< back to blog

Understanding DMARC and Subdomains

March 21, 2024
DMARC Protocol

Introduction

Implementing Domain-based Message Authentication, Reporting, and Conformance (DMARC) is a crucial step in securing email communication for organisations. However, when subdomains come into play, the configuration and management of DMARC policies require additional considerations and are often overlooked. This post aims to help you understand how DMARC works with subdomains.

The Basics of DMARC for Subdomains

A DMARC DNS record applied to a domain also affect any subdomains, unless a subdomain has its own DMARC DNS record. This means that if example.com has a DMARC record, it influences how email servers handle emails from crm.example.com, unless crm.example.com has its own DMARC DNS record.

N.B. Not to be confused with alignment mode, which specifies how a recipient mail server should determine if a SPF pass or DKIM pass is aligned with the Header From domain and therefore if the message is DMARC compliant.

What we are referring to in this post is what a recipient mail server will do to do to if a message is DMARC non-compliant.

Key Considerations for DMARC and Subdomains

1. Default Inheritance: By default, subdomains inherit the DMARC policy of the parent domain. If the parent domain's DMARC policy is set to reject (`p=reject`), this policy applies to all subdomains.
2. Specifying Subdomain Policies: To define a different policy for any subdomains, use an `sp=` tag in the DMARC DNS record. For example, `sp=quarantine` applies a quarantine policy to all subdomains, regardless of the `p=` policy.
3. Creating Specific Subdomain Records: For more granular control, you can create a separate DMARC record for a specific subdomain. This allows MSPs and IT teams to apply customised policies to individual subdomains, independent of the parent domain's DMARC policy. The most important consideration for a separate subdomain DMARC record is it will override the RUA report destination. An example of where this could be useful is if a subdomain is outsourced for an application and managed by a contractor who should monitor DMARC compliance independently.

Implementing DMARC for Subdomains

1. Assess Your Email Infrastructure: Identify all subdomains used for sending emails and determine if they require a different DMARC policy or RUA report destination from the parent domain. VerifyDMARC will automatically show subdomain activity separately in the Dashboard, where the subdomain does not have its own DMARC record.
2. Define Policies Based on Use Cases: Consider the role of each subdomain in your email ecosystem. Marketing, transactional emails, and internal communications might have different security and deliverability requirements. And subdomains may be monitored or managed by separate teams or contractors who need to have discrete access to the DMARC reports for their responsibility.
3. Monitor and Adjust: After defining DMARC policies for subdomains, continuously monitor DMARC reports to assess their impact on email deliverability and security. Adjust policies as needed to optimise protection and ensure legitimate emails are not impacted.

Challenges and Solutions

  • Managing Multiple Policies: The complexity of managing different DMARC policies for multiple subdomains can be challenging. Utilise DMARC management tools that offer awareness at a glance. VerifyDMARC will highlight domains that have a catch-all subdomain policy of `sp=none` to ensure this setting is not overlooked and potentially leaving the backdoor open for abuse.
  • Balancing Security and Deliverability: Finding the right policy for each subdomain that balances security needs without hindering email deliverability requires careful testing and gradual implementation.
  • Keeping Up with Changes: As organisations evolve, new subdomains may be used, and email sending practices may change. Ensure your DMARC reporting solution automatically displays subdomains in use as this could indicate malicious activity or shadow IT.

Conclusion

Effectively managing DMARC policies for subdomains is critical in extending your organisation's email security framework. By understanding the inheritance and customisation options available within DMARC, MSPs and IT teams can ensure that both main domains and subdomains are protected against email spoofing and phishing attacks. Remember, the goal is to implement a DMARC policy that not only secures your email domain but also supports the diverse operational needs of different subdomains, ultimately safeguarding your organisation's reputation and email communication integrity.

START FREE TRIAL
Is DANE Right for Your Inbound Email Security?

Is DANE Right for Your Inbound Email Security?

We discuss inbound email security options for SMEs, considering MTA-STS over DANE due to its simplicity and lower risk. We outline a step-by-step approach to upgrade email security using TLS reporting and MTA-STS.

Security
TLS Reporting
VerifyDMARC Launches SMTP TLS Reporting

VerifyDMARC Launches SMTP TLS Reporting

The introduction of SMTP Transport Layer Security (TLS) Reporting allows customers to collect crucial insights on the performance of their MTA-STS and DANE policies.

Product Updates
TLS Reporting
Update: North Korean Actors Exploit Weak DMARC Security

Update: North Korean Actors Exploit Weak DMARC Security

In response to a recent FBI, State Department, and NSA advisory, we highlight risks of weak DMARC security and offer actionable steps to protect your organisation, customers, and suppliers.

DMARC Protocol
Security