What is the best DMARC, DKIM, and SPF setup for marketing and transactional emails sent from different subdomains?
Summary
What email marketers say
11 marketer opinions
Email marketer from SendGrid explains that one of the keys to improving deliverability is to monitor bounce rates so that you can handle these bounces efficiently. They also recommend reviewing your IP address's reputation and ensuring you're following best practices.
Email marketer from Email Geeks explains that SPF is checked against the return path, and the only way to achieve alignment is to have the return path in the same organizational domain as the 'from' domain.
Email marketer from Reddit notes that SPF records have a lookup limit of 10, and exceeding this limit can cause SPF validation failures. They suggest flattening SPF records or using a subdomain to avoid exceeding the limit.
Email marketer from Email Geeks explains that subdomains inherit the DMARC policy of the main domain unless an explicit DMARC record is published for the subdomains.
Email marketer from StackOverflow suggests using different DKIM selectors for each subdomain. This allows you to easily identify which subdomain the email was sent from and simplifies key rotation.
Email marketer from Mailjet shares that separating marketing and transactional emails on different subdomains helps maintain reputation. They advise setting up specific SPF, DKIM, and DMARC records for each subdomain to ensure proper authentication.
Email marketer from Postmark advises starting with a DMARC policy of 'p=none' to monitor email streams and identify any authentication issues. Once confident, the policy can be gradually increased to 'p=quarantine' or 'p=reject'.
Email marketer from Reddit recommends creating separate subdomains for cold email campaigns. They state that the separation will help prevent damage to the main domain if the cold emails receive low open rates or high bounce rates.
Email marketer from Email on Acid explains that by delegating your subdomains to ESPs you can avoid SPF issues and still have different email addresses that you send your mail from. They state that having everything in one SPF may lead to hitting the maximum DNS lookup limit.
Email marketer from SparkPost explains that to achieve SPF alignment, the domain in the 'Return-Path' (also known as the 'envelope from' address) must match the domain in the 'From' header. This can be achieved by using a subdomain and configuring SPF to authorize sending from that subdomain.
Email marketer from ZeroBounce recommends setting up DMARC to prevent phishing attacks and other forms of email spoofing. They stress the importance of protecting your brand's reputation, and state that you should monitor your DMARC reports to identify any suspicious activity.
What the experts say
4 expert opinions
Expert from Word to the Wise emphasizes the importance of monitoring DMARC reports to identify potential issues with email authentication. They recommend analyzing the reports to understand where your emails are originating from and to identify any unauthorized senders.
Expert from Spam Resource explains that using subdomains for different email types (marketing vs. transactional) allows you to isolate reputation. If your marketing emails have deliverability issues, it won't affect your transactional emails.
Expert from Email Geeks explains the need to publish SPF for the exact domain present in your return path.
Expert from Email Geeks shares that if using a custom domain for SPF, you should have a specific record for that domain and remove the ESP include from your main domain. If using the ESP domain for SPF, remove the ESP include from the main domain.
What the documentation says
5 technical articles
Documentation from Cloudflare explains that in order to properly set up SPF, DKIM and DMARC for subdomains, you must also properly configure the DNS records to ensure you are authenticating the emails correctly. It recommends thoroughly testing to ensure that the setup is proper.
Documentation from Amazon AWS shares that in order to properly set up DKIM, each email sending source must have its own individual DKIM record set up to avoid any authentication errors. AWS recommends using a 2048-bit key length for all DKIM signatures.
Documentation from DMARC.org explains that subdomains inherit the DMARC policy from the organizational domain unless a specific DMARC record is published for the subdomain. The 'sp' tag can be used to set a specific policy for subdomains.
Documentation from Google Workspace Admin Help explains that when sending mail from multiple domains, ensure your SPF record includes all sending sources for each domain. It recommends using include: statements to reference the SPF records of third-party senders.
Documentation from Microsoft Learn states that SPF records should be created for each domain and subdomain that sends email. This ensures that each sending source is properly authenticated.
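The DMARC inheritance rule (a subdomain's own record, otherwise the organizational domain's 'sp', otherwise its 'p') and the 10-lookup SPF limit mentioned above, worked through as an added example that is not taken from any of the quoted sources. Every domain name and record is a constructed placeholder, the organizational domain is passed in by hand rather than derived from the Public Suffix List, and the SPF figure is the worst case with every include followed.

```python
# Constructed sample TXT records; every name here is a placeholder.
ZONE = {
    "_dmarc.example.com": "v=DMARC1; p=reject; sp=quarantine; rua=mailto:d@example.com",
    "_dmarc.news.example.com": "v=DMARC1; p=none; rua=mailto:d@example.com",
    # One SPF record per return-path subdomain, listing only that stream's sender.
    "bounce.mail.example.com": "v=spf1 include:esp-a.example -all",
    "bounce.news.example.com": "v=spf1 include:esp-b.example -all",
    # Anti-pattern: every sender piled into the organizational domain's record.
    "example.com": "v=spf1 mx include:esp-a.example include:esp-b.example "
                   "include:esp-c.example -all",
    "esp-a.example": "v=spf1 ip4:198.51.100.0/24 -all",
    "esp-b.example": "v=spf1 include:p1.esp-b.example include:p2.esp-b.example -all",
    "esp-c.example": "v=spf1 a mx " + " ".join(
        f"include:p{i}.esp-c.example" for i in range(1, 5)) + " -all",
}
# Leaf pools contain only ip4 ranges, so they add no further lookups.
ZONE.update({f"p{i}.esp-{e}.example": "v=spf1 ip4:192.0.2.0/24 -all"
             for e in "bc" for i in range(1, 5)})

def parse_tags(record):  # 'k=v; k=v' -> {'k': 'v', ...}
    return dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)

def dmarc_policy(from_domain, org_domain, zone=ZONE):
    """Policy applied to a From domain; org_domain is supplied by the caller."""
    own = zone.get("_dmarc." + from_domain)
    if own:                                  # an explicit record always wins
        return parse_tags(own)["p"]
    org = zone.get("_dmarc." + org_domain)
    if org is None:
        return None                          # no DMARC record applies
    tags = parse_tags(org)
    return tags.get("sp", tags["p"])         # subdomain: 'sp', falling back to 'p'

def spf_lookups(domain, zone=ZONE):
    """Worst-case count of DNS-querying SPF terms, following include/redirect."""
    count = 0
    for term in zone.get(domain, "").split()[1:]:        # skip 'v=spf1'
        term = term.lstrip("+-~?").replace("=", ":", 1)
        name, _, target = term.partition(":")
        name = name.split("/")[0]                        # 'a/24' -> 'a'
        if name in ("include", "a", "mx", "ptr", "exists", "redirect"):
            count += 1
        if name in ("include", "redirect"):
            count += spf_lookups(target, zone)
    return count

if __name__ == "__main__":
    for d in ("example.com", "bounce.mail.example.com", "bounce.news.example.com"):
        print(d, spf_lookups(d), "lookups (limit 10)")
```

With these records the single catch-all SPF record on the organizational domain needs more than 10 lookups, while each per-stream return-path record stays far below the limit.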