Subdomains and DMARC — Don't Leave the Back Door Open
· DMARC Analyzer Pro
Your main domain is protected, but what about subdomains? Learn why subdomain DMARC policy matters and how to secure every part of your domain.
You've spent weeks getting your primary domain to `p=reject`. SPF is clean, DKIM is signing properly, and your reports look healthy. But have you checked your subdomains? Attackers know that organisations focus on their main domain and often leave subdomains unprotected — making them an easy spoofing target.
How DMARC handles subdomains
DMARC includes a `sp=` tag specifically for subdomain policy. If you don't set it, any subdomain that has no DMARC record of its own inherits the `p=` policy from your organisational domain. This means if your main domain is at `p=reject` without an `sp=` tag, your subdomains are also at reject, which sounds good until you realise it might be blocking legitimate subdomain email you didn't account for.
Conversely, if your organisational domain is at `p=none` because you're still in the monitoring phase, all your subdomains are also at `p=none` — including subdomains that don't send email at all and should be locked down immediately.
The subdomain spoofing problem
Attackers love subdomains because they look trustworthy. An email from `support.yourcompany.com` or `billing.yourcompany.com` carries nearly the same weight as one from `yourcompany.com` in the eyes of most recipients. If these subdomains don't have their own DMARC policy or inherit a weak one, they're wide open for spoofing.
The most dangerous subdomains are the ones that don't send email. Since no legitimate email originates from them, there's no risk of false positives — they can and should be locked down immediately with their own `p=reject` record, a null SPF record (`v=spf1 -all`), and no DKIM keys.
Strategy for subdomain protection
Start by inventorying every subdomain that exists in your DNS. Categorise them into three groups: subdomains that actively send email, subdomains that might send email in the future, and subdomains that should never send email.
For active sending subdomains, follow the same phased DMARC deployment approach as your main domain — monitor, remediate, and enforce. Each subdomain can have its own DMARC record with its own policy, independent of the organisational domain.
For non-sending subdomains, publish restrictive records immediately. There's no downside to rejecting all email from a subdomain that shouldn't be sending any.
For the organisational domain, use the `sp=` tag strategically. Setting `sp=reject` while your main domain is still at `p=quarantine` or `p=none` lets you lock down subdomains aggressively while still working through your main domain's enforcement journey.
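The inheritance rules above (own record first, then the organisational domain's `sp=`, then its `p=`) and the lockdown check for non-sending subdomains, as an added example that is not part of the original article or the DMARC Analyzer Pro product. It resolves against a constructed in-memory zone instead of live DNS, and the `org_domain` helper assumes a two-label organisational domain rather than consulting the Public Suffix List.

```python
# Constructed sample zone (TXT records by name); example data only.
ZONE = {
    "_dmarc.example.com": "v=DMARC1; p=quarantine; sp=reject; rua=mailto:dmarc@example.com",
    "_dmarc.mail.example.com": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "example.com": "v=spf1 include:_spf.example.net -all",
    "parked.example.com": "v=spf1 -all",
}


def parse_dmarc(txt):
    """Parse a DMARC TXT record into a tag dict; None if it is not DMARC."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else None


def org_domain(name):
    # Assumption: the last two labels form the organisational domain. A real
    # resolver must use the Public Suffix List (think example.co.uk).
    return ".".join(name.split(".")[-2:])


def effective_policy(domain, zone=ZONE):
    """Return (policy, source) per RFC 7489 s6.6.3: the domain's own record
    wins; otherwise the org domain's sp= applies, then its p=; else none."""
    own = parse_dmarc(zone.get(f"_dmarc.{domain}", ""))
    if own:
        return own.get("p", "none"), "own"
    org = org_domain(domain)
    parent = parse_dmarc(zone.get(f"_dmarc.{org}", "")) if org != domain else None
    if not parent:
        return "none", "none"          # no record anywhere: unprotected
    if "sp" in parent:
        return parent["sp"], "sp"      # subdomain policy tag overrides p=
    return parent.get("p", "none"), "p"


def non_sending_gaps(subdomain, zone=ZONE):
    """List what a never-sends subdomain still lacks: an explicit p=reject
    DMARC record of its own and a null SPF record (v=spf1 -all)."""
    gaps = []
    own = parse_dmarc(zone.get(f"_dmarc.{subdomain}", ""))
    if not own or own.get("p", "").lower() != "reject":
        gaps.append("dmarc")
    spf = zone.get(subdomain, "").lower().split()
    if spf != ["v=spf1", "-all"]:
        gaps.append("spf")
    return gaps
```

Note that `parked.example.com` already inherits `sp=reject`, yet the gap check still asks for an explicit record: the inheritance silently disappears the day someone relaxes the organisational `sp=`.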
Monitoring subdomain activity
Your DMARC aggregate reports include data for all subdomains, not just your main domain. Pay attention to authentication results for subdomains — unexpected sending activity from a subdomain that shouldn't be sending email is a strong indicator of either misconfiguration or active spoofing.
DMARC Analyzer Pro provides per-subdomain dashboards and alerting, giving you granular visibility into every part of your domain's email ecosystem. Because protecting your front door doesn't count for much if the back door is wide open.