How DMARC Handles Domains and Subdomains in Email Addresses - Valimail (2024)

One of the less well-understood aspects ofDomain-based Message Authentication, Reporting & Conformance (DMARC)is how receivers apply DMARC when subdomains are involved.

DMARC uses the Domain Name System (DNS) to store records indicating how email receivers should evaluate incoming messages for authenticity. While it may seem simple at first, the behavior can get complicated.When subdomains are involved, there are a couple of important issues to understand.

In this post, we’ll cover the first issue—how the DMARC policy records are queried. In other words, which DNS TXT records do receivers check?

How receivers query DMARC policy records

Here are the basic rules:

  1. Receivers check for DMARC records based on the domain found in the RFC5322 From address, more colloquially known as justthe From address.
  2. Receivers will make either one or two DNS requests to find a DMARC record for a message, never more.
  3. If the From address on the message includes a subdomain, then the DMARC policy defined on a parent domain of that subdomain only applies if the parent domain is the organizational domain (see below), and if no DMARC policy is defined for the subdomain. DMARC policies defined for any other domains in the tree are ignored.

Let’s work through an example. We’ll consider three messages, each with a From address on example.com or one of its subdomains.

1. DMARC record subdomain lookup examples

The first set of DMARC records that will be checked is shown in the third column:

From AddressFrom DomainFirst DMARC Record Domain
sender@example.comexample.com_dmarc.example.com
sales@xyz.example.comxyz.example.com_dmarc.xyz.example.com
support@abc.xyz.example.comabc.xyz.example.com_dmarc.abc.xyz.example.com

If a DMARC record is found at the first DMARC record domain, this lookup process stops. No further queries are performed for DMARC records, and the DMARC record retrieved from DNS for that domain is used for DMARC processing.

But if no DMARC record is found, the receiver may check another domain for the presence of the DMARC record. To determine this second location, DMARC introduces the notion of organizational domain. While the definition is a little complex, the process for determining the organizational domain is basically as follows:

  1. Take the domain from the From address.
  2. Check the public suffix list for the largest suffix contained in the domain. For the.com,.edu, and many other popular TLDs, the suffix is just the TLD itself.
  3. Keep one label past the public suffix and discard the rest.

Some examples:

Email AddressOrganizational Domain
sales@xyz.example.comexample.com
other@anotherexample.organotherexample.org
ukuser@abc.service.co.ukservice.co.uk (co.uk is the public suffix)

Let’s revisit our example above and see whether the receiver can make a secondDNS requestin each case and, if so, what domain is checked:

From AddressOrganizational DomainChecks?Second DMARC Record Domain
sender@example.comexample.comNN/A
sales@xyz.example.comexample.comY_dmarc.example.com
support@abc.xyz.example.comexample.comY_dmarc.example.com

In the first case, no additional DNS lookup is made for the DMARC record, as the organizational domain is the same as the From domain. So there’s no need to make the same check again.

2. DMARC record second lookup

In the second case, a second lookup is made (assuming no record was found on the first lookup). If a DMARC record is defined on _dmarc.example.com, that DMARC record will apply to this message.

3. DMARC subdomain lookup

The final case is probably the most confusing. As in the second case, a second lookup will be made and it will be made against the _dmarc.example.com domain. The important thing to note is that even though abc.xyz.example.com is a subdomain of xyz.example.com, there is no DMARC record lookup against _dmarc.xyz.example.com. So even if there’s a DMARC record defined on _dmarc.xyz.example.com, it won’t apply to this message.

We cover the other issue that impacts DMARC use with subdomains — the use of the sp tag — in a blog post on “How DMARC works with subdomains and the sp tag.”

Protect all your domains and subdomains with Valimail

Hopefully, you now have a better idea of how DMARC record lookups work. Defining DMARC records on subdomains is definitely an advanced topic and, in most cases, is probably not necessary.

Navigating the complexities of DMARC and its implications for your domains and subdomains can be daunting. The intricacies of how DMARC policies are applied to email communications (especially when subdomains come into play) underscore the need for a robust, intelligent solution.

And that’s where Valimail can help.

The challenges associated with managing DMARC records, particularly for organizations with multiple subdomains, can lead to vulnerabilities (if not addressed properly). Valimail’s platform is designed to eliminate these vulnerabilities by offering:

  • Automated DMARC Record Management: Valimail automates the configuration and management of DMARC records for both your main domain and any subdomains, ensuring consistent protection across your entire email ecosystem.
  • Simplified Policy Enforcement: With Valimail, moving from a policy of none to quarantine or reject is streamlined, making the transition to full DMARC enforcement a smooth process for your organization.
  • Comprehensive Visibility: Gain clear insights into your email authentication status across all domains and subdomains, with detailed reporting that helps identify and rectify potential issues before they become problematic.

Ready to secure your domains and subdomains? Learn how Valimail can better protect your brand.

TALK TO ONE OF OUR DMARC EXPERTS

How DMARC Handles Domains and Subdomains in Email Addresses - Valimail (2024)

FAQs

How DMARC Handles Domains and Subdomains in Email Addresses - Valimail? ›

By default, the DMARC policy that is set for an organizational domain will apply to any subdomains—unless a DMARC record has been published for a specific subdomain. However, domain owners may set separate policies for all subdomains with the “sp” tag (for subdomain policy). It uses the same syntax as the p tag.

How does DMARC work for subdomains? ›

Subdomains typically follow the DMARC policy set for the parent domain unless a specific policy is defined for the subdomain. The 'sp' attribute allows for overriding this default behavior. Even if a subdomain's DMARC record sets a policy to 'none,' it will still take precedence over the parent domain's policy.

What is Valimail DMARC? ›

Valimail is the only DMARC vendor that offers a complete solution for both inbound and outbound email protection against phishing attacks.

What is the DMARC policy tag for subdomains? ›

When creating a DMARC record for a organizational domain (think google.com), a domain owner can add an "sp" tag to the DMARC record. This tag specifies what the policy should be for ALL subdomains of that domain.

How does DMARC work email? ›

Domain-based Message Authentication Reporting & Conformance (DMARC) is an email security protocol. DMARC verifies email senders by building on the Domain Name System (DNS), DomainKeys Identified Mail (DKIM), and Sender Policy Framework (SPF) protocols.

How do domains and subdomains work? ›

Follow. Regular domains are your standard URLs like splashthat.com or splashthat. events. Subdomains are a unique URL that lives on your purchased domain as an extension in front of your regular domain like support.splashthat.com or blockparty.splashthat.com.

How do I add a subdomain to Valimail? ›

To do this, log in to your Valimail account and click on the "Domains" tab. From there, click on the organizational domain of your choosing and scroll to the bottom of that page. Once you get to the bottom of that page you can click on "Add Email Subdomain" to enter the subdomain name in that field.

What is the best practice for DMARC policy? ›

Set Up DMARC Policy: Gradually enforce DMARC policies by starting with a monitoring-only policy (p=none). This allows you to gather data on email sources and potential issues without impacting email delivery. DMARC records use a "p=" tag to indicate the DMARC policy.

Can a domain have 2 DMARC records? ›

A domain can only have one DMARC record.

How many domains use DMARC? ›

About 80% of all email inboxes worldwide support DMARC, according to Valimail's latest research report. Based on Valimail's real-time DNS analysis of tens of millions of domains globally, as of July 2019, more than 784,000 domains use DMARC — more than twice as many as were using it at this time last year.

Can you send emails without DMARC? ›

They want to make emails more secure and prevent cyber crimes or data breaches from happening. If you send 5000 emails or more without having a DMARC record in your DNS, your emails might get blocked or go to spam, hurting your deliverability.

What is the DMARC policy for your domain? ›

A DMARC policy tells a receiving email server what to do after checking a domain's Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) records, which are additional email authentication methods. DMARC and other email authentication methods are necessary in order to prevent email spoofing.

Does DMARC improve email deliverability? ›

ISPs want to ensure their customers receive legitimate messages and are not receiving any spam. ISPs are more likely to let messages pass from a domain that has published a DMARC record. Therefore, publishing a DMARC record in the domain (which is used for email marketing) can improve email deliverability.

How does subdomain delegation work? ›

The process of subdomain delegation is where an authorization is required for a subdomain to be managed by another company/entity. The user usually authorizes Adobe to manage all aspects of the email sending domain and if it is in hosted deployment mode.

Does Dnssec apply to subdomains? ›

In order to use DNSSEC for a subdomain setup, DNSSEC must be enabled on the parent zone. Ideally, you should also wait 12 to 24 hours after enabling DNSSEC on the parent zone to ensure DNS resolvers provide the same DNS query responses.

How does DNS handle subdomains? ›

Subdomains can point to the same DNS server as the associated domain name, or to their own DNS zone. To speed up the loading time for certain webpages or subdomains, some webmasters create a DNS subdomain delegation. This assigns a server to each subdomain.

Does DKIM apply to subdomains? ›

Some domain providers let you add a DKIM TXT record directly to the subdomain, using the same steps in Turn on DKIM for your domain. If your domain provider doesn't let you add TXT records to a subdomain, add a modified TXT record to the parent domain. This enables DKIM for the subdomain.

References

Top Articles
Latest Posts
Recommended Articles
Article information

Author: The Hon. Margery Christiansen

Last Updated:

Views: 5776

Rating: 5 / 5 (50 voted)

Reviews: 89% of readers found this page helpful

Author information

Name: The Hon. Margery Christiansen

Birthday: 2000-07-07

Address: 5050 Breitenberg Knoll, New Robert, MI 45409

Phone: +2556892639372

Job: Investor Mining Engineer

Hobby: Sketching, Cosplaying, Glassblowing, Genealogy, Crocheting, Archery, Skateboarding

Introduction: My name is The Hon. Margery Christiansen, I am a bright, adorable, precious, inexpensive, gorgeous, comfortable, happy person who loves writing and wants to share my knowledge and understanding with you.