
My domain configuration has one domain and three subdomains, one of which is identical to the mail server's hostname:

  • example.com
  • sales.example.com
  • internal.example.com
  • mail.example.com

I initially configured MX, SPF, DKIM and DMARC DNS records for all four domains, which works well.

But according to some DMARC tutorials, setting a DMARC policy for the base domain (with an sp tag) should cover all subdomains. When I rely on a single DMARC policy (for example.com), though, my mail provider's DMARC results refer to an undefined DMARC policy for subdomain mails. Why is the base domain's DMARC policy not used in this case?

I also tried to simplify the MX and SPF entries using wildcards:

*.example.com 3600 IN MX 10 mail.example.com
*.example.com 3600 IN TXT "v=spf1 mx -all"

but this leads to SPF fails. Why is that? Shouldn't the entries quoted above handle my existing subdomains?

Comments:

  • Regarding the SPF wildcard question, have you read rfc-editor.org/rfc/rfc7208#section-3.5 on wildcard records?
    – glts
    Commented Mar 28 at 21:03
  • I read it now (thanks for the pointer), and understand that I should avoid wildcards if possible, and it is certainly possible in my simple setup. However, an answer to a similar question (serverfault.com/a/1129784/101389) recommends using wildcard SPF records to prevent subdomain spoofing, and this seems reasonable.
    – janeden
    Commented Mar 30 at 18:45
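The two lookups the question turns on (DMARC policy discovery with its organizational-domain fallback, and DNS wildcard matching as RFC 7208 section 3.5 describes it) can be reproduced offline against a constructed zone. This is an added illustration, not code from the question or its comments; the zone contents are made up to mirror the setup described above, and the organizational domain is passed in explicitly rather than derived from the Public Suffix List.

```python
# Constructed in-memory zone (owner name -> rrtype -> rdata); not real DNS.
ZONE = {
    "example.com.":        {"A": ["192.0.2.10"], "MX": ["10 mail.example.com."],
                            "TXT": ["v=spf1 mx -all"]},
    "mail.example.com.":   {"A": ["192.0.2.25"]},          # exists: no wildcard
    "_dmarc.example.com.": {"TXT": ["v=DMARC1; p=reject; sp=quarantine"]},
    "*.example.com.":      {"MX": ["10 mail.example.com."], "TXT": ["v=spf1 mx -all"]},
}

def lookup(name, rrtype):
    """Answer like an authoritative server. A wildcard is only synthesised for
    a name that does not exist in the zone (RFC 4592, cited by RFC 7208 s3.5);
    an existing name such as mail.example.com never inherits *.example.com."""
    name = name.lower().rstrip(".") + "."
    if name in ZONE:
        return ZONE[name].get(rrtype, [])
    labels = name.split(".")
    for i in range(1, len(labels) - 1):          # walk up to the closest encloser
        ancestor = ".".join(labels[i:])
        if ancestor in ZONE:
            return ZONE.get("*." + ancestor, {}).get(rrtype, [])
    return []

def spf_record(domain):
    """The single v=spf1 TXT record for domain, or None (SPF result 'none')."""
    recs = [t for t in lookup(domain, "TXT") if t.startswith("v=spf1")]
    return recs[0] if len(recs) == 1 else None

def dmarc_policy(from_domain, org_domain):
    """RFC 7489 s6.6.3 policy discovery. org_domain is passed in explicitly
    (assumption: a real receiver derives it from the Public Suffix List)."""
    def fetch(d):
        recs = [t for t in lookup("_dmarc." + d, "TXT") if t.startswith("v=DMARC1")]
        return recs[0] if len(recs) == 1 else None   # 0 or >1 records: no policy
    rec = fetch(from_domain)
    inherited = rec is None and from_domain != org_domain
    if inherited:
        rec = fetch(org_domain)                      # fall back to the org domain
    if rec is None:
        return None
    tags = dict(kv.strip().split("=", 1) for kv in rec.split(";") if "=" in kv)
    # A subdomain covered only by the org record takes 'sp', else 'p'.
    return tags.get("sp", tags.get("p")) if inherited else tags.get("p")

if __name__ == "__main__":
    for d in ("example.com", "sales.example.com", "mail.example.com"):
        print(d, "SPF:", spf_record(d), "DMARC:", dmarc_policy(d, "example.com"))
```

Running it shows sales.example.com picking up both the wildcard SPF record and the sp=quarantine policy from example.com, while mail.example.com, which already exists with an A record, gets neither the wildcard TXT nor the wildcard MX.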
