Should I add an explicit DMARC record for subdomains?

Summary

The general consensus among experts, email marketers, and documentation is that adding explicit DMARC records for subdomains is a recommended practice, especially if the subdomain sends email. While subdomains inherit the DMARC policy of the organizational domain via the 'sp' tag, creating explicit records provides increased clarity, better security against spoofing and phishing, and improved maintainability. This explicit approach also allows different policies to be applied to specific subdomains if needed. However, some email marketers intentionally disable DMARC for certain subdomains used for marketing due to concerns that strict DMARC policies might impact deliverability and revenue.

Key findings

  • Enhanced Security: Explicit DMARC records on subdomains help prevent spoofing and phishing attacks, enhancing overall brand security.
  • Improved Clarity and Maintainability: Explicit records make it clearer that a subdomain is intentionally sending email, and an explicitly defined DMARC policy is easier to maintain.
  • Policy Control: Explicit records allow for more granular control and the ability to apply different policies to various subdomains, especially when different mail streams are present.
  • Inheritance: Subdomains inherit the DMARC policy of the organizational domain (via the 'sp' tag) if no explicit record exists.

Key considerations

  • Email Marketing Impact: DMARC might block legitimate email marketing messages, impacting revenue. Disabling DMARC for marketing-specific subdomains might be considered, but this must be balanced with security risks.
  • Administrative Overhead: Adding explicit records for each subdomain increases administrative overhead compared to relying solely on inheritance from the organizational domain.
  • Policy Variance: If subdomains require different DMARC policies from the organizational domain, explicit records are necessary; otherwise, inheritance may suffice but offer less transparency.
  • Mail Stream Handling: Consider the specific handling requirements for different mail streams originating from each subdomain when determining whether to create explicit DMARC records.

What email marketers say
11 marketer opinions

The consensus is that adding explicit DMARC records for subdomains is generally a good practice, especially if those subdomains send email. Explicit DMARC records provide clarity, enhance security by preventing spoofing and phishing attacks, and improve email deliverability. However, some marketers disable DMARC for subdomains used for email marketing due to concerns that DMARC might cause legitimate emails to be blocked, thus impacting revenue. Ultimately, the decision depends on the organization's specific needs and risk tolerance.

Key opinions

  • Enhanced Security: Explicit DMARC records on subdomains protect against spoofing and phishing attacks, bolstering brand security.
  • Improved Deliverability: Implementing DMARC on subdomains authenticates email sources, leading to better email deliverability and consistent policies.
  • Clarity and Control: Explicit records offer clarity and control over subdomain email policies, avoiding reliance solely on the organizational domain's settings.
  • Simplified Management: Maintaining individual DMARC records simplifies management and mitigates unintended implications from changes to the main domain's policy.

Key considerations

  • Email Marketing Impact: DMARC might inadvertently block legitimate email marketing messages, potentially affecting revenue; some disable DMARC for marketing subdomains.
  • Policy Differences: If subdomains require different email policies, explicit DMARC records are essential; otherwise, the organizational policy might suffice but is less transparent.
  • Risk Tolerance: The decision to implement DMARC on subdomains depends on the organization's risk tolerance and the potential trade-off between security and deliverability.

Marketer view

Email marketer from Email Geeks explains that DMARC, by design, will cause a percentage of legitimate, fully aligned messages to not reach inboxes due to recipient-side configurations, so they disable it for email marketing, pointing out the financial risks this could pose.

February 2022 - Email Geeks
Marketer view

Email marketer from EmailProviderFAQ explains that adding DMARC records to subdomains is important for brand protection. Explicitly defining these policies can prevent spoofing and phishing attacks, enhancing overall security.

May 2022 - EmailProviderFAQ
Marketer view

Email marketer from Reddit user u/example shares that adding explicit DMARC records for subdomains is a good practice, especially when those subdomains send email. It provides clarity and avoids reliance on the organizational domain's 'sp' policy.

October 2022 - Reddit
Marketer view

Email marketer from StackExchange user JaneDoe explains that if subdomains have different email streams or require different policies, explicit DMARC records are essential. Otherwise, relying on the organizational domain's policy might suffice, but it's less transparent.

October 2021 - StackExchange
Marketer view

Email marketer from EmailGeekForum explains that while organizational DMARC policies can cover subdomains, maintaining explicit records for each subdomain simplifies management and avoids unintended implications from changes to the main domain's policy.

July 2023 - EmailGeekForum
Marketer view

Email marketer from MXToolbox answers that if you want to protect subdomains that are used for email, you should definitely add DMARC records for them. Not having explicit records leaves subdomains vulnerable to spoofing.

December 2023 - MXToolbox
Marketer view

Email marketer from Email Geeks shares that they only do this when DMARC is to be disabled for a particular sub-domain because they use it for email marketing or another DMARC-unfriendly type of mail stream.

June 2023 - Email Geeks
Marketer view

Email marketer from Mailhardener explains you need to add a DMARC record on a subdomain when you want to specify a policy that is different from the main domain. It allows you to have more control over each.

January 2022 - Mailhardener Blog
Marketer view

Email marketer from Email Geeks agrees with Steve, and shares that they might have thought the organizational domain’s policy’s got it covered, but that’s exactly right on implication and maintainability.

July 2023 - Email Geeks
Marketer view

Email marketer from EmailSecurityBlog shares that you should add specific DMARC records on subdomains because doing so protects your brand. This can reduce the risk of phishing attacks, enhance email deliverability, and increase trust with recipients.

May 2024 - EmailSecurityBlog
Marketer view

Email marketer from Email Deliverability Blog answers that implementing DMARC on subdomains improves deliverability by authenticating email sources, preventing spoofing, and enabling consistent email policies across the organization.

July 2021 - Email Deliverability Blog

What the experts say
4 expert opinions

Experts generally recommend adding explicit DMARC records for subdomains that send mail, even if the policy is the same as the organizational domain. This makes the intent clearer and improves maintainability. Subdomains inherit the organizational DMARC policy (specifically the `sp=` setting) if no explicit record exists, so creating a subdomain record is primarily necessary when a subdomain requires a policy different from the primary domain.

Key opinions

  • Clarity of Intent: Explicit DMARC records clarify that a subdomain is intentionally sending email and has a defined DMARC policy, as opposed to implicitly relying on the organizational domain's `sp=` policy.
  • Maintainability: Explicit records improve maintainability, making it easier to manage DMARC policies for individual subdomains.
  • Inheritance: Subdomains inherit the organizational DMARC policy if no explicit record exists.

Key considerations

  • Policy Differences: Explicit records are necessary only when a subdomain requires a DMARC policy that differs from the organizational domain.
  • Administrative Overhead: While beneficial, adding explicit records increases administrative overhead compared to relying on inheritance.

Expert view

Expert from Spam Resource (John Levine) explains that DMARC policies on subdomains work the same way as on top-level domains. You should add an explicit DMARC record on subdomains if you want a policy different from the main domain.

April 2024 - Spam Resource
Expert view

Expert from Email Geeks explains that if a subdomain will be used for mail, it's probably good to add an explicit DMARC record for the subdomain, even if it’s the same as it’d get by inheriting the sp= from the organizational domain.

December 2023 - Email Geeks
Expert view

Expert from Email Geeks shares that the result will be much the same, but it’ll be clearer that the subdomain is intended to do email and has an intentional DMARC policy. Relying on sp= sort of implies that the subdomain isn’t doing mail, really. Probably more maintainable too.

May 2023 - Email Geeks
Expert view

Expert from Word to the Wise (Laura Atkins) explains that subdomains will inherit the DMARC settings and policy (including the sp= setting) if you don't declare a DMARC record for the specific subdomain. You only need to publish one if it is different than your primary.

December 2024 - Word to the Wise

What the documentation says
4 technical articles

Technical documentation from Google, Microsoft, DMARC.org, and RFC 7489 indicates that while DMARC policies apply to all subdomains by default, it is best practice to implement explicit DMARC records for each subdomain. Subdomains inherit the DMARC policy of the organizational domain via the 'sp' tag. Publishing a DMARC record on the subdomain overrides this inherited policy and allows for specific handling of mail streams. Implementing DMARC across all subdomains helps prevent spoofing and malicious emails.
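The lookup order described above, as an added example (not code from any of the cited sources): a receiver uses the subdomain's own record if one exists, otherwise the organizational domain's 'sp' tag, and, per RFC 7489 section 6.3, the organizational 'p' tag when 'sp' is absent. The zone contents, the example.com / example.org names and the function names are constructed for illustration, and the organizational domain is passed in rather than derived from the Public Suffix List.

```python
# Constructed TXT records (placeholders, not real published policies).
ZONE = {
    "_dmarc.example.com": "v=DMARC1; p=reject; sp=quarantine; rua=mailto:dmarc@example.com",
    # Explicit record on a marketing subdomain that relaxes the policy.
    "_dmarc.news.example.com": "v=DMARC1; p=none",
    # Organizational record with no sp tag.
    "_dmarc.example.org": "v=DMARC1; p=reject",
}


def parse_dmarc(txt):
    """Split a DMARC TXT record into a tag dict; None if it is not usable.

    Records without a p tag are ignored here for brevity.
    """
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return None
    return tags


def effective_policy(from_domain, org_domain, zone=ZONE):
    """Return (policy, source) a receiver would apply to mail from from_domain.

    org_domain is an assumption supplied by the caller; real receivers
    derive it from the Public Suffix List.
    """
    own = parse_dmarc(zone.get(f"_dmarc.{from_domain}", ""))
    if own:
        return own["p"], "explicit record"
    if from_domain == org_domain:
        return None, "no record"
    org = parse_dmarc(zone.get(f"_dmarc.{org_domain}", ""))
    if not org:
        return None, "no record"
    if "sp" in org:
        return org["sp"], "inherited sp"
    return org["p"], "inherited p (no sp tag)"


if __name__ == "__main__":
    for name, org in [("news.example.com", "example.com"),
                      ("billing.example.com", "example.com"),
                      ("mail.example.org", "example.org")]:
        print(name, effective_policy(name, org))
```

Running the same function over every subdomain that sends mail shows which ones are covered only by inheritance and would change policy if the organizational record were edited.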

Key findings

  • Inheritance: Subdomains inherit the DMARC policy of the organizational domain through the 'sp' tag if they lack their own DMARC record.
  • Overriding Policies: A subdomain can override the inherited DMARC policy by publishing its own DMARC record.
  • Spoofing Prevention: Implementing DMARC across all domains and subdomains helps prevent attackers from spoofing your domains to send malicious emails.
  • Explicit Definition: Creating specific DMARC records for subdomains allows for explicitly defining email policies for each subdomain.

Key considerations

  • Mail Stream Handling: Consider specific handling requirements for mail streams originating from different subdomains when deciding whether to override inherited policies.
  • Default Policy: If a subdomain lacks a DMARC record and no 'sp' tag is specified in the organizational record, the effective policy defaults to p=none.

Technical article

Documentation from RFC 7489 states that the DMARC 'sp' tag in the organizational domain's DMARC record specifies the policy for subdomains. If a subdomain has its own DMARC record, it overrides the 'sp' policy. It will be p=none if an 'sp' tag is not specified.

January 2022 - RFC Editor
Technical article

Documentation from DMARC.org states that subdomains inherit the DMARC policy of the organizational domain via the 'sp' tag, but a subdomain can override this by publishing its own DMARC record. This allows for specific handling of mail streams originating from different subdomains.

September 2024 - DMARC.org
Technical article

Documentation from Google Workspace Admin Help explains that a DMARC policy applies to all subdomains unless a subdomain has its own DMARC record. They advise creating specific DMARC records for subdomains to define explicit policies.

April 2024 - Google Workspace Admin Help
Technical article

Documentation from Microsoft Learn answers that organizations should implement DMARC for all their sending domains and subdomains. Implementing DMARC will prevent attackers from spoofing your domains and subdomains to send malicious emails.

April 2024 - Microsoft Learn