Should I add an explicit DMARC record for subdomains?
Summary
What email marketers say (11 marketer opinions)
Email marketer from Email Geeks explains that DMARC, by design, will cause a percentage of legitimate fully aligned messages to not reach inboxes due to recipient-side configurations so they disable it for email marketing, pointing out the financial risks this could pose.
Email marketer from EmailProviderFAQ explains that adding DMARC records to subdomains is important for brand protection. Explicitly defining these policies can prevent spoofing and phishing attacks, enhancing overall security.
Email marketer from Reddit user u/example shares that adding explicit DMARC records for subdomains is a good practice, especially when those subdomains send email. It provides clarity and avoids reliance on the organizational domain's 'sp' policy.
Email marketer from StackExchange user JaneDoe explains that if subdomains have different email streams or require different policies, explicit DMARC records are essential. Otherwise, relying on the organizational domain's policy might suffice, but it's less transparent.
Email marketer from EmailGeekForum explains that while organizational DMARC policies can cover subdomains, maintaining explicit records for each subdomain simplifies management and avoids unintended implications from changes to the main domain's policy.
Email marketer from MXToolbox answers that if you want to protect subdomains that are used for email, you should definitely add DMARC records for them. Not having explicit records leaves subdomains vulnerable to spoofing.
Email marketer from Email Geeks shares they only do this when DMARC is to be disabled for a particular sub-domain because they use it for email marketing or another DMARC unfriendly type mail stream.
Email marketer from Mailhardener explains you need to add a DMARC record on a subdomain when you want to specify a policy that is different from the main domain. It allows you to have more control over each.
Email marketer from Email Geeks agrees with Steve, and shares that they might have thought the organizational domain’s policy’s got it covered but that’s exactly right on implication and maintainability.
Email marketer from EmailSecurityBlog shares that you should add specific DMARC records on subdomains because doing so protects your brand. This can reduce the risk of phishing attacks, enhances email deliverability, and increases trust with recipients.
Email marketer from Email Deliverability Blog answers that implementing DMARC on subdomains improves deliverability by authenticating email sources, preventing spoofing, and enabling consistent email policies across the organization.
What the experts say (4 expert opinions)
Expert from Spam Resource (John Levine) explains that DMARC policies on subdomains work the same way as on top-level domains. You should add an explicit DMARC record on subdomains if you want a policy different from the main domain.
Expert from Email Geeks explains that if a subdomain will be used for mail, it's probably good to add an explicit DMARC record for the subdomain, even if it’s the same as it’d get by inheriting the sp= from the organizational domain.
Expert from Email Geeks shares that the result will be much the same, but it’ll be clearer that the subdomain is intended to do email and has an intentional DMARC policy. Relying on sp= sort of implies that the subdomain isn’t doing mail, really. Probably more maintainable too.
Expert from Word to the Wise (Laura Atkins) explains that subdomains will inherit the DMARC settings and policy (including the sp= setting) if you don't declare a DMARC record for the specific subdomain. You only need to publish one if it is different than your primary.
What the documentation says (4 technical articles)
Documentation from RFC7489 states that the DMARC 'sp' tag in the organizational domain's DMARC record specifies the policy for subdomains. If a subdomain has its own DMARC record, it overrides the 'sp' policy. It will be p=none if an 'sp' tag is not specified.
Documentation from DMARC.org states that subdomains inherit the DMARC policy of the organizational domain via the 'sp' tag, but a subdomain can override this by publishing its own DMARC record. This allows for specific handling of mail streams originating from different subdomains.
Documentation from Google Workspace Admin Help explains that a DMARC policy applies to all subdomains unless a subdomain has its own DMARC record. They advise creating specific DMARC records for subdomains to define explicit policies.
Documentation from Microsoft Learn answers that organizations should implement DMARC for all their sending domains and subdomains. Implementing DMARC will prevent attackers from spoofing your domains and subdomains to send malicious emails.
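The lookup order described in the RFC 7489 and DMARC.org items above, sketched as an added example that is not taken from any of the quoted sources. The `ZONE` records, the `example.*` domains and the caller-supplied `org_domain` argument are assumptions made for illustration; a real evaluator queries DNS and derives the organizational domain from the Public Suffix List.

```python
# Constructed sample data: DNS name -> DMARC TXT record (placeholder domains).
ZONE = {
    "_dmarc.example.com": "v=DMARC1; p=reject; sp=quarantine; rua=mailto:dmarc@example.com",
    "_dmarc.news.example.com": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "_dmarc.example.org": "v=DMARC1; p=reject",
}


def parse_dmarc(txt):
    """Split a TXT record into a tag dict; return None if it is not a DMARC record."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    # The v tag must come first and must be exactly DMARC1.
    if next(iter(tags), None) != "v" or tags["v"] != "DMARC1":
        return None
    return tags


def effective_policy(from_domain, org_domain, zone=ZONE):
    """Return (policy, source) for mail whose From: domain is from_domain.

    Validation of tag values is omitted; the sample records are well-formed.
    """
    from_domain = from_domain.lower().rstrip(".")
    org_domain = org_domain.lower().rstrip(".")

    # 1. A record published at the exact From: domain always wins.
    own = parse_dmarc(zone.get(f"_dmarc.{from_domain}", ""))
    if own:
        return own.get("p"), "own-record"

    # 2. Otherwise only the organizational domain is consulted. Intermediate
    #    labels are never checked, so eu.news.example.com does not inherit
    #    from news.example.com.
    if from_domain != org_domain:
        org = parse_dmarc(zone.get(f"_dmarc.{org_domain}", ""))
        if org:
            if "sp" in org:
                return org["sp"], "org-sp"
            # RFC 7489 section 6.3: with no sp tag, p applies to subdomains.
            return org.get("p"), "org-p"

    return None, "no-record"
```

The `eu.news.example.com` case is the one that most often surprises: the explicit record on `news.example.com` does not cover hosts beneath it, so each mail-sending subdomain needs its own record if it needs its own policy.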