DMARC for Multiple Domains
Overview
Many organisations have more than one domain — a primary domain, regional variants, product brands, recently acquired companies, or parked domains that don't send email at all. DMARC needs to be configured for each one.
Why every domain needs DMARC
Attackers don't just spoof your primary domain. They also target:
- Subdomains of your primary domain
- Domains you own but don't actively use
- Recently acquired company domains
- Geographic variants (yourcompany.co.uk, yourcompany.de, etc.)
A parked domain with no email activity and no DMARC record is a free spoofing opportunity. Attackers can send email from [email protected] with no restrictions.
Subdomains
Your DMARC policy covers your root domain. What about subdomains?
By default, your root DMARC policy applies to subdomains that don't have their own DMARC record. But you can set a different policy for subdomains using the sp= tag.
```
_dmarc.yourdomain.com TXT "v=DMARC1; p=reject; sp=reject; rua=mailto:[email protected]"
```

| Tag | Applies to |
|---|---|
| p= | The root domain (yourdomain.com) |
| sp= | All subdomains that don't have their own DMARC record |
When to use sp= differently from p=
Start monitoring before root enforcement: If you need more time to audit subdomain senders before enforcing on them, keep the root at reject while subdomains stay at quarantine:

```
p=reject; sp=quarantine
```

Sending subdomains need their own records: If a subdomain actively sends email (e.g., marketing.yourdomain.com), give it its own DMARC record:

```
_dmarc.marketing.yourdomain.com TXT "v=DMARC1; p=reject; rua=mailto:[email protected]"
```

Parked domains (no email sent)
For domains you own but don't use for email, publish a restrictive DMARC record to prevent spoofing:

```
_dmarc.parked-domain.com TXT "v=DMARC1; p=reject; rua=mailto:[email protected]"
```

Also publish a null SPF record to explicitly say no email should come from this domain:

```
parked-domain.com TXT "v=spf1 -all"
```

And add a null MX record:

```
parked-domain.com MX 0 .
```

This tells the world: nothing sends email from this domain, and anyone who claims to is lying.
Multiple active domains
For each domain you actively use for email, the full authentication setup applies:
- SPF record with all authorised senders
- DKIM configured for each sending service
- DMARC record starting at p=none, progressing to p=reject
Use DMARC+ to manage and monitor all domains in one place. The Dashboard's Domain filter lets you see data for each domain independently.
Acquired company domains
When you acquire a company, their domain needs immediate attention:
- If they're still actively sending email: Audit their authentication setup and begin the DMARC progression
- If email is being migrated to your primary domain: Publish a restrictive DMARC, SPF, and MX record on the old domain once migration is complete
- If the domain is being retired: Publish null SPF (-all), null MX, and p=reject DMARC before the domain goes dark
Don't wait. An acquired domain with no DMARC and no active email monitoring is an active attack surface.
Domain inventory checklist
Before deploying DMARC organisation-wide, build a complete inventory:
| Domain | Purpose | Sends email? | DMARC status | Notes |
|---|---|---|---|---|
| yourcompany.com | Primary | Yes | p=reject | |
| yourcompany.co.uk | Regional | Yes | In progress | |
| yourcompany.de | Regional | No | p=reject (parked) | |
| old-brand.com | Retired acquisition | No | p=reject (parked) | |
| marketing.yourcompany.com | Subdomain | Yes | Has own record | Mailchimp only |
Work through the list systematically. Start with your primary domain, then active secondary domains, then parked domains.
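As an added example (not part of this page or of DMARC+), the following Python audit checks each inventory row against the rules above: the policy a receiver actually applies to a subdomain (its own record, else the parent's sp=, else the parent's p=), and null SPF plus null MX for domains that send no email. The DNS answers are constructed inline so it runs offline; the domain names and the walk-up-the-tree approximation of the organisational domain are assumptions for illustration.

```python
# Constructed sample DNS data (not live lookups), keyed by (name, record type).
DNS = {
    ("_dmarc.yourcompany.com", "TXT"): ["v=DMARC1; p=reject; sp=quarantine; rua=mailto:reports@example.invalid"],
    ("yourcompany.com", "TXT"): ["v=spf1 include:_spf.example.invalid -all"],
    ("yourcompany.com", "MX"): ["10 mail.example.invalid."],
    ("_dmarc.marketing.yourcompany.com", "TXT"): ["v=DMARC1; p=reject"],
    ("_dmarc.yourcompany.de", "TXT"): ["v=DMARC1; p=reject"],
    ("yourcompany.de", "TXT"): ["v=spf1 -all"],
    ("yourcompany.de", "MX"): ["0 ."],
    # old-brand.com got a DMARC record, but its SPF and MX were never nulled after retirement
    ("_dmarc.old-brand.com", "TXT"): ["v=DMARC1; p=reject"],
    ("old-brand.com", "TXT"): ["v=spf1 +all"],
    ("old-brand.com", "MX"): ["10 mail.old-brand.invalid."],
}

def lookup(name, rtype):
    return DNS.get((name, rtype), [])

def parse_dmarc(domain):
    """Tags of the DMARC record at _dmarc.<domain> as a dict, or None if absent."""
    for txt in lookup(f"_dmarc.{domain}", "TXT"):
        if txt.lower().startswith("v=dmarc1"):
            return dict(kv.strip().split("=", 1) for kv in txt.split(";") if "=" in kv)
    return None

def effective_policy(domain):
    """Policy a receiver applies: the domain's own p=, else an ancestor's sp=, else that ancestor's p=."""
    own = parse_dmarc(domain)
    if own:
        return own.get("p", "none")
    labels = domain.split(".")
    # Walk up the name tree (simplification: real receivers use the organisational domain from the PSL).
    for i in range(1, len(labels) - 1):
        parent = parse_dmarc(".".join(labels[i:]))
        if parent:
            return parent.get("sp", parent.get("p", "none"))
    return "none"  # no record anywhere: the domain is unprotected

def audit(domain, sends_email):
    """Findings for one inventory row; an empty list means the row meets the rules above."""
    findings = []
    if effective_policy(domain) != "reject":
        findings.append("DMARC not at p=reject")
    if not sends_email:  # parked or retired domains also need null SPF and null MX
        if "v=spf1 -all" not in lookup(domain, "TXT"):
            findings.append("missing null SPF (v=spf1 -all)")
        if lookup(domain, "MX") != ["0 ."]:
            findings.append("missing null MX (0 .)")
    return findings
```

Swapping lookup() for a real resolver query turns this into a live check of the inventory table.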