Using a Subdomain Policy with DMARC

How DMARC receivers retrieve policy

DMARC receivers are instructed per specification to retrieve the DMARC DNS record using the 5322.From domain of an inbound message.  The retrieved policy is then applied for this domain and all subdomains according to policy.  If a record does not exist at that location, an Organizational Domain is determined and the record is retrieved from that location and policy is applied to the organizational domain and all subdomains according to policy.  In both cases, the sp= parameter (if present - it is optional) is used to differentiate policy applied to subdomains.

How to determine the appropriate approach?

Since the protocol allows for a separate policy to be applied at the organizational and subdomain level, how and why would you utilize this?  The first step is to determine if a valid email is sent using subdomains.  If not, you can quickly prevent any abuse of the subdomains by specifying a reject policy in the organizational domain DMARC record (p=none; sp=reject).  Once you also achieve a reject posture on the organizational domain, the sp parameter may be removed as it would then be redundant with the overall p= directive.

Do you send valid email from subdomains of this organizational domain?

If valid email is sent from subdomains, decide if you can address all authentication issues simultaneously or if you must to address them separately, as in the case of a subdomain used for third party sending.  You will then want to publish specific DMARC records for each of your subdomains first and include the sp=none in your organizational domain record to prevent unanticipated results. 

*Remember: if a specific policy record for a subdomain does not exist in DNS, the policy from the organizational domain will be applied.

The fundamental issue is that if you must use subdomain policy to differentiate, you must take care to publish a policy for all domains which differ from the organizational domain policy OR subdomain policy to avoid confusion. 

Thankfully, the Agari portal will tell you when a policy is specifically published or inherited from an organizational domain,  If the subdomain DMARC policy is inherited it will be bracketed '[  ]' on the domain status screen.

In the example below, the specific subdomain DMARC policy may be set different from the organizational domain.


For further information on our DMARC tool, please review the following article:

For further information on configuring subdomains and organizational domains, please review:

For further DMARC information, please review more of our articles and/or visit:


Have more questions? Submit a request


Please sign in to leave a comment.
Powered by Zendesk