How do subdomain alignments inherit policy?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

You're sending from a subdomain like newsletter@mail.yourcompany.com, and you're wondering if your parent domain's DMARC policy covers it automatically. The answer depends on what you've published.

DMARC policy inheritance is real, but limited. If your subdomain (mail.yourcompany.com) doesn't have its own DMARC record, it inherits the policy from yourcompany.com. The "p=" tag in your root domain tells both. So if your root says "p=reject," that applies to mail.yourcompany.com too, unless you've set a different subdomain policy with the "sp=" tag.

But here's the catch: inheritance only works for policy. SPF and DKIM don't inherit automatically. They're separate records. If you're sending from mail.yourcompany.com, that subdomain needs its own SPF record (or to be explicitly included in your root SPF with an include directive). It also needs its own DKIM signing keys published in DNS at mail._domainkey.yourcompany.com.

When do you use the sp= tag? Use it when you want subdomains to have a different policy than your root. Maybe your root is "p=reject" but you've got a marketing subdomain that isn't ready for reject yet. Set "sp=quarantine" just for subdomains.

Check your setup. See how policy alignment actually works when SPF and DKIM send separately. Use our DMARC parser to see whether your authentication chain is complete across subdomains.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Verify subdomain authentication setup

I'm sending from a subdomain. Does my parent domain's DMARC policy apply? Do I need to set up SPF and DKIM separately for each subdomain?

Edit the yellow boxes, then send to the AI of your choice.