How do DMARC policies and RUA/RUF settings inherit or override each other between a domain and its subdomains?
Summary
What email marketers say4Marketer opinions
Email marketer from EmailSecurity Blog details how a DMARC record on a subdomain takes precedence over the domain's policy. If the subdomain lacks its own record, the domain's DMARC policy is applied. The same inheritance and override apply for RUA and RUF settings.
Email marketer from MXToolbox explains that if a subdomain has a specific DMARC record set, it will use that. Otherwise, it inherits from the main domain. The rua and ruf addresses would also follow this setup; a specified rua on a subdomain DMARC would only provide reports for that subdomain.
Email marketer from StackExchange explains that explicit subdomain DMARC policies override the parent domain policy, while missing policies result in inheritance from the parent domain. Subdomain rua/ruf settings similarly follow this pattern.
Email marketer from Reddit shares that a subdomain can have its own DMARC record to define its own policy. If no record exists, it inherits from the primary domain. They also point out that rua/ruf settings function the same way.
What the experts say4Expert opinions
Expert from Word to the Wise answers that if a subdomain has a DMARC record that record will be used. If a subdomain does not have its own DMARC record it will inherit the DMARC record from the domain. The RUA and RUF reports will be sent according to the record being used for the subdomain. A record on the subdomain will mean the reports will only be for that subdomain.
Expert from Email Geeks explains that a DMARC policy appearing on a subdomain will override the organizational domain policy.
Expert from Email Geeks explains that you can set a different DMARC policy for a domain and its subdomains.
Expert from Email Geeks clarifies that while each DMARC record acts independently, subdomains without records will inherit the record from the parent domain.
What the documentation says4Technical articles
Documentation from Google Workspace Admin Help explains that a DMARC policy for a subdomain can override the policy of the parent domain. If a subdomain does not have its own DMARC record, it inherits the DMARC policy of the parent domain.
Documentation from RFC7489 describes the interaction between organizational domains and subdomains within the context of DMARC. Specifically, it outlines how policy discovery and inheritance work. If a subdomain has a DMARC record it will be used otherwise the policy of the top level organizational domain will be inherited.
Documentation from DMARC.org shares that subdomains inherit the DMARC policy from the organizational domain if they do not have their own DMARC record. This inheritance ensures that subdomains are also protected by DMARC.
Documentation from Microsoft Learn explains that if a subdomain has its own DMARC record, it overrides the parent domain's DMARC policy. Otherwise, the subdomain inherits the DMARC policy from the parent domain.