How does DMARC policy application work with subdomains and CNAME records?
Summary
What email marketers say (10 marketer opinions)
Email marketer from Email Geeks explains that MXToolbox interprets a DMARC record redirecting via CNAME to a subdomain of an organizational domain without an 'sp=' tag as treating the DMARC policy as p=none, based on the organizational domain's policy.
Email marketer from Easydmarc explains that implementing a CNAME in DMARC is useful when one has multiple domains and wants to apply the same policy to all of them. A single DMARC record can be created, and CNAME records created for the rest of the domains pointing to this single DMARC record. You should ensure that the CNAME is set for the _dmarc record.
Email marketer from Email Geeks references MXToolbox documentation indicating DMARC records can be set via CNAME, offering a method to manage DMARC records across multiple domains.
Email marketer from Reddit shares that if a subdomain doesn't have its own DMARC record, the parent domain's policy applies. Setting an 'sp=' tag in the parent domain explicitly defines the subdomain policy.
Email marketer from SparkPost shares that DMARC policies are inherited by subdomains by default, unless a subdomain policy (sp=) is specified. If a subdomain sends email, a specific DMARC record is recommended.
Email marketer from Valimail recommends caution when using CNAME records with DMARC, noting that improper configuration can disrupt DMARC validation. Suggests explicitly setting up a DMARC record for each subdomain.
Email marketer from Email Geeks explains that as per DMARC documentation, the DMARC policy is applied to all subdomains by default, unless explicitly stated otherwise or a separate subdomain policy exists.
Email marketer from WordToTheWise advises against using wildcard CNAMEs with DMARC. Instead of using wildcards, create the DMARC record for each subdomain directly.
Email marketer from Mailhardener warns that using CNAME records for DMARC can lead to unexpected behavior. It's better to use a TXT record directly.
Email marketer from Email Geeks explains that when a CNAME redirects to a subdomain without a DMARC record, the check occurs at the organizational domain level. If that organizational domain has a p=none policy, the sending subdomain is effectively treated as having a p=none policy.
What the experts say (4 expert opinions)
Expert from Email Geeks states DMARC doesn't directly interact with CNAMEs; it only looks up TXT records in DNS. The DNS returns the record as a text record.
Expert from Email Geeks suggests that wildcard CNAMEs are generally not a good practice and it's better to fix them instead of trying to diagnose issues caused by them.
Expert from Email Geeks shares that they use a wildcard for their _report records for DMARC across all their domains and it works effectively.
Expert from Word to the Wise explains that each subdomain can have its own DMARC policy. If a subdomain does not have a DMARC policy, the parent domain's DMARC policy will apply. They advise setting up specific DMARC records for each individual subdomain.
What the documentation says (5 technical articles)
Documentation from dmarc.org explains that a DMARC policy applies to all subdomains unless a specific subdomain policy (sp=) is defined. If a subdomain policy is absent, the domain's DMARC policy is inherited.
Documentation from RFC7489 details the DMARC record lookup process, stating that the DNS is queried for a TXT record named '_dmarc.[domain]'. CNAME records can interfere with this process if not handled correctly.
Documentation from Google Workspace Admin Help explains that a DMARC record is a TXT record in DNS. It should include the version (v=DMARC1) and policy (p=none, quarantine, reject). Subdomain policies are set with the 'sp=' tag.
Documentation from Microsoft shows that the syntax for a DMARC record is _dmarc.domain.com TXT v=DMARC1; p=reject; sp=none; rua=mailto:authaggregate@contoso.com; ruf=mailto:authfailure@contoso.com; rf=afrf100; pct=100; ri=86400
Documentation from Cloudflare answers that to implement DMARC, you need access to your domain's DNS records to publish a DMARC policy. This policy indicates how a mail receiver should handle messages from your domain that fail authentication tests. The basic components of the DMARC policy are version, policy, subdomain policy, aggregate reports, and failure reports.
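As an added example (not code from any of the sources quoted above), here is a small Python model of the RFC 7489 lookup described above: it follows CNAMEs the way a resolver does, then applies the exact-domain record or falls back to the organizational domain, where sp= overrides p= for subdomains. The zone data and the public-suffix set are constructed stand-ins; a real receiver uses live DNS and the Public Suffix List.

```python
# Constructed zone data for this example (not real records). A name maps to
# either ("CNAME", target) or ("TXT", record text).
DNS = {
    "_dmarc.example.com": ("TXT", "v=DMARC1; p=none; rua=mailto:dmarc@example.com"),
    "_dmarc.strict.example.com": ("TXT", "v=DMARC1; p=reject; sp=quarantine"),
    "_dmarc.corp.net": ("TXT", "v=DMARC1; p=reject; sp=none"),
    # CNAME to a subdomain that has no record of its own (the MXToolbox case above)
    "_dmarc.mail.example.com": ("CNAME", "_dmarc.nodmarc.example.com"),
    # CNAME to one shared record, the multi-domain pattern described above
    "_dmarc.other-brand.net": ("CNAME", "_dmarc.shared.example.com"),
    "_dmarc.shared.example.com": ("TXT", "v=DMARC1; p=reject"),
}
# Stand-in for the Public Suffix List, which real receivers use for this step.
PUBLIC_SUFFIXES = {"com", "net", "org"}

def resolve_txt(name, dns=DNS, max_hops=8):
    """Follow CNAMEs like a resolver and return the final TXT text, or None."""
    for _ in range(max_hops):
        rtype, value = dns.get(name.lower(), (None, None))
        if rtype != "CNAME":
            return value  # TXT text, or None when the name does not exist
        name = value      # CNAME: continue the lookup at its target
    raise RuntimeError(f"CNAME chain too long at {name}")

def parse_dmarc(txt):
    """Parse 'k=v; k=v' into a dict; None unless it is a v=DMARC1 record."""
    pairs = (p.split("=", 1) for p in txt.split(";") if "=" in p)
    tags = {k.strip(): v.strip() for k, v in pairs}
    return tags if tags.get("v") == "DMARC1" else None

def organizational_domain(domain):
    """Label just above the public suffix, e.g. a.b.example.com -> example.com."""
    labels = domain.lower().split(".")
    for i in range(len(labels) - 1):
        if ".".join(labels[i + 1:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i:])
    return domain.lower()

def effective_policy(domain, dns=DNS):
    """RFC 7489 section 6.6.3 discovery: exact domain first, then the org domain."""
    rec = parse_dmarc(resolve_txt(f"_dmarc.{domain}", dns) or "")
    if rec and "p" in rec:
        return rec["p"], domain.lower()  # own record: p applies; its sp is for ITS subdomains
    org = organizational_domain(domain)
    if org == domain.lower():
        return None, None                # no record anywhere: DMARC is not applied
    rec = parse_dmarc(resolve_txt(f"_dmarc.{org}", dns) or "")
    if not rec or "p" not in rec:
        return None, None
    return rec.get("sp", rec["p"]), org  # inherited: sp overrides p for subdomains
```

Note that deep.strict.example.com inherits from example.com, not from strict.example.com: discovery only ever consults the exact domain and the organizational domain, so an sp= on an intermediate subdomain does not reach deeper labels.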