How do DMARC records on subdomains override root domain DMARC policies?

Summary

DMARC records on subdomains override root domain DMARC policies because email receivers prioritize the most specific record. If a subdomain has its own DMARC record, it's used for authentication and reporting, overriding the parent domain's policy. This enables tailored email authentication strategies for different parts of a domain. If a subdomain lacks a DMARC record, it might inherit the root domain's policy or default to receiver handling.

Key findings

  • Override: Subdomain DMARC records take precedence over root domain DMARC records when present.
  • Specificity: Receiving servers prioritize the most specific DMARC record.
  • Tailored Policies: Subdomains can have distinct DMARC policies for granular control.
  • Organizational Control: DMARC enables different policies for various parts of an organization's domain.

Key considerations

  • Record Existence: If a subdomain lacks a DMARC record, behavior depends on receiver implementation; it may inherit the root's policy.
  • Policy Tailoring: Ensure DMARC policies are tailored to each subdomain's needs and security requirements.
  • Hierarchical Approach: Understand the hierarchical nature of DMARC evaluation, with subdomain records being checked first.
  • Authentication Strategy: Tailored email authentication strategies can be applied on a per-subdomain basis.

What email marketers say
9 marketer opinions

A DMARC record on a subdomain overrides the DMARC policy set at the root domain level. This is because email receivers prioritize the most specific DMARC record available, and a subdomain record is considered more specific than the root domain record. This allows for tailored email authentication policies for different parts of a domain, enabling more granular control and flexibility.

Key opinions

  • Override: Subdomain DMARC records always take precedence over root domain records.
  • Specificity: Email receivers prioritize the most specific DMARC record, leading them to choose subdomain records when present.
  • Granular Control: Subdomains can have distinct DMARC policies, offering finer control over email authentication strategies.

Key considerations

  • Policy Tailoring: Organizations should tailor DMARC policies on subdomains to meet specific needs and security requirements.
  • Record Existence: If a subdomain lacks a DMARC record, it may inherit the root domain's policy or default to the receiver's handling, depending on the circumstances.
  • Authentication Strategy: Subdomain-specific DMARC records allow for implementing diverse authentication strategies for different parts of the domain.

Marketer view

Email marketer from emailsecurityfaq.com explains that a DMARC policy on a subdomain overrides the root domain’s policy. This allows different policies for different parts of a domain, providing more granular control over email authentication.

August 2024 - emailsecurityfaq.com
Marketer view

Email marketer from quora.com mentions that DMARC policies are inherited by subdomains unless a specific DMARC record is defined for the subdomain. If a subdomain has its own DMARC record, it overrides the parent domain’s policy.

January 2023 - quora.com
Marketer view

Email marketer from reddit.com shares that if you set a DMARC record on the main domain with `sp=reject`, and a subdomain has its own DMARC record without `sp=reject`, the subdomain's policy will be enforced for emails originating from that subdomain. The root domain's `sp=reject` is overridden.

February 2023 - reddit.com
Marketer view

Email marketer from cloudflare.com shares that a DMARC record on the subdomain overrides the settings in the parent domain.

May 2024 - cloudflare.com
Marketer view

Email marketer from stackoverflow.com comments that during a DMARC check, the receiving server looks for the most specific DMARC record. If a subdomain has its own DMARC record, it uses that. Otherwise, it checks the parent domain. Thus, a subdomain DMARC record always overrides the root domain.

March 2025 - stackoverflow.com
Marketer view

Email marketer from mxtoolbox.com shares that if a subdomain has a DMARC record, the mail server will follow that policy. If not, it defaults to the parent domain’s policy. This means subdomains can have stricter or more relaxed DMARC settings than the main domain.

March 2023 - mxtoolbox.com
Marketer view

Email marketer from postmarkapp.com shares that a DMARC record published on a subdomain overrides any inherited policy from a parent domain. This allows for tailored email authentication strategies for different subdomains.

June 2022 - postmarkapp.com
Marketer view

Marketer from Email Geeks explains that the subdomain’s DMARC record will override the root domain one.

August 2024 - Email Geeks
Marketer view

Email marketer from emailgeeksforum.com explains that when a subdomain has its own DMARC record, this record is used in preference to the parent domain's record. This ensures that email authentication is handled specifically for each subdomain.

June 2021 - emailgeeksforum.com

What the experts say
3 expert opinions

DMARC policy application prioritizes the most specific record. If a subdomain has its own DMARC record, it overrides the root domain's policy, allowing for different rules for different parts of the domain. Email receivers check for a DMARC record at the 'From:' domain, and if not found, then they look at the organizational domain. Only two records are considered in this process.

Key opinions

  • Override: Subdomain DMARC records override root domain policies when they exist.
  • Specificity: Email receivers look for the most specific DMARC record, i.e., the subdomain record.
  • Domain Hierarchy: The 'From:' domain is checked first, followed by the organizational domain if no record is found.

Key considerations

  • Subdomain Rules: Implement specific DMARC rules for subdomains to tailor email authentication strategies.
  • Policy Tailoring: Tailor policies for each subdomain to address their specific needs and security concerns.
  • Record Existence: Ensure that subdomains have their own DMARC records if different policies are desired than the root domain.

Expert view

Expert from SpamResource explains that if a subdomain has its own DMARC record, it will override the DMARC policy of the root domain. This is because email receivers will look for the most specific DMARC record applicable to the sending domain, and a subdomain record is more specific than a root domain record.

July 2024 - SpamResource
Expert view

Expert from Email Geeks shares that if the domain in the From: header has a DMARC record, that record applies. If not, then the sp= (or p= if there’s no sp=) in the DMARC record at the organizational domain applies. You never look at more than two records: the one in the From: domain and the organizational domain, not anything in between.

August 2024 - Email Geeks
Expert view

Expert from Word to the Wise explains that having a DMARC record specifically for a subdomain overrides the root domain's DMARC policy for that subdomain. This enables distinct policies for different parts of the overall domain structure.

March 2023 - Word to the Wise
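
The two-lookup discovery described in the expert views above, as an added example that is not taken from any of the quoted sources. The zone contents, the shortened public suffix set and the function names are constructed for illustration; a real receiver queries DNS and uses the full Public Suffix List.

```python
# Added example: DMARC policy discovery over a constructed zone (no real DNS).
# CONSTRUCTED sample data: TXT records keyed by DNS name.
ZONE = {
    "_dmarc.example.com": "v=DMARC1; p=none; sp=reject",
    "_dmarc.news.example.com": "v=DMARC1; p=quarantine",
    "_dmarc.b.example.com": "v=DMARC1; p=reject",  # intermediate level
    "_dmarc.example.co.uk": "v=DMARC1; p=quarantine",
}
# CONSTRUCTED stand-in for the Public Suffix List.
PUBLIC_SUFFIXES = {"com", "co.uk", "uk"}


def parse_tags(record):
    """Split 'v=DMARC1; p=none; sp=reject' into a dict; None if not DMARC."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v") == "DMARC1" and "p" in tags else None


def organizational_domain(domain):
    """Longest matching public suffix plus one more label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels)


def discover_policy(from_domain, zone=ZONE):
    """Return (record name used, policy applied) for a From: header domain."""
    from_domain = from_domain.lower().rstrip(".")
    org = organizational_domain(from_domain)
    # Lookup 1: the exact From: domain. If a record exists, its p= applies
    # and the organizational domain's sp= is never consulted.
    tags = parse_tags(zone.get("_dmarc." + from_domain, ""))
    if tags:
        return "_dmarc." + from_domain, tags["p"]
    # Lookup 2: the organizational domain only, never the levels in between.
    # Its sp= applies to the subdomain, or p= when no sp= is published.
    if org != from_domain:
        tags = parse_tags(zone.get("_dmarc." + org, ""))
        if tags:
            return "_dmarc." + org, tags.get("sp", tags["p"])
    return None, None  # no DMARC policy published
```

With this zone, mail from a.b.example.com is evaluated against the sp=reject at example.com, because the record at b.example.com is neither the From: domain nor the organizational domain.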

What the documentation says
6 technical articles

DMARC records on subdomains override the parent domain's DMARC policy for that specific subdomain because the evaluation process follows a hierarchical approach, checking for the most specific record first. If a subdomain has its own DMARC record, it's used for email authentication and reporting, and the root domain's `sp` tag doesn't apply. If a subdomain lacks a DMARC record, it may inherit the root domain's policy.

Key findings

  • Override: A subdomain DMARC record takes precedence over the root domain's policy for that subdomain.
  • Hierarchical Evaluation: DMARC evaluation checks for the most specific record first (subdomain), then moves up to the organizational domain.
  • Subdomain Independence: If a subdomain has a DMARC record, it does not inherit or require a parent domain record.

Key considerations

  • Policy Management: Using subdomain DMARC records is a common way to manage email authentication differently across an organization.
  • Specific Policies: Domain owners can use subdomain DMARC records to subject subdomains to different policies.
  • DMARC Mechanism: DMARC provides a mechanism for specifying policies that apply to subdomains, overriding parent domain policies.

Technical article

Documentation from support.google.com explains that DMARC policies work hierarchically. A subdomain's DMARC record will take precedence over the root domain's record for that subdomain's email traffic. If a subdomain doesn't have a DMARC record, it inherits the root domain's policy.

June 2021 - support.google.com
Technical article

Documentation from rfc-editor.org states that DMARC provides a mechanism for domain owners to indicate that subdomains should be subject to different policies, and a receiving server will use the most specific policy available, effectively overriding parent domain policies.

July 2023 - rfc-editor.org
Technical article

Documentation from authsmtp.com explains that if a subdomain has a DMARC record, then that is the record used to determine how email authentication and reporting happen for that domain. It does not inherit or require a parent domain record.

September 2024 - authsmtp.com
Technical article

Documentation from easydmarc.com clarifies that a DMARC policy applied to a subdomain will take precedence over the root domain’s DMARC policy. This is a common way to manage email authentication differently for various parts of your organization.

November 2024 - easydmarc.com
Technical article

Documentation from valimail.com notes that DMARC evaluation follows a hierarchical approach. The system checks for a DMARC record on the specific domain sending the email first. If found, that record is used. If not, it moves up to the organizational domain as defined by the Public Suffix List (PSL).

October 2022 - valimail.com
Technical article

Documentation from dmarcly.com explains that a DMARC record on a subdomain overrides the parent domain's DMARC policy for that specific subdomain. This means that if a subdomain has its own DMARC record, the root domain's `sp` (subdomain policy) tag will not apply.

February 2022 - dmarcly.com