What is a domain trust tree?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
Imagine your company runs a main brand at company.com, a marketing subdomain at news.company.com, and a transactional sender at receipts.company.com. You might think of these as completely separate sending identities. In practice, they're connected in ways that can hurt you.
That web of connections is what a domain trust tree maps out. It's a way of visualizing every relationship that links your sending domains together and understanding which reputation signals can flow between them.
The tree has a few key layers.
Root domains sit at the top. Your root domain (company.com) sets the baseline. Subdomains branch off from it and often inherit signals from the root, especially when mailbox providers evaluate the alignment between your envelope, header, and authentication records.
Shared infrastructure creates invisible connections even between domains you've kept separate. If two domains send through the same IP pool or the same ESP account, those links exist whether you mapped them or not. A reputation hit on one can pull the other down.
Link and tracking domains are the most overlooked branch. If your marketing emails use click.company.com as a tracking redirect, that subdomain is now part of your trust tree. If it gets flagged, the flag follows your links back to the sender.
The reason this matters comes down to reputation inheritance. Mailbox providers don't always evaluate each domain in a vacuum. They look at context. A subdomain with clean history can be dragged down if the root domain starts generating spam complaints. And a root domain can absorb damage from a poorly managed subdomain that was never fully isolated.
Mapping your trust tree helps you find two things: contamination pathways (where reputation damage can spread) and isolation gaps (places you assumed were separate but actually share infrastructure or DNS). Both of these show up in deliverability problems that are genuinely hard to diagnose without the map.
Still one common contamination scenario worth watching for: a company uses the same ESP account for both marketing and transactional sends without separating the streams. A complaint spike from a promotional campaign drags down the transactional reputation. Receipts and password resets start landing in spam. The trust tree would have shown the connection before the problem hit.
If you want to check where your domains sit right now, our free Email Header Analyzer can show you how your authentication chains are connected across a real send. Or if you'd rather walk through the full picture with a human, drop us a message via the SOS line and we'll help you map it out.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.