Implementing Domain-based Message Authentication, Reporting, and Conformance (DMARC) is a crucial step in securing email communication for organisations. However, when subdomains come into play, the configuration and management of DMARC policies require additional considerations and are often overlooked. This post aims to help you understand how DMARC works with subdomains.
A DMARC DNS record applied to a domain also affect any subdomains, unless a subdomain has its own DMARC DNS record. This means that if example.com has a DMARC record, it influences how email servers handle emails from crm.example.com, unless crm.example.com has its own DMARC DNS record.
N.B. Not to be confused with alignment mode, which specifies how a recipient mail server should determine if a SPF pass or DKIM pass is aligned with the Header From domain and therefore if the message is DMARC compliant.
What we are referring to in this post is what a recipient mail server will do to do to if a message is DMARC non-compliant.
1. Default Inheritance: By default, subdomains inherit the DMARC policy of the parent domain. If the parent domain's DMARC policy is set to reject (`p=reject`), this policy applies to all subdomains.
2. Specifying Subdomain Policies: To define a different policy for any subdomains, use an `sp=` tag in the DMARC DNS record. For example, `sp=quarantine` applies a quarantine policy to all subdomains, regardless of the `p=` policy.
3. Creating Specific Subdomain Records: For more granular control, you can create a separate DMARC record for a specific subdomain. This allows MSPs and IT teams to apply customised policies to individual subdomains, independent of the parent domain's DMARC policy. The most important consideration for a separate subdomain DMARC record is it will override the RUA report destination. An example of where this could be useful is if a subdomain is outsourced for an application and managed by a contractor who should monitor DMARC compliance independently.
1. Assess Your Email Infrastructure: Identify all subdomains used for sending emails and determine if they require a different DMARC policy or RUA report destination from the parent domain. VerifyDMARC will automatically show subdomain activity separately in the Dashboard, where the subdomain does not have its own DMARC record.
2. Define Policies Based on Use Cases: Consider the role of each subdomain in your email ecosystem. Marketing, transactional emails, and internal communications might have different security and deliverability requirements. And subdomains may be monitored or managed by separate teams or contractors who need to have discrete access to the DMARC reports for their responsibility.
3. Monitor and Adjust: After defining DMARC policies for subdomains, continuously monitor DMARC reports to assess their impact on email deliverability and security. Adjust policies as needed to optimise protection and ensure legitimate emails are not impacted.
Effectively managing DMARC policies for subdomains is critical in extending your organisation's email security framework. By understanding the inheritance and customisation options available within DMARC, MSPs and IT teams can ensure that both main domains and subdomains are protected against email spoofing and phishing attacks. Remember, the goal is to implement a DMARC policy that not only secures your email domain but also supports the diverse operational needs of different subdomains, ultimately safeguarding your organisation's reputation and email communication integrity.
Ensuring the legitimacy and accuracy of DMARC reports is critical to avoid wasting resources or making poor security decisions based on faulty data.
Protecting your email communications shouldn’t come at the expense of privacy and security for your organisation, employees, customers and suppliers.
Microsoft issued an advisory (EX765789) notifying admins some Exchange Online mail to third-party email accounts is failing, we go through the steps to fix this if you are affected.