One of the less well-understood aspects of DMARC is how receivers apply DMARC when subdomains are involved.
DMARC uses the Domain Name System (DNS) to store records indicating how email receivers should evaluate incoming messages for authenticity. While it may seem simple at first, the behavior can get complicated. When subdomains are involved there are a couple of important issues to understand.
We’ll cover the first issue — how the DMARC policy records are queried — in this post. In other words, which DNS TXT records do receivers check?
How Receivers Query DMARC Policy Records
Here are the basic rules:
- Receivers check for DMARC records based on the domain found in the RFC5322 From address, more colloquially known as just the ‘From’ address.
- Receivers will make either one or two DNS requests to find a DMARC record for a message, never more.
- If the From address on the message includes a subdomain, then the DMARC policy defined on a parent domain of that subdomain only applies if the parent domain is the ‘organizational domain’ (see below) and if no DMARC policy is defined for the subdomain. DMARC policies defined for any other domains in the tree are ignored.
Let’s work through an example. We’ll consider three messages, each with a From address on example.com or one of its subdomains.
1. DMARC Record Subdomain Lookup Examples
The first set of DMARC records that will be checked is shown in the third column:
| From Address | From Domain | First DMARC Record Domain |
| sender@example.com | example.com | _dmarc.example.com |
| sales@xyz.example.com | xyz.example.com | _dmarc.xyz.example.com |
| support@abc.xyz.example.com | abc.xyz.example.com | _dmarc.abc.xyz.example.com |
If a DMARC record is found at the first DMARC record domain, this lookup process stops. No further queries are performed for DMARC records, and the DMARC record retrieved from DNS for that domain is used for DMARC processing.
But if no DMARC record is found, the receiver may check another domain for the presence of the DMARC record. To determine this second location, DMARC introduces the notion of ‘organizational domain’. While the definition is a little complex, the process for determining the organizational domain is basically as follows:
- Take the domain from the ‘From’ address.
- Check the public suffix list for the largest suffix contained in the domain. For the .com, .edu, and many other popular TLDs, the suffix is just the TLD itself.
- Keep one label past the public suffix and discard the rest.
Some examples:
| Email Address | Organizational Domain |
| sales@xyz.example.com | example.com |
| other@anotherexample.org | anotherexample.org |
| ukuser@abc.service.co.uk | service.co.uk (co.uk is the public suffix) |
Let’s revisit our example above and see whether the receiver can make a second DNS request in each case and, if so, what domain is checked:
| From Address | Organizational Domain | Checks? | Second DMARC Record Domain |
| sender@example.com | example.com | N | N/A |
| sales@xyz.example.com | example.com | Y | _dmarc.example.com |
| support@abc.xyz.example.com | example.com | Y | _dmarc.example.com |
In the first case, no additional DNS lookup is made for the DMARC record, as the organizational domain is the same as the From domain. So there’s no need to make the same check again.
2. DMARC Record Second Lookup
In the second case, a second lookup is made (assuming no record was found on the first lookup). If a DMARC record is defined on _dmarc.example.com, that DMARC record will apply to this message.
3. DMARC Subdomain Lookup
The final case is probably the most confusing. As in the second case, a second lookup will be made and it will be made against the _dmarc.example.com domain. The important thing to note is that even though abc.xyz.example.com is a subdomain of xyz.example.com, there is no DMARC record lookup against _dmarc.xyz.example.com. So even if there’s a DMARC record defined on _dmarc.xyz.example.com, it won’t apply to this message.
We cover the other issue that impacts DMARC use with subdomains — the use of the ‘sp’ tag — in a blog post on “How DMARC works with subdomains and the sp tag.”
Protect All Your Domains and Subdomains with Valimail
Hopefully you now have a better idea of how DMARC record lookups work. Defining DMARC records on subdomains is definitely an advanced topic and, in most cases, is probably not necessary.
Navigating the complexities of DMARC and its implications for your domains and subdomains can be daunting. The intricacies of how DMARC policies are applied to email communications (especially when subdomains come into play) underscore the need for a robust, intelligent solution.
And that’s where Valimail can help.
The challenges associated with managing DMARC records, particularly for organizations with multiple subdomains, can lead to vulnerabilities (if not addressed properly). Valimail’s platform is designed to eliminate these vulnerabilities by offering:
- Automated DMARC Record Management: Valimail automates the configuration and management of DMARC records for both your main domain and any subdomains, ensuring consistent protection across your entire email ecosystem.
- Simplified Policy Enforcement: With Valimail, moving from a policy of “none” to “quarantine” or “reject” is streamlined, making the transition to full DMARC enforcement a smooth process for your organization.
- Comprehensive Visibility: Gain clear insights into your email authentication status across all domains and subdomains, with detailed reporting that helps identify and rectify potential issues before they become problematic.
Ready to secure your domains and subdomains? Talk to one of our experts to learn how Valimail can better protect your brand.