DMARC Records: Should You Add One for Each Subdomain or Just the Root Domain?

By default, all subdomains inherit the DMARC policy set at the root domain level. This means that if your root domain (example.com) has a DMARC policy in place, all emails sent from subdomains like mail.example.com or info.example.com will automatically follow the same policy.

This inheritance simplifies DMARC management, as you won’t need separate DMARC records for each subdomain if they are all meant to follow the same policy.

If you’d like your subdomains to follow a specific DMARC policy different from the root domain, you can use the ‘sp=’ tag in the DMARC record of your root domain. For example:

v=DMARC1; p=reject; sp=quarantine; rua=mailto:dmarc-reports@example.com;

In this case:

  • p=reject applies the ‘reject’ policy to emails from the root domain.
  • sp=quarantine applies the ‘quarantine’ policy to all subdomains.

This setup can be useful if you want more control over subdomain emails without creating individual DMARC records for each subdomain.

However, in cases where a particular subdomain has its own email-sending practices (for example, marketing.example.com running independently from the main domain’s email system), it may be beneficial to create a separate DMARC record for that subdomain. This approach lets you set a custom policy and manage configurations independently, just as you would for the root domain.
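The lookup order described above (a subdomain’s own record wins; otherwise the root domain’s ‘sp=’ applies, falling back to its ‘p=’) as an added, runnable example that is not part of the original article. It uses a constructed in-memory zone instead of live DNS, and it assumes the organizational domain is simply the last two labels (real implementations consult the Public Suffix List).

```python
# Added example (not from the original article): resolve the DMARC policy that
# governs a sending domain, following the inheritance rules for subdomains.
# DNS is replaced by a constructed in-memory zone so this runs offline.

# Constructed sample TXT records; placeholder values, not real DNS data.
ZONE = {
    "_dmarc.example.com": "v=DMARC1; p=reject; sp=quarantine; rua=mailto:dmarc-reports@example.com;",
    "_dmarc.marketing.example.com": "v=DMARC1; p=none; rua=mailto:mkt-dmarc@example.com;",
}

def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict; {} if it is not a valid DMARC record."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    # A usable record must declare v=DMARC1 and carry a p= tag.
    return tags if tags.get("v", "").upper() == "DMARC1" and "p" in tags else {}

def organizational_domain(domain: str) -> str:
    # Assumption: last two labels form the organizational (root) domain.
    return ".".join(domain.lower().split(".")[-2:])

def effective_policy(sender: str, zone: dict = ZONE) -> dict:
    """Return which record governs `sender` and the policy that applies to it.

    1. A record at _dmarc.<sender> wins; its p= applies.
    2. Otherwise the root domain's record is inherited: sp= if present, else p=.
    The rua= of the governing record is where aggregate reports for `sender` go.
    """
    own = parse_dmarc(zone.get(f"_dmarc.{sender.lower()}", ""))
    if own:
        return {"source": sender.lower(), "policy": own["p"], "rua": own.get("rua")}
    root = organizational_domain(sender)
    inherited = parse_dmarc(zone.get(f"_dmarc.{root}", ""))
    if not inherited:
        # No DMARC record anywhere in the chain: receivers apply no DMARC policy.
        return {"source": None, "policy": "none", "rua": None}
    return {"source": root, "policy": inherited.get("sp", inherited["p"]), "rua": inherited.get("rua")}
```

With the sample zone, mail.example.com inherits ‘quarantine’ from the root’s sp= tag, while marketing.example.com is governed by its own record.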

DMARC Reporting for Subdomains:

When you set up a DMARC record for the root domain, all subdomain activity is automatically included in the root domain’s aggregate reports. This way, you can track email authentication results for both the root and subdomains in one place, making it easier to manage your overall DMARC strategy.

In conclusion, DMARC policies for subdomains are inherited from the root domain by default, and you can customize subdomain policies using the ‘sp=’ tag to manage email security more effectively across your domain and subdomains.