Do I need to set up DMARC for subdomains?
Summary
What email marketers say8Marketer opinions
Marketer from Email Geeks answers the question by stating `sp=` is for subdomains that don’t publish policy records.
Marketer from Email Geeks clarifies that subdomains are covered by the top-level domain's DMARC settings. Setting up separate DMARC for subdomains is only necessary if the subdomain's policy differs from the top-level domain.
Email marketer from Postmark discusses using subdomains to isolate sending reputation. This allows you to separate transactional and marketing emails, which can help with deliverability. Each subdomain needs it's own DMARC and DNS setup.
Email marketer from StackExchange details that SPF and DMARC work on the domain that is being checked, and the check does not automatically extend to any subdomains. In general, you will need an SPF and DMARC record for each subdomain.
Marketer from Email Geeks answers the question by stating that the subdomain's `p=` policy takes precedence over the top-level domain's `sp=` policy.
Email marketer from Reddit states it depends on your needs. If subdomains send mail, they need DMARC. If not, you can create a DMARC record to reject mail from those subdomains. Also recommends setting up DMARC for your main domain first before doing subdomains.
Marketer from Email Geeks explains that by default, subdomains inherit the parent domain's DMARC policy unless a specific policy is added to the subdomain.
Email marketer from EasyDMARC explains that if you have subdomains that send emails, you should set up DMARC for each subdomain. This ensures that the emails are authenticated and protected against spoofing and phishing attacks. If a subdomain doesn't send emails, create a DMARC record with a policy of `p=reject`.
What the experts say3Expert opinions
Expert from Spam Resource shares that while the site doesn't explicitly answer the question 'Do I need to set up DMARC for subdomains?', it offers extensive information on DMARC implementation, implying that if subdomains send email, setting up DMARC for them is best practice. It emphasizes the importance of DMARC for brand protection and deliverability across the entire domain ecosystem which include subdomains.
Expert from Word to the Wise does not explicitly answer if you need to set up DMARC for subdomains on the given page, but it provides information on DMARC. It states that for DMARC to work correctly, it needs proper SPF and DKIM to be setup first. Suggesting that to fully protect your brand the implementation would be needed on all subdomains.
Expert from Email Geeks details scenarios when implementing DMARC at the subdomain level makes sense: - When a tool only checks DMARC at the exact subdomain level. - When you don't control the entire domain's DNS or policy. - When using a DNS template and customization is not desired.
What the documentation says3Technical articles
Documentation from DMARC.org shares that DMARC policies apply to subdomains. If a subdomain sends email, it should have its own DMARC record. If a subdomain doesn't send email, create a DMARC record with `p=reject` to prevent spoofing.
Documentation from Microsoft advises that if a subdomain sends email, it must have its own DMARC record. If it doesn't, it is still affected by the parent domain's DMARC record. Also to set up a 'reject' record for all subdomains that do not send email.
Documentation from Google explains that you should add a DMARC record for each subdomain. Without a DMARC record, the subdomain inherits the domain's DMARC policy. This might cause unexpected results if you want to handle email for a subdomain differently. Subdomains that send mail directly should have their own DMARC records. Subdomains that don't send email shouldn't inherit the top-level domain’s DMARC record; instead, they should have a DMARC record with a policy of `p=reject` to indicate that no mail should ever originate from the subdomain.