FAQ

Can I monitor subdomains with DMARC?

Yes. Subdomains inherit your organisational DMARC policy unless overridden with sp= or given their own _dmarc record. Here's how to control and monitor them.

Last updated 14 June 2026

Yes - and it's worth doing, because attackers often spoof subdomains (like mail.example.com or news.example.com) precisely because people forget about them.

How subdomain policy works

There are three ways a subdomain's DMARC behaviour is decided:

  1. Inheritance (default). If a subdomain has no _dmarc record of its own, it inherits the organisational domain's policy. So a policy on _dmarc.example.com automatically covers news.example.com.
  2. The sp= tag. On your organisational _dmarc record you can set a separate subdomain policy with sp=. This lets you treat subdomains differently from the top-level domain:

v=DMARC1; p=reject; sp=quarantine; rua=mailto:<token>@rua.blankitt.com

Here the apex domain is at reject while all subdomains (without their own record) are at quarantine. If you omit sp=, subdomains simply follow p=.

  3. A dedicated _dmarc record on the subdomain. Publish a separate record at _dmarc.news.example.com to give that subdomain its own fully independent policy and reporting:

v=DMARC1; p=none; rua=mailto:<token>@rua.blankitt.com

A record on the subdomain overrides both inheritance and the parent's sp=.
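The precedence described above (own record, then the parent's sp=, then the parent's p=) can be checked with a short resolver. This is an added example, not Blankitt's code; the function names are hypothetical, the organisational domain is passed in by the caller rather than derived from the Public Suffix List, and the TXT records are a constructed sample built from the two records shown on this page.

```python
def parse_dmarc(txt):
    """Return the record's tags as a dict, or None if it is not a usable DMARC record."""
    tags = {}
    for part in (txt or "").split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    # Simplification for this example: require both v=DMARC1 and an explicit p= tag.
    return tags if tags.get("v") == "DMARC1" and "p" in tags else None


def effective_policy(domain, org_domain, txt_records):
    """Resolve which policy applies to `domain` and which record supplied it.

    org_domain is supplied by the caller (assumption: receivers derive it from
    the Public Suffix List). txt_records maps DNS names to TXT values.
    """
    domain = domain.lower().rstrip(".")
    org_domain = org_domain.lower().rstrip(".")
    own = parse_dmarc(txt_records.get("_dmarc." + domain))
    if own:  # a record on the name itself overrides inheritance and the parent's sp=
        return {"policy": own["p"].lower(), "source": "own record", "rua": own.get("rua")}
    if domain == org_domain:
        return None  # the apex has no parent to inherit from
    org = parse_dmarc(txt_records.get("_dmarc." + org_domain))
    if org is None:
        return None  # no DMARC coverage at all
    if "sp" in org:
        return {"policy": org["sp"].lower(), "source": "parent sp=", "rua": org.get("rua")}
    return {"policy": org["p"].lower(), "source": "parent p=", "rua": org.get("rua")}


def audit(names, org_domain, txt_records):
    """Map each name to (policy, source) so forgotten subdomains stand out."""
    report = {}
    for name in names:
        result = effective_policy(name, org_domain, txt_records)
        report[name] = (result["policy"], result["source"]) if result else (None, "no DMARC record")
    return report


# Constructed sample zone: apex record with sp=, plus a dedicated record on news.
RECORDS = {
    "_dmarc.example.com": "v=DMARC1; p=reject; sp=quarantine; rua=mailto:<token>@rua.blankitt.com",
    "_dmarc.news.example.com": "v=DMARC1; p=none; rua=mailto:<token>@rua.blankitt.com",
}

if __name__ == "__main__":
    for name, result in audit(["example.com", "news.example.com", "mail.example.com"], "example.com", RECORDS).items():
        print(name, result)
```
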

Monitoring subdomains in Blankitt DMARC

  • Add each subdomain you want to track as its own entry on the Domains page. Each gets its own compliance Grade A-F, Compliance Scorecard, Policy Progression Wizard, and source-IP breakdown.
  • Point each subdomain's rua= (in its own _dmarc record) at your unique <token>@rua.blankitt.com address so you receive dedicated reports for it. If you rely on inheritance instead, the subdomain's mail is reported under the organisational domain.
  • The number of domains (and subdomains) you can add depends on your plan - Free covers 1, Starter 5, Pro 25, Business 100, with extra domains available as a £4/mo add-on on paid tiers. Each subdomain counts as a domain.

Start by giving active sending subdomains their own _dmarc record at p=none so you get clean, separate reporting while you align their senders. Use sp= on the apex to keep a safe default (e.g. sp=quarantine or sp=reject) for any subdomain you don't send from - this clamps down on spoofing of unused subdomains without affecting your real mail flow.
