DMARC Record for Subdomains

DMARC records can be implemented separately on subdomains, however this can get a little complicated.

For an email sent from, the DMARC record on the subdomain will take precedence over the Top Level Domains’ ( DMARC record. However, for an email sent from, the DMARC record of will not apply, rather the DMARC record on the main domain ( will apply here.

For an email sent by a subdomain, that subdomain’s DMARC record applies. But a subdomain DMARC record doesn’t apply to it’s further subdomains (subdomains of the subdomain).

Consider the following example ‘from addresses’ along with the DMARC query performed by the recipients.

alt text

The first scenario is the most simplest, where the From domain is a TLD (, and hence the domain being queried for authentication of the DMARC record.

The second scenario is where the subdomain,, is being used to send emails. The recipient will first query the DMARC record, if any, at the subdomain level. If no DMARC record is found, then it will query the TLD ( and verify that DMARC record.

The third scenario can be a little tricky. The email is being sent from a subdomain of the subdomain,, where the recipient MailServer would first query the DMARC record on the subdomain level If no DMARC is found, the second DMARC query will be on the TLD,, instead of the subdomain

In short, DMARC can be configured separately on a subdomain. However, it will not apply to a subdomain of the subdomain.