How does DMARC policy application work with subdomains and CNAME records?

Summary

DMARC policy application to subdomains defaults to inheriting the parent domain's policy, unless a specific subdomain policy (sp=) is defined. DMARC records are TXT records queried via DNS; CNAME records can interfere if improperly configured but can be helpful for applying the same policy across multiple domains. Wildcard CNAMEs are generally discouraged. Tools like MXToolbox interpret DMARC records considering organizational domain policies. The configuration involves defining version, policy, subdomain policy, and reporting. Setting explicit DMARC records for each subdomain and validating the records are highly recommended.

Key findings

  • Default Inheritance: Subdomains inherit the DMARC policy of the parent domain unless specifically overridden.
  • TXT Record Preference: DMARC relies on TXT records; CNAME usage requires careful consideration.
  • CNAME Interference Risk: Improper CNAME configurations can disrupt DMARC validation.
  • Wildcard CNAMEs Discouraged: Wildcard CNAMEs are generally discouraged because of the unpredictable behavior they can introduce.
  • MXToolbox Interpretation: When a CNAME points at a subdomain record that lacks an 'sp=' tag, MXToolbox falls back to the organizational domain's policy.
  • Explicit Subdomain Records: Setting specific DMARC records for each subdomain is recommended.

Key considerations

  • Subdomain Policy Choice: Decide whether to inherit policies or define specific ones for each subdomain.
  • CNAME Configuration Accuracy: Carefully configure CNAME records and ensure they are properly resolving.
  • TXT as Best Practice: Default to using TXT records for DMARC whenever possible.
  • Wildcard Avoidance: Avoid wildcard CNAMEs in DMARC configurations.
  • Validation Importance: Thoroughly validate all DMARC records using available tools.
  • Domain and DNS Access: You must have access to the domain's DNS records to publish a DMARC policy.

What email marketers say
10 Marketer opinions

DMARC policy application to subdomains defaults to inheriting the parent domain's policy unless a specific subdomain policy (sp=) is defined. CNAME records can be used, but with caution, as improper configurations can lead to unexpected behavior or DMARC validation failures. Using TXT records directly is generally recommended. MXToolbox interprets DMARC records with CNAMEs based on organizational domain policies when 'sp=' is absent. While CNAMEs can help manage policies across multiple domains, wildcard CNAMEs are discouraged.

Key opinions

  • Default Inheritance: Subdomains inherit the DMARC policy of the parent domain unless a specific subdomain policy is defined.
  • CNAME Caution: Using CNAME records for DMARC can be problematic and may lead to validation issues.
  • TXT Recommendation: Creating DMARC records using TXT records directly is generally the safest approach.
  • MXToolbox Interpretation: MXToolbox considers organizational domain policies when CNAME redirects to subdomains lacking an 'sp=' tag.
  • CNAME for Multi-Domains: CNAME can be useful when one has multiple domains and wants to apply the same policy to all of them.

Key considerations

  • Subdomain Policies: Explicitly define subdomain policies (using 'sp=' tag) to avoid unintended policy inheritance.
  • CNAME Configuration: Carefully configure CNAME records for DMARC to prevent disruptions in DMARC validation.
  • TXT Simplicity: Consider using TXT records for DMARC to simplify configuration and reduce potential issues.
  • Wildcard Avoidance: Avoid using wildcard CNAMEs with DMARC, as they can lead to unpredictable behavior.
  • Validation Testing: Thoroughly test DMARC configurations, especially those involving CNAME records, to ensure proper validation.

Marketer view

Email marketer from Email Geeks explains that MXToolbox interprets a DMARC record redirecting via CNAME to a subdomain of an organizational domain without an 'sp=' tag as treating the DMARC policy as p=none, based on the organizational domain's policy.

November 2024 - Email Geeks
Marketer view

Email marketer from Easydmarc explains that implementing a CNAME in DMARC is useful when one has multiple domains and wants to apply the same policy to all of them. A single DMARC record can be created and CNAME records created for the rest of the domains to this single DMARC record. You should ensure that the CNAME is set for the DMARC record.

November 2023 - Easydmarc
Marketer view

Email marketer from Email Geeks references MXToolbox documentation indicating DMARC records can be set via CNAME, offering a method to manage DMARC records across multiple domains.

December 2021 - Email Geeks
Marketer view

Email marketer from Reddit shares that if a subdomain doesn't have its own DMARC record, the parent domain's policy applies. Setting an 'sp=' tag in the parent domain explicitly defines the subdomain policy.

August 2024 - Reddit
Marketer view

Email marketer from SparkPost shares that DMARC policies are inherited by subdomains by default, unless a subdomain policy (sp=) is specified. If a subdomain sends email, a specific DMARC record is recommended.

August 2022 - SparkPost
Marketer view

Email marketer from Valimail recommends caution when using CNAME records with DMARC, noting that improper configuration can disrupt DMARC validation. They suggest explicitly setting up a DMARC record for each subdomain.

May 2023 - Valimail
Marketer view

Email marketer from Email Geeks explains that as per DMARC documentation, the DMARC policy is applied to all subdomains by default, unless explicitly stated otherwise or a separate subdomain policy exists.

November 2023 - Email Geeks
Marketer view

Email marketer from WordToTheWise advises against using wildcard CNAMEs with DMARC. Instead of using wildcards, create the DMARC record for each subdomain directly.

April 2024 - WordToTheWise
Marketer view

Email marketer from Mailhardener warns that using CNAME records for DMARC can lead to unexpected behavior. It's better to use a TXT record directly.

September 2023 - Mailhardener
Marketer view

Email marketer from Email Geeks explains that when a CNAME redirects to a subdomain without a DMARC record, the check occurs at the organizational domain level. If that organizational domain has a p=none policy, the sending subdomain is effectively treated as having a p=none policy.

August 2023 - Email Geeks
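The lookup behavior the views above describe (a receiver queries TXT at _dmarc.<domain>, a resolver follows any CNAME on the way, and a subdomain with no usable record falls back to the organizational domain, where 'sp=' wins over 'p='), worked through as an added example that is not from any of the sources quoted on this page. The zone data is constructed, and the organizational-domain helper is a deliberate simplification (last two labels) rather than a Public Suffix List lookup.

```python
# Constructed zone (not real DNS). A resolver chases CNAMEs itself when
# answering a TXT query, so the DMARC logic below only ever sees TXT data.
ZONE = {
    "_dmarc.example.com": {"TXT": "v=DMARC1; p=reject; sp=quarantine; rua=mailto:agg@example.com"},
    "_dmarc.shop.example.com": {"TXT": "v=DMARC1; p=none"},              # explicit subdomain record
    "_dmarc.news.example.com": {"CNAME": "_dmarc.shared.example.net"},   # CNAME to a shared record
    "_dmarc.shared.example.net": {"TXT": "v=DMARC1; p=quarantine"},
    "_dmarc.old.example.com": {"CNAME": "_dmarc.gone.example.com"},      # CNAME to a name with no TXT
    "_dmarc.example.org": {"TXT": "v=DMARC1; p=none"},                   # org domain with no sp= tag
    "_dmarc.mail.example.org": {"CNAME": "_dmarc.other.example.org"},    # dangling CNAME under it
}

def resolve_txt(name, zone=ZONE, depth=0):
    """Simulate a resolver's TXT answer, following up to 8 CNAME hops."""
    rr = zone.get(name)
    if rr is None or depth > 8:
        return None
    if "CNAME" in rr:
        return resolve_txt(rr["CNAME"], zone, depth + 1)
    return rr.get("TXT")

def parse_dmarc(txt):
    """Parse 'tag=value; ...' into a dict, or None if not a DMARC1 record."""
    if txt is None:
        return None
    tags = {}
    for part in txt.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v") == "DMARC1" else None

def org_domain(name):
    # Assumption/simplification: organizational domain = last two labels.
    return ".".join(name.split(".")[-2:])

def effective_policy(from_domain, zone=ZONE):
    """Return (policy, record_name) a receiver applies to mail from from_domain."""
    name = "_dmarc." + from_domain
    rec = parse_dmarc(resolve_txt(name, zone))
    if rec and "p" in rec:
        return rec["p"], name                 # record at the exact domain wins
    org = org_domain(from_domain)
    if org == from_domain:
        return None, None                     # org domain itself has no usable record
    name = "_dmarc." + org
    rec = parse_dmarc(resolve_txt(name, zone))
    if rec is None or "p" not in rec:
        return None, None
    return rec.get("sp", rec["p"]), name      # subdomain: sp= if present, else p=
```

The mail.example.org case reproduces the MXToolbox scenario described above: the CNAME leads nowhere, so the check lands on the organizational domain, whose p=none applies to the subdomain.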

What the experts say
4 Expert opinions

DMARC policy and CNAME interaction is complex. Wildcard CNAMEs are generally discouraged, while using wildcard records for DMARC reporting may work. DMARC directly queries DNS for TXT records, not CNAMEs. Subdomains can have independent DMARC policies, but if absent, the parent domain's policy applies. Explicit DMARC records for each subdomain are recommended.

Key opinions

  • Wildcard CNAMEs Discouraged: Wildcard CNAMEs are generally not a good practice.
  • DMARC and TXT Records: DMARC looks up TXT records directly, not CNAMEs.
  • Wildcard Reporting: Wildcard usage for _report records in DMARC may work effectively.
  • Subdomain Independence: Subdomains can have individual DMARC policies.
  • Policy Inheritance: If a subdomain lacks a DMARC policy, the parent domain's policy is inherited.

Key considerations

  • Avoid Wildcard CNAMEs: Steer clear of using wildcard CNAMEs due to potential complications.
  • Direct TXT Records: Ensure DMARC relies on properly configured TXT records in DNS.
  • Reporting Configuration: Configure appropriate wildcard or explicit records for DMARC reporting.
  • Subdomain Specificity: Determine if subdomains require their own DMARC policies, or if inheritance is sufficient.
  • Explicit Subdomain Records: Consider creating explicit DMARC records for each subdomain to ensure clarity.

Expert view

Expert from Email Geeks states DMARC doesn't directly interact with CNAMEs; it only looks up TXT records in DNS. The DNS returns the record as a text record.

March 2022 - Email Geeks
Expert view

Expert from Email Geeks suggests that wildcard CNAMEs are generally not a good practice and it's better to fix them instead of trying to diagnose issues caused by them.

January 2022 - Email Geeks
Expert view

Expert from Email Geeks shares that they use a wildcard for their _report records for DMARC across all their domains and it works effectively.

October 2023 - Email Geeks
Expert view

Expert from Word to the Wise explains that each subdomain can have its own DMARC policy. If a subdomain does not have a DMARC policy, the parent domain's DMARC policy will apply. They advise setting up specific DMARC records for each individual subdomain.

October 2024 - Word to the Wise

What the documentation says
5 Technical articles

DMARC policies apply to all subdomains by default unless a specific subdomain policy (sp=) is defined. DMARC records are TXT records in DNS and include version, policy, and optional subdomain policies. The DNS is queried for '_dmarc.[domain]' TXT records. CNAME records can interfere if not configured correctly. Implementing DMARC requires access to DNS records to publish the policy.

Key findings

  • Default Subdomain Policy: DMARC applies to all subdomains unless overridden.
  • TXT Record Structure: DMARC records are TXT records with specific tags (v=, p=, sp=).
  • DNS Query: DNS is queried for '_dmarc.[domain]' TXT records.
  • CNAME Interference: CNAME records can disrupt DMARC if improperly configured.
  • DNS Access Required: Implementing DMARC needs access to the DNS zone file.

Key considerations

  • Subdomain Specificity: Decide whether to use the default policy or create specific subdomain policies.
  • Correct Syntax: Use the correct DMARC record syntax, including version and policy tags.
  • CNAME Alternatives: Carefully consider the implications of using CNAME records and explore alternatives.
  • DNS Access: Ensure appropriate access to DNS records.
  • Record Validation: Validate DMARC record syntax and propagation using online tools.

Technical article

Documentation from dmarc.org explains that a DMARC policy applies to all subdomains unless a specific subdomain policy (sp=) is defined. If a subdomain policy is absent, the domain's DMARC policy is inherited.

January 2023 - dmarc.org
Technical article

Documentation from RFC 7489 details the DMARC record lookup process, stating that the DNS is queried for a TXT record named '_dmarc.[domain]'. CNAME records can interfere with this process if not handled correctly.

March 2021 - RFC Editor
Technical article

Documentation from Google Workspace Admin Help explains that a DMARC record is a TXT record in DNS. It should include the version (v=DMARC1) and policy (p=none, quarantine, reject). Subdomain policies are set with the 'sp=' tag.

August 2021 - Google Workspace Admin Help
Technical article

Documentation from Microsoft shows that the syntax for a DMARC record is _dmarc.domain.com TXT "v=DMARC1; p=reject; sp=none; rua=mailto:authaggregate@contoso.com; ruf=mailto:authfailure@contoso.com; rf=afrf; pct=100; ri=86400".

April 2021 - Microsoft
Technical article

Documentation from Cloudflare answers that to implement DMARC, you need access to your domain's DNS records to publish a DMARC policy. This policy indicates how a mail receiver should handle messages from your domain that fail authentication tests. The basic components of the DMARC policy are version, policy, subdomain policy, aggregate reports, and failure reports.

December 2024 - Cloudflare