What is the best DMARC, DKIM, and SPF setup for marketing and transactional emails sent from different subdomains?

Summary

The optimal DMARC, DKIM, and SPF setup for marketing and transactional emails sent from different subdomains involves several key steps. Ensure SPF alignment by having the return path domain match the 'From' domain. Publish SPF records for the exact domain in the return path, considering custom vs. ESP domains and properly managing ESP 'include' statements. Create SPF records for each domain and subdomain. Subdomains inherit the DMARC policy of the main domain unless a specific DMARC record is published. Employ different DKIM selectors for each subdomain for easier identification and key rotation. Separate email types (marketing, transactional, cold emails) on different subdomains to isolate sender reputation. Initiate DMARC with a 'p=none' policy for monitoring, and gradually increase enforcement. Be mindful of SPF record lookup limits. Delegate subdomains to ESPs to mitigate SPF issues. Monitor DMARC reports, bounce rates, and IP reputation. Configure DNS records accurately and thoroughly test the setup.

Key findings

  • SPF Alignment is Crucial: SPF alignment, where the 'Return-Path' and 'From' domains match, is vital for deliverability.
  • SPF Records for Each Domain: SPF records should be created and carefully managed for each domain and subdomain used for sending emails.
  • DMARC Policy Inheritance: Subdomains inherit DMARC policies from the main domain unless explicitly overridden with a specific DMARC record.
  • Subdomain Reputation Isolation: Separating email types on different subdomains helps isolate reputation, preventing issues in one area from affecting others.
  • Phased DMARC Implementation: Implementing DMARC should start with a monitoring phase ('p=none') before stricter policies are enforced.
  • SPF Lookup Limit: Be aware of SPF record lookup limits to avoid authentication failures.
  • DKIM Selectors: Using distinct DKIM selectors for each subdomain simplifies key rotation and identification.
  • DMARC Monitoring: Continuous monitoring of DMARC reports is essential for identifying authentication issues and potential abuse.

Key considerations

  • SPF Record Accuracy: Regularly review and update SPF records to ensure they accurately reflect all authorized sending sources and third-party senders.
  • Subdomain Strategy: Carefully plan your subdomain structure to effectively isolate reputation and manage different email streams.
  • DMARC Report Analysis: Analyze DMARC reports regularly to identify potential authentication problems and security threats.
  • DNS Configuration: Ensure proper DNS configuration and testing for SPF, DKIM, and DMARC to guarantee correct authentication.
  • Bounce Rate and IP Reputation: Monitor bounce rates and IP reputation to proactively address deliverability issues.

What email marketers say
11 marketer opinions

When sending marketing and transactional emails from different subdomains, it is important to configure SPF, DKIM, and DMARC properly to maintain email deliverability and protect your domain reputation. SPF alignment is achieved when the 'Return-Path' domain matches the 'From' domain. Subdomains inherit the DMARC policy of the main domain unless a specific DMARC record is published. Using separate subdomains for different email types helps isolate reputation. Start with a DMARC policy of 'p=none' and gradually tighten it. Be aware of SPF record lookup limits. Use different DKIM selectors for each subdomain. Delegating subdomains to ESPs can avoid SPF issues. Monitor bounce rates and IP reputation. DMARC helps prevent phishing and spoofing, and its reports should be monitored. Use separate subdomains for cold email campaigns to avoid impacting the main domain's reputation.

Key opinions

  • SPF Alignment: Ensure SPF alignment by matching the 'Return-Path' and 'From' domains, often achieved through subdomain configuration.
  • DMARC Inheritance: Subdomains inherit the main domain's DMARC policy unless explicitly overridden.
  • Reputation Isolation: Separate subdomains for marketing and transactional emails isolate reputation, preventing deliverability issues in one from affecting the other.
  • Phased DMARC Implementation: Start with a 'p=none' DMARC policy to monitor email streams before enforcing stricter policies.
  • SPF Limit: Be mindful of SPF record lookup limits to avoid validation failures; consider flattening SPF records or using subdomains.
  • DKIM Selectors: Use distinct DKIM selectors for each subdomain to facilitate identification and key rotation.
  • Subdomain Delegation: Delegating subdomains to ESPs can help mitigate SPF-related challenges.
  • Cold Email Separation: Send cold email campaigns from separate subdomains to protect your brand.

Key considerations

  • DMARC Monitoring: Actively monitor DMARC reports to identify authentication issues and potential spoofing attempts.
  • Bounce Rate: Keep an eye on your bounce rates to ensure deliverability and reputation are up to standard.
  • Reputation: Check your IP address reputation periodically and follow any best practices.
Marketer view

Email marketer from SendGrid explains that one of the keys to improving deliverability is to monitor bounce rates so that you can handle these bounces efficiently. They also recommend reviewing your IP address's reputation and ensuring you're following best practices.

October 2022 - SendGrid
Marketer view

Email marketer from Email Geeks explains that SPF is checked against the return path, and the only way to achieve alignment is to have the return path in the same organizational domain as the 'from' domain.

January 2023 - Email Geeks
Marketer view

Email marketer from Reddit notes that SPF records have a lookup limit of 10, and exceeding this limit can cause SPF validation failures. They suggest flattening SPF records or using a subdomain to avoid exceeding the limit.

August 2024 - Reddit
Marketer view

Email marketer from Email Geeks explains that subdomains inherit the DMARC policy of the main domain unless an explicit DMARC record is published for the subdomains.

March 2024 - Email Geeks
Marketer view

Email marketer from StackOverflow suggests using different DKIM selectors for each subdomain. This allows you to easily identify which subdomain the email was sent from and simplifies key rotation.

June 2024 - StackOverflow
Marketer view

Email marketer from Mailjet shares that separating marketing and transactional emails on different subdomains helps maintain reputation. They advise setting up specific SPF, DKIM, and DMARC records for each subdomain to ensure proper authentication.

May 2022 - Mailjet
Marketer view

Email marketer from Postmark advises starting with a DMARC policy of 'p=none' to monitor email streams and identify any authentication issues. Once confident, the policy can be gradually increased to 'p=quarantine' or 'p=reject'.

August 2023 - Postmark
Marketer view

Email marketer from Reddit recommends creating separate subdomains for cold email campaigns. They state that the separation will help prevent damage to the main domain if the cold emails receive low open rates or high bounce rates.

January 2024 - Reddit
Marketer view

Email marketer from Email on Acid explains that by delegating your subdomains to ESPs you can avoid SPF issues and still have different email addresses that you send your mail from. They state that having everything in one SPF may lead to hitting the maximum DNS lookup limit.

August 2021 - Email on Acid
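
The 10-lookup limit and the subdomain split described in the Reddit and Email on Acid views above can be checked before publishing records. The following is an added example, not code from any of the quoted sources; every domain, ESP name and record in it is a constructed placeholder, and `mail.` / `txn.` are assumed to be the return-path subdomains of the marketing and transactional streams.

```python
# Added example; all names and records are constructed placeholders (limit: RFC 7208).
SPF_LIMIT = 10
THIRD_PARTY = {
    "_spf.workspace.test": "v=spf1 include:_nb1.workspace.test include:_nb2.workspace.test ~all",
    "_nb1.workspace.test": "v=spf1 ip4:192.0.2.0/25 ~all",
    "_nb2.workspace.test": "v=spf1 ip4:192.0.2.128/25 ~all",
    "spf.esp-mkt.test": "v=spf1 include:a.esp-mkt.test include:b.esp-mkt.test ~all",
    "a.esp-mkt.test": "v=spf1 ip4:198.51.100.0/25 ~all",
    "b.esp-mkt.test": "v=spf1 ip4:198.51.100.128/25 ~all",
    "spf.esp-txn.test": "v=spf1 mx ip4:203.0.113.0/25 ~all",
    "spf.crm.test": "v=spf1 ip4:203.0.113.128/25 ~all",
}
# Every sender authorised on the organizational domain's single record.
BEFORE = {**THIRD_PARTY, "example.com": "v=spf1 mx a include:_spf.workspace.test "
          "include:spf.esp-mkt.test include:spf.esp-txn.test include:spf.crm.test ~all"}
# Each stream's return-path subdomain carries only its own ESP include.
AFTER = {**THIRD_PARTY,
         "example.com": "v=spf1 mx a include:_spf.workspace.test include:spf.crm.test ~all",
         "mail.example.com": "v=spf1 include:spf.esp-mkt.test ~all",
         "txn.example.com": "v=spf1 include:spf.esp-txn.test ~all"}


def count_lookups(domain, zone, path=frozenset()):
    """Count terms that cost a DNS query when evaluating domain's SPF record."""
    record = zone.get(domain, "")
    if domain in path or not record.lower().startswith("v=spf1"):
        return 0  # include loop or no SPF record: nothing further to follow
    total = 0
    for term in record.split()[1:]:
        name, _, target = term.lstrip("+-~?").replace("=", ":", 1).partition(":")
        name = name.split("/")[0].lower()
        if name in ("a", "mx", "ptr", "exists"):
            total += 1
        elif name in ("include", "redirect"):
            total += 1 + count_lookups(target.lower(), zone, path | {domain})
    return total


def report(zone, domains):
    """Map each domain to (lookup count, within-limit flag)."""
    counts = {d: count_lookups(d, zone) for d in domains}
    return {d: (n, n <= SPF_LIMIT) for d, n in counts.items()}


if __name__ == "__main__":
    print(report(BEFORE, ["example.com"]))
    print(report(AFTER, ["example.com", "mail.example.com", "txn.example.com"]))
```

Nested includes are what push the single record over the limit: the top-level record lists only six querying terms, but evaluation needs eleven.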
Marketer view

Email marketer from SparkPost explains that to achieve SPF alignment, the domain in the 'Return-Path' (also known as the 'envelope from' address) must match the domain in the 'From' header. This can be achieved by using a subdomain and configuring SPF to authorize sending from that subdomain.

March 2021 - SparkPost
Marketer view

Email marketer from ZeroBounce recommends setting up DMARC to prevent phishing attacks and other forms of email spoofing. They stress the importance of protecting your brand's reputation, and state that you should monitor your DMARC reports to identify any suspicious activity.

May 2024 - ZeroBounce

What the experts say
4 expert opinions

When configuring DMARC, DKIM, and SPF for marketing and transactional emails sent from different subdomains, ensure that SPF records are published for the exact domain present in the return path. If using a custom domain for SPF, a specific record should be created for that domain, and the ESP include should be removed from the main domain. If using the ESP domain for SPF, the ESP include should also be removed from the main domain. Utilizing subdomains to separate email types isolates reputation, preventing marketing deliverability issues from affecting transactional emails. Regularly monitoring DMARC reports is crucial to identify authentication problems and unauthorized senders.

Key opinions

  • SPF Records for Return Path: Publish SPF records for the precise domain used in the return path of your emails.
  • Custom vs. ESP SPF Domains: When using a custom SPF domain, remove the ESP include from the main domain's SPF record. The same applies if using the ESP domain for SPF.
  • Reputation Isolation via Subdomains: Employing subdomains for different email types (marketing, transactional) isolates sender reputation.
  • DMARC Report Monitoring: Continuously monitor DMARC reports to detect authentication issues and unauthorized sending activity.

Key considerations

  • Return Path SPF: Verify that the SPF record accurately reflects the domain used in your email's return path.
  • ESP Include Management: Ensure that ESP 'include' statements in your main domain's SPF record are correctly managed, especially when using custom SPF domains.
  • Subdomain Strategy: Plan your subdomain strategy carefully to maximize reputation isolation and minimize deliverability risks.
  • DMARC Report Analysis: Regularly analyze DMARC reports to identify and address any authentication discrepancies or security threats.
Expert view

Expert from Word to the Wise emphasizes the importance of monitoring DMARC reports to identify potential issues with email authentication. They recommend analyzing the reports to understand where your emails are originating from and to identify any unauthorized senders.

November 2021 - Word to the Wise
Expert view

Expert from Spam Resource explains that using subdomains for different email types (marketing vs. transactional) allows you to isolate reputation. If your marketing emails have deliverability issues, it won't affect your transactional emails.

October 2022 - Spam Resource
Expert view

Expert from Email Geeks explains the need to publish SPF for the exact domain present in your return path.

November 2024 - Email Geeks
Expert view

Expert from Email Geeks shares that if using a custom domain for SPF, you should have a specific record for that domain and remove the ESP include from your main domain. If using the ESP domain for SPF, remove the ESP include from the main domain.

January 2025 - Email Geeks

What the documentation says
5 technical articles

For sending marketing and transactional emails from different subdomains, ensure that your SPF record includes all sending sources for each domain, and use `include:` statements for third-party senders. SPF records should be created for each domain and subdomain. Subdomains inherit the DMARC policy from the organizational domain unless a specific DMARC record is published, with the `sp` tag used for subdomain-specific policies. Each email sending source requires its own DKIM record, ideally using a 2048-bit key length. Proper DNS record configuration is essential for SPF, DKIM, and DMARC, requiring thorough testing.

Key findings

  • Comprehensive SPF Records: SPF records must include all sending sources for each domain, leveraging `include:` statements for third-party senders.
  • SPF Records per Domain/Subdomain: SPF records should be created for every domain and subdomain used for sending email.
  • DMARC Policy Inheritance: Subdomains inherit DMARC policies from the organizational domain unless explicitly overridden using a dedicated DMARC record, configurable with the `sp` tag.
  • Individual DKIM Records: Each email sending source requires its own unique DKIM record, with a recommended key length of 2048 bits.
  • DNS Configuration: Proper DNS configuration is critical for the correct operation of SPF, DKIM, and DMARC, necessitating thorough testing.

Key considerations

  • SPF Record Accuracy: Regularly review and update SPF records to ensure they accurately reflect all authorized sending sources.
  • Subdomain DMARC Policies: Determine whether subdomains require specific DMARC policies or can inherit the organizational domain's policy.
  • DKIM Key Management: Implement a secure process for generating, storing, and rotating DKIM keys.
  • DNS Testing: Thoroughly test DNS configurations to validate the proper function of SPF, DKIM, and DMARC.
Technical article

Documentation from Cloudflare explains that to set up SPF, DKIM, and DMARC for subdomains, you must also configure the DNS records correctly so that emails authenticate. It recommends thorough testing to confirm the setup is correct.

June 2023 - Cloudflare
Technical article

Documentation from Amazon AWS shares that to set up DKIM properly, each email sending source must have its own DKIM record to avoid authentication errors. AWS recommends using a 2048-bit key length for all DKIM signatures.

March 2022 - Amazon AWS
Technical article

Documentation from DMARC.org explains that subdomains inherit the DMARC policy from the organizational domain unless a specific DMARC record is published for the subdomain. The 'sp' tag can be used to set a specific policy for subdomains.

September 2022 - DMARC.org
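
The inheritance rule and the `sp` tag described above, together with the alignment requirement from the marketer views, worked through as an added example (not code from DMARC.org or any quoted source). The records are constructed placeholders, and the organizational domain is passed in by the caller as an assumption; receivers derive it from the Public Suffix List.

```python
# Added example: which DMARC policy applies to a From: domain, and is the
# authenticated domain aligned? Records are constructed placeholders.
TXT = {
    "_dmarc.example.com": "v=DMARC1; p=reject; sp=quarantine; rua=mailto:dmarc@example.com",
    "_dmarc.mail.example.com": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
}


def parse_tags(record):
    """Turn 'v=DMARC1; p=none' into {'v': 'DMARC1', 'p': 'none'}."""
    pairs = (part.partition("=") for part in record.split(";"))
    return {k.strip().lower(): v.strip() for k, _, v in pairs if k.strip()}


def effective_policy(from_domain, org_domain, txt):
    """Return (policy, record name) a receiver would use for from_domain.

    org_domain is supplied by the caller (assumption); receivers derive it
    from the Public Suffix List. txt stands in for live DNS TXT queries.
    """
    own = parse_tags(txt.get(f"_dmarc.{from_domain}", ""))
    if own.get("v") == "DMARC1":
        return own.get("p"), f"_dmarc.{from_domain}"
    org = parse_tags(txt.get(f"_dmarc.{org_domain}", ""))
    if org.get("v") != "DMARC1":
        return None, None
    # No record on the subdomain: inherit sp= if published, otherwise p=.
    return org.get("sp", org.get("p")), f"_dmarc.{org_domain}"


def aligned(from_domain, auth_domain, org_domain, strict=False):
    """auth_domain is the Return-Path domain (SPF) or the DKIM d= domain."""
    if strict:  # aspf=s / adkim=s: exact match required
        return from_domain == auth_domain
    in_org = lambda d: d == org_domain or d.endswith("." + org_domain)
    return in_org(from_domain) and in_org(auth_domain)


if __name__ == "__main__":
    for sender in ("example.com", "mail.example.com", "txn.example.com"):
        print(sender, effective_policy(sender, "example.com", TXT))
    print(aligned("mail.example.com", "bounce.mail.example.com", "example.com"))
    print(aligned("mail.example.com", "esp-bounces.test", "example.com"))
```

Here the marketing subdomain stays in monitoring with its own `p=none` record while the transactional subdomain, which publishes nothing, picks up `sp=quarantine` from the organizational domain.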
Technical article

Documentation from Google Workspace Admin Help explains that when sending mail from multiple domains, ensure your SPF record includes all sending sources for each domain. It recommends using include: statements to reference the SPF records of third-party senders.

June 2024 - Google Workspace Admin Help
Technical article

Documentation from Microsoft Learn states that SPF records should be created for each domain and subdomain that sends email. This ensures that each sending source is properly authenticated.

August 2022 - Microsoft Learn