own organizational domain.
Alignment failure: Sending from sub.example.com with a From address of @example.com will fail DMARC alignment.
Diagnosing and resolving PSL-related DMARC failures
If you suspect PSL-related DMARC failures, the first step is to analyze your email headers and DMARC reports thoroughly. Tools that provide detailed breakdowns of SPF, DKIM, and DMARC results can help pinpoint the exact point of misalignment. Look for indicators where SPF or DKIM appear to pass, but DMARC reports show alignment failures, particularly when the organizational domain is identified differently than expected. This process is crucial for debugging DMARC authentication failures.
One common scenario that leads to these failures is when you are sending from a subdomain (e.g., m1.ghost.io) but using the root domain (ghost.io) in your From header. If ghost.io is (or was historically) on the PSL, then m1.ghost.io is treated as a distinct organizational domain. DMARC then fails because the authenticated domain, m1.ghost.io, no longer shares an organizational domain with the From domain, ghost.io, so neither relaxed nor strict alignment can succeed.
Unfortunately, once a domain has been on the PSL, it can be extremely difficult to undo the impact on older, non-updated email systems that rely on outdated PSL snapshots. The most reliable mitigation strategy is to avoid using the affected domain directly in the From header or for DKIM signing. Instead, use a subdomain of the affected domain (e.g., mail.yourdomain.io) consistently for both sending and authentication. For a comprehensive list of DMARC tags, refer to our guide to DMARC tags.
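The alignment logic described above, and the subdomain mitigation just given, as an added example that is not part of the original article: a minimal model of how a receiver derives the organizational domain from a Public Suffix List snapshot and then evaluates DMARC alignment. Both PSL snapshots and the domain names are constructed for illustration; wildcard and exception rules of the real PSL algorithm are left out.

```python
# Added example, not from the original article: a minimal model of how a DMARC
# verifier derives the organizational domain from a Public Suffix List snapshot
# and then checks identifier alignment. Both PSL snapshots are constructed.
PSL_NORMAL = {"com", "io"}                             # yourdomain.io not listed
PSL_WITH_YOURDOMAIN = {"com", "io", "yourdomain.io"}   # yourdomain.io listed as a suffix


def organizational_domain(domain: str, psl: set[str]) -> str:
    """Public suffix plus one label. The longest matching PSL rule wins;
    wildcard and exception rules are omitted for brevity."""
    labels = domain.lower().rstrip(".").split(".")
    best = 0
    for i in range(len(labels) - 1, -1, -1):      # try suffixes short to long
        if ".".join(labels[i:]) in psl:
            best = len(labels) - i
    if best == 0:
        best = 1                                   # PSL default rule: bare TLD
    keep = min(len(labels), best + 1)
    return ".".join(labels[-keep:])


def aligned(from_domain: str, auth_domain: str, psl: set[str], mode: str = "r") -> bool:
    """'s' = strict (exact match), 'r' = relaxed (same organizational domain)."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return organizational_domain(from_domain, psl) == organizational_domain(auth_domain, psl)


def dmarc_pass(from_domain, spf_domain, spf_ok, dkim_domain, dkim_ok, psl,
               aspf="r", adkim="r"):
    """DMARC passes when SPF or DKIM passes AND that identifier aligns with From."""
    spf_aligned = spf_ok and aligned(from_domain, spf_domain, psl, aspf)
    dkim_aligned = dkim_ok and aligned(from_domain, dkim_domain, psl, adkim)
    return spf_aligned or dkim_aligned


if __name__ == "__main__":
    # Mail sent from m1.yourdomain.io (SPF and DKIM both pass) with From @yourdomain.io.
    for name, psl in (("normal PSL", PSL_NORMAL), ("yourdomain.io on PSL", PSL_WITH_YOURDOMAIN)):
        ok = dmarc_pass("yourdomain.io", "m1.yourdomain.io", True, "m1.yourdomain.io", True, psl)
        org = organizational_domain("m1.yourdomain.io", psl)
        print(f"{name}: org(m1.yourdomain.io)={org} -> DMARC {'pass' if ok else 'fail'}")
    # Mitigation from the article: use mail.yourdomain.io for From, Return-Path and d= alike.
    print("mitigation:", dmarc_pass("mail.yourdomain.io", "mail.yourdomain.io", True,
                                    "mail.yourdomain.io", True, PSL_WITH_YOURDOMAIN))
```

Swap in a PSL snapshot that still lists your domain to reproduce what an older receiver with cached PSL data will compute.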
PSL causes persistent DMARC failures
If your domain was ever on the Public Suffix List, even if it has since been removed, older email receiving systems that rely on cached or burned-in versions of the PSL will continue to treat your domain as a top-level suffix. This can result in DMARC alignment failures that are beyond your direct control to fix instantly, as it requires those systems to update their PSL data.
Proactive DMARC configuration for subdomains
To prevent DMARC issues related to subdomains, it's essential to configure your DMARC records carefully. While DMARC policies do propagate from root domains to subdomains by default, you can also publish explicit DMARC records for specific subdomains if needed. For guidance on how to configure your DMARC records for subdomains effectively, refer to our comprehensive article, Do I need to set up DMARC for subdomains?.
Always ensure your SPF and DKIM authentication is robust. For relaxed alignment, DMARC will pass if the organizational domain of your SPF or DKIM identifier matches the organizational domain of your From header. For a deeper understanding of these concepts, consider reading A simple guide to DMARC, SPF, and DKIM.
Key takeaways
Subdomain DMARC failures, particularly those influenced by the Public Suffix List, highlight the intricate nature of email authentication. While SPF and DKIM might pass, a hidden factor like an entry on the PSL can unexpectedly break DMARC alignment, leading to deliverability issues.
Understanding how the PSL impacts your organizational domain and its subdomains is crucial for maintaining consistent DMARC compliance. By carefully configuring your DMARC records and being aware of the nuances of domain alignment, you can significantly improve your email deliverability and protect your brand's reputation.
Views from the trenches
Best practices
Maintain separate DMARC records for subdomains if they have different sending behaviors or requirements than the root domain.
Always align your DKIM 'd=' domain or SPF 'Return-Path' domain with your 'From' header, ensuring both match the organizational domain.
Regularly monitor your DMARC reports, as they provide critical insights into alignment failures and potential PSL-related issues.
Use a subdomain for sending emails if your root domain has ever been listed on the Public Suffix List, to mitigate persistent alignment problems.
Common pitfalls
Assuming DMARC inheritance will always work perfectly for subdomains without considering specific configurations or external factors like the PSL.
Ignoring DMARC failure reports, leading to deliverability problems that could be caused by misinterpretations of domain relationships.
Not recognizing that older email systems might use outdated Public Suffix List data, causing DMARC failures even if your domain is no longer on the current list.
Having too short a DKIM signature expiry time, which can lead to legitimate emails failing DKIM validation if delivery is delayed.
Expert tips
Email Geeks expert steve589 suggests that if you cannot get the root domain to align for DMARC, consider using a different organizational domain entirely for email, such as one ending in .org instead of .io.
Email Geeks expert tvjames emphasizes that DMARC failures are often due to DNS configuration, even when it appears correct, so a deep dive into DNS records is always warranted.
Email Geeks expert aiverson clarified that if the DMARC record's SPF alignment mode is set to relaxed ('aspf=r'), SPF alignment is not strictly required for DMARC to pass.
Email Geeks expert steve589 advises that using an email analysis tool is crucial for spotting corner cases that are not immediately obvious from header snippets.
Expert view
Expert from Email Geeks says a subdomain alignment should typically pass, and if it does not, it often points to a DNS configuration issue.
2024-02-03 - Email Geeks
Expert view
Expert from Email Geeks says the Public Suffix List's treatment of a domain as a top-level domain can cause DMARC alignment failures for its subdomains.