惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

GbyAI
GbyAI
The Last Watchdog
The Last Watchdog
TaoSecurity Blog
TaoSecurity Blog
PCI Perspectives
PCI Perspectives
L
LINUX DO - 最新话题
H
Heimdal Security Blog
S
Security Archives - TechRepublic
www.infosecurity-magazine.com
www.infosecurity-magazine.com
T
Troy Hunt's Blog
SecWiki News
SecWiki News
S
Secure Thoughts
The Cloudflare Blog
Last Week in AI
Last Week in AI
Google DeepMind News
Google DeepMind News
Attack and Defense Labs
Attack and Defense Labs
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
量子位
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
V
Visual Studio Blog
N
News and Events Feed by Topic
E
Exploit-DB.com RSS Feed
博客园 - Franky
博客园 - 司徒正美
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
酷 壳 – CoolShell
酷 壳 – CoolShell
Know Your Adversary
Know Your Adversary
M
MIT News - Artificial intelligence
V
V2EX
Webroot Blog
Webroot Blog
Hacker News - Newest:
Hacker News - Newest: "LLM"
Cyberwarzone
Cyberwarzone
博客园 - 【当耐特】
月光博客
月光博客
Y
Y Combinator Blog
B
Blog RSS Feed
Recent Announcements
Recent Announcements
S
Schneier on Security
H
Hacker News: Front Page
Stack Overflow Blog
Stack Overflow Blog
NISL@THU
NISL@THU
小众软件
小众软件
雷峰网
雷峰网
P
Privacy International News Feed
腾讯CDC
大猫的无限游戏
大猫的无限游戏
博客园 - 叶小钗
C
Cyber Attacks, Cyber Crime and Cyber Security
V
Vulnerabilities – Threatpost
H
Hackread – Cybersecurity News, Data Breaches, AI and More
N
News and Events Feed by Topic

Resend RSS Feed

6 Tips for Accessible Emails Welcoming Manoel do Amaral, our new Brand Designer Welcoming Michael Vaz, our new Customer Success Engineer Six Steps to Improve Your Sender Reputation Welcoming Tatira Andrade, our new Executive Assistant Welcoming Pedro Ivo Hudson, our new Design Engineer Welcoming Diel Duarte, our new Open source Engineer Welcoming Areia Spinner, our new Recruiter Resend Forward: A Conference about Craft React Email 6.0 Custom Tracking Domains AI Email Editor Introducing Automations Welcoming Ahmed Tolba, our new SRE Engineer Welcoming Aneil Singh, our new Founding Account Executive Welcoming Lucas Motta, our new Software Engineer Welcoming Trey Knowles, our new Founding Account Executive Welcoming Anxhela Carciu, our new SRE Engineer Introducing DMARC Analyzer Welcoming Evan Thibodeau, our new Customer Success Engineer Welcoming Derich Pacheco, our new Software Engineer Welcoming Alec Ventura, our new Data Engineer Welcoming Felipe Freitag, our new Software Engineer Welcoming Mateusz Wos, our new Software Engineer Incident report for February 15, 2026 Email automation for OpenClaw How to Create a DevTools Agent Skill Introducing Email Skills Why You Should Embrace the Promotions Tab Slater Smith, our new Customer Success Engineer Do You Need a Warmup Service? Welcoming Zá Scalon, our new Brand Designer How Replit Built Effortless Email Sending Features 1,000,000 users Top 10 new features in 2025 Welcoming Danilo Campos, our new Design Engineer How Dub Uses Webhooks to Power Features Incident report for November 18, 2025 Resend Forward 5: Wrap Up One More (AI) Thing React Email 5.0 Unsubscribe Topics New Contacts Experience Introducing Templates Inbound Emails $3M to Make Email Safer Hacktoberfest 2025 Four Ways to Hurt Your Sender Reputation Resend MCP Hackathon Welcoming Christina Martinez, our new Developer Experience Engineer How to read a DMARC report Welcoming Erin Levine, our new Chief of Staff How to Validate Form Inputs Engineering an AI App Welcoming Lucas da Costa, our new Software Engineer Welcoming Lucas Vieira, our new Software Engineer Resend acquires Briefer How Raycast Modernized their Email Sending How to Get Email Consent DMARC Policy Modes Welcoming Gabriel Miranda, our new Software Engineer Rebranding Resend The 7 Best Email Verification APIs for Developers Welcoming Pedro Gomes, our new Software Engineer Do You Need a Dedicated IP? The 6 best notification infrastructure services The Fixer Why Your Emails are Going to Spam Engineering Idempotency Keys Microsoft’s bulk sending requirements for 2025 Welcoming Rehan van der Merwe, our new Devops Engineer 400,000 users and beyond Welcoming Cassio Zen, our new Software Engineer Resend acquires Mergent How to warm up a new domain Welcoming Carolina Josephik, our new Software Engineer Launch Week: Behind the Scenes Welcoming Isabella Aquino, our new Software Engineer Resend Forward 4: Wrap Up React Email 4.0 Multiplayer Editor Broadcast API Multiple Teams new.email Public Launch Welcoming Anna Ward, our new Postmaster How Gumroad Migrated 100M Emails to Resend Welcoming João Melo, our new Software Engineer Welcoming Jp Valery, our new Customer Success Engineer What is AX (Agent Experience) and how to improve it Welcoming Pauline Chin, our new Customer Success Engineer Introducing new.email How we use Friction Logs to improve the product Top 10 Email Deliverability Tips Welcoming Giovana Yahiro, our new Designer Engineer What BIMI's Changes Mean for Email Top 10 new features in 2024 Design Engineering an X Component Welcoming Alexandre Cisneiros, our new Software Engineer Resend raises $18M Series A Welcoming Danilo Woznica, our new Designer Engineer
How DMARC Applies to Subdomains
Jp Valery · 2025-06-18 · via Resend RSS Feed

Most advice about DMARC stops at the basics: publish a policy, monitor reports, and eventually enforce. But what happens when emails come from subdomains like mail.example.com or newsletters.example.com?

Let's examine how DMARC works with subdomains. Along the way, we’ll answer:

  • How does a receiving server determine which DMARC policy to apply?
  • When does a subdomain inherit the parent domain’s policy?
  • Should you use the sp tag to manage subdomain behavior?

This guide assumes you understand the basics DMARC. If you're not sure on the tags available or the policies none, quarantine, or reject, start by reading our guide on DMARC policy modes.

Before we begin, let's first understand the organizational domain (or parent domain), as DMARC depends heavily upon it.

Understanding the organizational domain

Every domain on the internet has a base domain from which subdomains are derived. DMARC relies on this concept to decide where to look for policy information.

Domain NameOrganizational Domain
yourdomain.tldyourdomain.tld
mail.yourdomain.tldyourdomain.tld
send.mail.yourdomain.tldyourdomain.tld

Your base domain is called the organizational domain, and it’s not always just the last two segments of a hostname. For example, in the U.K., the entire yourdomain.co.uk is considered the organizational domain, not merely co.uk.

DMARC validators reference a public suffix list to determine the organizational domain. This list defines what counts as a "suffix" (or top-level domain) (like .com, .co.uk, etc.) and helps determine where a domain truly starts.

How receiving servers find a DMARC policy

When a mail server receives a message and wants to apply DMARC, it follows a process called policy discovery.

Here's a simplified diagram of the policy discovery process:

Here's what happens behind the scenes:

  1. Extract the domain in the “From” header (called the RFC5322.From domain).
  2. Look up a DMARC record at that domain.
    • If exactly one valid record is found, use it.
    • If multiple records are found, DMARC is skipped.
    • If none are found, continue.
  3. Look up a DMARC record on the organizational domain.
    • Again, if one record is found, use it.
    • If none or multiple records are found, DMARC is skipped.
  4. Check that the record includes a valid p tag.
    • If not, but there’s a valid rua (reporting address), the server defaults to p=none.
    • If there’s no valid p and no rua, DMARC isn’t applied.

Intermediate subdomains are skipped

Importantly, only two DNS queries are made at most — one for the exact domain and one for the organizational domain. Intermediate subdomains are skipped entirely.

For example, if the “From” domain is send.mail.yourdomain.tld, a policy discovery will check the following domains in this order:

  • send.mail.yourdomain.tld
  • yourdomain.tld

It will not check intermediate subdomains like mail.yourdomain.tld, even if those records exist.

How policies apply to subdomains

The DMARC policy (i.e.,p=none) on your organizational domain cascades to subdomains, but more specific policies can override it.

There are three scenarios to consider:

1. Subdomain publishes its own record (most specific policy)

Any subdomain that publishes its own DMARC policy (with a p= tag) will override whatever the organizational domain says, including the sp value.

In this example, mail.yourdomain.tld will follow its own policy (p=none), not the sp=reject from the organizational domain.

2. Subdomain follows the organizational domain’s sp tag (less specific policy)

The optional sp tag (short for subdomain policy) can be set on the organizational domain only. It allows you to treat subdomains differently from the organizational domain, without having to publish a DMARC record on each subdomain.

If the subdomain doesn’t publish its own record, it will inherit the sp value if it exists.

Here, the base domain enforces p=reject, but all subdomains default to p=quarantine since the sp tag has higher precedence than the p tag for subdomains.

The sp tag is useful if your main domain is locked down, but you’re still gradually ramping up enforcement on subdomains.

Should you use sp on a subdomain?

No, there’s no reason to include sp= in a DMARC record on a subdomain. It will always be entirely ignored, as the sp tag is only supported on the organizational domain.

In this case, sp=reject is meaningless. The sp tag doesn’t support “nested inheritance.”

3. Subdomain inherits the organizational domain’s policy (default if no other policy is found)

If a subdomain doesn't have its own DMARC record, it will follow the organizational domain’s p value.

In this case, mail.yourdomain.tld and all other subdomains without DMARC records will implicitly enforce p=reject from the organizational domain.

If you're still testing the waters with DMARC or managing multiple systems, your best move is to start simple and slowly tighten up.

1. Start with a single policy

A safe default that covers your whole domain and subdomains looks like this:

2. Tighten your organizational domain first

Once you're confident all sending sources on your organizational domain are aligned and authenticated, you can tighten this up:

The sp=none tag means that subdomains will still use the safer none policy, but the organizational domain will enforce p=reject.

3. Tighten up all subdomains

Once you're confidence all sending sources on your subdomains are aligned and authenticated, you can tighten this up by either changing the sp tag to reject or by removing the sp tag entirely and relying on the p tag to cascade:

This configuration ensures that your primary domain and all of its subdomains are protected. If you need to make exceptions, publish explicit policies only on those subdomains.

Unless you’re intentionally managing complex routing or vendor-specific setups, you generally don’t need to use the sp tag. Set a strong policy at the organizational level and only override when absolutely necessary.

Summary

Here's what to remember about DMARC and subdomains:

  1. DMARC only checks two places: the domain in the From header and its organizational domain.
  2. Subdomains inherit the organizational domain’s p= tag unless overridden — or unless sp= is specified at the organizational level.
  3. sp= only works when defined on the organizational domain.
  4. Avoid putting sp= on subdomains (it will be ignored), as it can only be applied to the organizational domain.

此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。