How do DMARC records on subdomains override root domain DMARC policies?
Summary
What email marketers say
9 marketer opinions
Email marketer from emailsecurityfaq.com explains that a DMARC policy on a subdomain overrides the root domain’s policy. This allows different policies for different parts of a domain, providing more granular control over email authentication.
Email marketer from quora.com mentions that DMARC policies are inherited by subdomains unless a specific DMARC record is defined for the subdomain. If a subdomain has its own DMARC record, it overrides the parent domain’s policy.
Email marketer from reddit.com shares that if you set a DMARC record on the main domain with `sp=reject`, and a subdomain has its own DMARC record without `sp=reject`, the subdomain's policy will be enforced for emails originating from that subdomain. The root domain's `sp=reject` is overridden.
Email marketer from cloudflare.com shares that a DMARC record on the subdomain overrides the settings in the parent domain.
Email marketer from stackoverflow.com comments that during a DMARC check, the receiving server looks for the most specific DMARC record. If a subdomain has its own DMARC record, it uses that. Otherwise, it checks the parent domain. Thus, a subdomain DMARC record always overrides the root domain.
Email marketer from mxtoolbox.com shares that if a subdomain has a DMARC record, the mail server will follow that policy. If not, it defaults to the parent domain’s policy. This means subdomains can have stricter or more relaxed DMARC settings than the main domain.
Email marketer from postmarkapp.com shares that a DMARC record published on a subdomain overrides any inherited policy from a parent domain. This allows for tailored email authentication strategies for different subdomains.
Marketer from Email Geeks explains that the subdomain’s DMARC record will override the root domain one.
Email marketer from emailgeeksforum.com explains that when a subdomain has its own DMARC record, this record is used in preference to the parent domain's record. This ensures that email authentication is handled specifically for each subdomain.
What the experts say
3 expert opinions
Expert from SpamResource explains that if a subdomain has its own DMARC record, it will override the DMARC policy of the root domain. This is because email receivers will look for the most specific DMARC record applicable to the sending domain, and a subdomain record is more specific than a root domain record.
Expert from Email Geeks shares that if the domain in the From: header has a DMARC record, that applies. If not, then the sp= (or p= if there’s no sp=) in the DMARC record at the organizational domain applies. You never look at more than two records: the one in the From: domain and the organizational domain, not anything in between.
Expert from Word to the Wise explains that having a DMARC record specifically for a subdomain overrides the root domain's DMARC policy for that subdomain. This enables distinct policies for different parts of the overall domain structure.
What the documentation says
6 technical articles
Documentation from support.google.com explains that DMARC policies work hierarchically. A subdomain's DMARC record will take precedence over the root domain's record for that subdomain's email traffic. If a subdomain doesn't have a DMARC record, it inherits the root domain's policy.
Documentation from rfc-editor.org states that DMARC provides a mechanism for domain owners to indicate that subdomains should be subject to different policies, and a receiving server will use the most specific policy available, effectively overriding parent domain policies.
Documentation from authsmtp.com explains that if a subdomain has a DMARC record, then that is the record used to determine how email authentication and reporting happen for that domain. It does not inherit or require a parent domain record.
Documentation from easydmarc.com clarifies that a DMARC policy applied to a subdomain will take precedence over the root domain’s DMARC policy. This is a common way to manage email authentication differently for various parts of your organization.
Documentation from valimail.com notes that DMARC evaluation follows a hierarchical approach. The system checks for a DMARC record on the specific domain sending the email first. If found, that record is used. If not, it moves up to the organizational domain as defined by the Public Suffix List (PSL).
Documentation from dmarcly.com explains that a DMARC record on a subdomain overrides the parent domain's DMARC policy for that specific subdomain. This means that if a subdomain has its own DMARC record, the root domain's `sp` (subdomain policy) tag will not apply.
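The two-record lookup described above (the From: domain first, then the organizational domain's `sp=` or `p=`), as an added Python example that is not taken from any of the quoted sources. The TXT records, the `PUBLIC_SUFFIXES` stand-in for the Public Suffix List, and all function names are constructed for illustration.

```python
# Constructed sample data: _dmarc TXT records keyed by DNS owner name.
TXT = {
    "_dmarc.example.com": "v=DMARC1; p=none; sp=reject",
    "_dmarc.news.example.com": "v=DMARC1; p=quarantine",
    "_dmarc.b.example.com": "v=DMARC1; p=none",
}
# Assumption: a tiny stand-in for the Public Suffix List.
PUBLIC_SUFFIXES = {"com", "co.uk"}


def parse_tags(record):
    """Split 'v=DMARC1; p=none; sp=reject' into a tag dictionary."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    return tags


def organizational_domain(domain):
    """Longest matching public suffix plus one label to its left."""
    labels = domain.split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return domain


def lookup(domain, txt):
    record = txt.get("_dmarc." + domain, "").strip()
    return parse_tags(record) if record.startswith("v=DMARC1") else None


def effective_policy(from_domain, txt=TXT):
    """Return (domain whose record was used, policy that applies)."""
    from_domain = from_domain.lower().rstrip(".")
    tags = lookup(from_domain, txt)
    if tags:  # a record at the From: domain wins; its own p= applies
        return from_domain, tags.get("p")
    org = organizational_domain(from_domain)
    tags = lookup(org, txt) if org != from_domain else None
    if tags:  # fallback: sp= of the organizational domain, else its p=
        return org, tags.get("sp", tags.get("p"))
    return None, None  # no DMARC policy published
```

With this sample data, `a.b.example.com` resolves to the organizational domain's `sp=reject` even though `b.example.com` publishes its own record, because intermediate levels are never consulted.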