How do I set up DMARC records for subdomains?

Summary

Setting up DMARC for subdomains involves creating a TXT record named `_dmarc.subdomain.example.com` in the DNS settings for each subdomain. Subdomains inherit the main domain's DMARC policy by default if no specific policy is defined, but you can specify a different policy for each subdomain for tailored email authentication and reporting. It is highly recommended to implement DMARC at the organizational level first. Set the initial DMARC policy to 'p=none' and include the `rua` tag so that you receive reports and can monitor traffic, then gradually move to 'p=quarantine' or 'p=reject' after careful observation and adjustments based on email traffic. Use tools like MXToolbox to verify record configuration. New subdomains should be warmed up with small sending volumes. Ensure the DMARC record is well formed, with correct syntax and placement within the DNS zone, to avoid misconfigurations. Also create an A record pointing to the mail server and configure SPF. Consider using dedicated IP addresses for new subdomains.

Key findings

  • TXT Records: Create separate TXT records for each subdomain in DNS settings, named `_dmarc.subdomain.example.com`.
  • Policy Inheritance: Subdomains inherit the main domain's DMARC policy by default.
  • Organizational DMARC: Implement DMARC at the organizational level first.
  • Monitoring First: Start with a 'p=none' policy for monitoring traffic and reports.
  • Verification Tools: Use tools like MXToolbox to verify record configuration.
  • Warming Up: Warm up new subdomains with small sending volumes.
  • Well-Formed Records: A well-formed record is essential to prevent misconfigurations.

Key considerations

  • Reporting: Include reporting options (`rua` tag) in DMARC records for traffic analysis.
  • Policy Adjustment: Adjust DMARC policies based on monitoring reports.
  • SPF Configuration: Ensure SPF is configured correctly before implementing DMARC.
  • Dedicated IPs: Consider using dedicated IP addresses for new subdomains.
  • A Record: Create an A record pointing to the mail server.
  • Phased Deployment: Implement in phases: 'p=none', then 'p=quarantine', then 'p=reject'.
  • Proper DNS Syntax: Pay close attention to DNS syntax and placement.

What email marketers say
8 Marketer opinions

Setting up DMARC for subdomains involves creating TXT records in the DNS settings for each subdomain, specifying the desired DMARC policy (e.g., p=none, p=quarantine, p=reject) and reporting options. It's generally recommended to first implement DMARC at the organizational level. Initial setup should start with a 'p=none' policy to monitor traffic and reports, then adjust to stricter policies based on the traffic. Tools like MXToolbox can be used to verify record configuration. Warming up new subdomains with small sending volumes is crucial. Ensure an A record points to the correct mail server, and configure SPF before DMARC. Dedicated IP addresses should also be considered for new subdomains.

Key opinions

  • TXT Records: Create separate TXT records for each subdomain in DNS settings.
  • Policy Setting: Start with a 'p=none' policy for monitoring.
  • Organizational DMARC: Implement DMARC at the organizational level first.
  • Verification Tools: Use tools like MXToolbox to verify record configuration.
  • Subdomain Warmup: Warm up new subdomains with small sending volumes.

Key considerations

  • Reporting: Include reporting options in DMARC records for traffic analysis.
  • Policy Adjustment: Adjust DMARC policies based on monitoring reports.
  • SPF Configuration: Ensure SPF is configured correctly before implementing DMARC.
  • Dedicated IPs: Consider using dedicated IP addresses for new subdomains.
  • A Record: The A record must point to the correct mail server.
Marketer view

Email marketer from Gmass shares that if you're setting up new subdomains, you should strongly consider using dedicated IP addresses and properly warming them up as per the guidance of your email service provider.

January 2023 - Gmass
Marketer view

Email marketer from StackOverflow explains that you must create an A record that points to the correct mail server when setting up a new subdomain. SPF must then be configured and tested, followed by DMARC. The DMARC policy should be set to 'none' for initial testing, then quarantine/reject later.

July 2023 - StackOverflow
Marketer view

Email marketer from Valimail shares that to set up DMARC for subdomains, you need to create TXT records for each subdomain in your DNS settings. These records should specify the desired DMARC policy (e.g., p=none, p=quarantine, p=reject) and reporting options (e.g., rua=mailto:your-email@example.com). It's recommended to start with a 'p=none' policy to monitor traffic before moving to stricter policies.

August 2022 - Valimail
Marketer view

Marketer from Email Geeks explains that for DMARC alone, nothing needs to be done unless a different policy than the organizational one is desired for the subdomain. Some providers may want it on the subdomain level. They also suggest updating the DMARC record to include reporting for better monitoring and enforcement.

April 2024 - Email Geeks
Marketer view

Email marketer from EmailOnAcid shares that it's important to warm up new subdomains used for sending email, especially when implementing DMARC. Start with small sending volumes and gradually increase them while monitoring deliverability to build a positive reputation for the subdomain.

September 2024 - EmailOnAcid
Marketer view

Email marketer from EasyDMARC explains that setting up DMARC for subdomains involves creating separate DMARC records for each subdomain. A recommended approach is to first implement DMARC at the organizational level and then define specific policies for subdomains. Monitoring reports are crucial to adjust policies based on email traffic.

November 2021 - EasyDMARC
Marketer view

Email marketer from MXToolbox shares that after setting up DMARC records for subdomains, use tools like MXToolbox's DMARC record lookup to verify that the records are correctly configured and propagating properly. This ensures that the DMARC policy is being applied as intended.

July 2022 - MXToolbox
Marketer view

Email marketer from Reddit explains that you need to add a TXT record to your DNS zone for each subdomain. The name should be `_dmarc.subdomain.example.com`. The value will be the DMARC record itself. Start with `v=DMARC1; p=none;` and add a `rua` tag to receive reports.

August 2022 - Reddit

What the experts say
2 Expert opinions

Setting up DMARC records for subdomains requires careful attention to syntax and placement within the DNS zone to avoid misconfigurations that can harm deliverability. A phased approach to deployment is recommended, starting with monitoring ('p=none'), then testing ('p=quarantine'), and finally enforcing ('p=reject') to carefully observe and adjust email flows.

Key opinions

  • Well-Formed Record: The DMARC record must have correct syntax and DNS placement.
  • Phased Deployment: Implement DMARC in phases for careful observation.

Key considerations

  • Misconfiguration Impact: Misconfigurations can negatively impact email deliverability.
  • Policy Progression: Start with 'p=none', then 'p=quarantine', and finally 'p=reject'.
  • Email Flow Observation: Observe email flows and adjust DMARC settings as needed.
Expert view

Expert from Spam Resource (Steve Linford) emphasizes the importance of a well-formed DMARC record for subdomains, including the correct syntax and placement within the DNS zone. He warns that misconfigurations are common and can negatively impact deliverability.

June 2022 - Spam Resource
Expert view

Expert from Word to the Wise (Laura Atkins) recommends a phased approach to DMARC deployment for subdomains, starting with a 'p=none' policy for monitoring, followed by 'p=quarantine' for testing, and finally 'p=reject' for full enforcement. This strategy allows for careful observation of email flows and adjustments as needed.

July 2022 - Word to the Wise

What the documentation says
4 Technical articles

Setting up DMARC for subdomains involves creating a TXT record in the DNS settings for each subdomain. Subdomains inherit the main domain's DMARC policy by default if a specific policy isn't defined. You can specify a different policy for each subdomain for tailored email authentication, reporting, and stricter rules. DMARC policy queries first check for an exact subdomain match; otherwise, they query for the organizational domain's policy. Testing the DMARC record is vital to ensure correct implementation and policy enforcement.

Key findings

  • TXT Record Creation: Create a TXT record in the DNS settings for each subdomain.
  • Policy Inheritance: Subdomains inherit the main domain's DMARC policy by default.
  • Custom Policies: Specify different DMARC policies for each subdomain.
  • Policy Query Order: DMARC policy queries check for exact subdomain matches first.

Key considerations

  • Tailored Authentication: Subdomain-specific policies allow tailored email authentication.
  • Reporting: Custom policies enable specific reporting for each subdomain.
  • Testing: Test DMARC record implementation to ensure correct policy enforcement.
  • Stricter Rules: Implement stricter DMARC rules for specific subdomains as needed.
Technical article

Documentation from RFC 7489 (the DMARC standard) specifies how subdomains inherit DMARC policies from the organizational domain. It explains that a policy query for a subdomain should first check for an exact match. If there is no match, it should query for the organizational domain's policy. This allows both subdomain-specific and inherited policies.

May 2024 - RFC Editor
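
The lookup order described above, as an added example (not code from RFC 7489 or any of the quoted sources): it checks a record for well-formed syntax and then resolves which policy applies to a subdomain. The `ZONE` contents and function names are constructed for illustration, the organizational domain is passed in rather than derived from the Public Suffix List, and the example goes slightly beyond the page by honouring the `sp` tag, which RFC 7489 defines as the policy an organizational record applies to its subdomains.

```python
# Added example: ZONE is constructed sample data standing in for live DNS TXT lookups.
VALID_POLICIES = {"none", "quarantine", "reject"}

ZONE = {
    "_dmarc.example.com":
        "v=DMARC1; p=reject; sp=quarantine; rua=mailto:dmarc@example.com",
    "_dmarc.news.example.com":
        "v=DMARC1; p=none; rua=mailto:dmarc-news@example.com",
}

def parse_dmarc(txt):
    """Parse a DMARC TXT value into a tag dict; raise ValueError if malformed."""
    tags = []
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate a trailing ';'
        if "=" not in part:
            raise ValueError(f"tag without '=': {part!r}")
        name, value = part.split("=", 1)
        tags.append((name.strip().lower(), value.strip()))
    # The version tag must come first and is case-sensitive.
    if not tags or tags[0] != ("v", "DMARC1"):
        raise ValueError("record must start with v=DMARC1")
    record = dict(tags)
    if "p" not in record:
        raise ValueError("missing required p= tag")
    for key in ("p", "sp"):
        if key in record and record[key].lower() not in VALID_POLICIES:
            raise ValueError(f"invalid {key}= value: {record[key]!r}")
    return record

def effective_policy(from_domain, org_domain, zone=ZONE):
    """Return (policy, record_name, rua) applying to mail from from_domain."""
    exact = f"_dmarc.{from_domain}"
    if exact in zone:  # step 1: exact match on the sending domain
        rec = parse_dmarc(zone[exact])
        return rec["p"].lower(), exact, rec.get("rua")
    fallback = f"_dmarc.{org_domain}"
    if from_domain != org_domain and fallback in zone:
        # step 2: inherit from the organizational domain; sp overrides p
        rec = parse_dmarc(zone[fallback])
        return rec.get("sp", rec["p"]).lower(), fallback, rec.get("rua")
    return None, None, None  # no DMARC policy published

if __name__ == "__main__":
    for domain in ("news.example.com", "billing.example.com", "example.com"):
        print(domain, effective_policy(domain, "example.com"))
```

Note that reports for an inherited policy go to the organizational record's `rua` address, so a subdomain only gets separate reporting once it has its own record.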
Technical article

Documentation from DMARC.org details that subdomains, by default, inherit the DMARC policy of the organizational domain if a specific subdomain policy isn't defined. To implement a specific policy, create a TXT record under '_dmarc.subdomain.yourdomain.com' with the desired DMARC settings. This allows for tailored email authentication and reporting per subdomain.

June 2024 - DMARC.org
Technical article

Documentation from Google Workspace Admin Help explains that a subdomain can have its own DMARC policy, which can be different from the main domain's policy. If a subdomain doesn't have a DMARC record, it inherits the main domain's policy. You can specify a different policy for each subdomain to enforce stricter rules or monitor traffic separately.

September 2021 - Google Workspace Admin Help
Technical article

Documentation from Microsoft indicates that to set up DMARC for a subdomain, you create a TXT record in the DNS settings for the specific subdomain. The record includes the DMARC version, policy, and reporting URI. It is vital to test the DMARC record to ensure correct implementation and policy enforcement.

November 2021 - Microsoft