---
title: "How DMARC Manages Domains and Subdomains to Prevent Spoofing? | DuoCircle"
description: "Businesses are now being mindful of protecting their domains with SPF, DKIM, and DMARC, but what about the times when you send emails from your subdomains?"
image: "https://www.duocircle.com/images/og-default.png"
canonical: "https://www.duocircle.com/blog/dmarc/how-dmarc-manages-domains-and-subdomains-to-prevent-spoofing/"
---

Quick Answer

DMARC handles subdomains using a two-step DNS lookup. The receiving server first queries \_dmarc at the exact From-header domain (for example, \_dmarc.xyz.testing.com). If no record exists, it derives the organizational domain by trimming back to one label past the public suffix and queries \_dmarc there (for example, \_dmarc.testing.com). The first match wins; intermediate domains in the tree are ignored. The organizational-domain record applies its sp= tag to subdomains that have no DMARC record of their own. So a record at \_dmarc.testing.com covers finance@xyz.testing.com via the second lookup, but a record at \_dmarc.xyz.testing.com does not cover help@abc.xyz.testing.com because that intermediate level is never queried.

How DMARC Manages Domains and Subdomains to Prevent Spoofing?


![DMARC](https://media.mailhop.org/duocircle/images/2024/06/spf-record-generator.jpg) 

Businesses are now being mindful of protecting their domains with [SPF](/content/spf-record-check), [DKIM](/resources/what-is-dkim), and [DMARC](/email/dmarc), but what about the times when you send emails from your subdomains? As a domain owner or administrator, you create a DMARC record that instructs email-receiving servers how to evaluate incoming emails from your domain to check their legitimacy. This process is straightforward when only the main domain is involved, but it gets a bit complicated with the **involvement of subdomains**.

To do this, a recipient’s mail server makes a query to retrieve the DMARC record. _Managing DMARC policies for both primary domains and subdomains from a **unified framework** simplifies policy enforcement and management._ This helps in ensuring that all email communications are authenticated in a consistent manner.

Read this blog to understand **how DMARC deals** with domains and [subdomains](/dmarc/what-is-the-dmarc-sp-tag-for-subdomains/) in senders’ email addresses. 

## How Recipients’ Mail Servers Query DMARC Records for Evaluating Emails’ Authenticity?

This is how the process unfolds:

- The recipient’s server searches for the DMARC record corresponding to the sender’s domain found in the [RFC5322 From address](https://dmarc.org/2016/07/how-many-from-addresses-are-there/).
- It makes a **maximum of two DNS requests** to find the corresponding [DNS record](/data-privacy/dns-record-types-defined-and-explained/).
- _When the sender’s email address has a subdomain in it for which **no policy is applied**, then it is subjected to the policy applied to the parent domain._ In the context of DMARC, a ‘**parent domain**’ is the main domain, such as ‘testing.com’, and a ‘subdomain’ is a domain that is part of the main domain, such as ‘subdomain.testing.com’. In this case, the [DMARC policy](/resources/dmarc-policy) for any other domain in the tree is ignored.

Let’s **understand this better** through examples where the sending addresses are on the testing.com domain or its subdomains. 

### DMARC Record Subdomain Lookup

| From Address                                                | From Domain          | First DMARC Record Domain   |
| ----------------------------------------------------------- | -------------------- | --------------------------- |
| [employee@testing.com](mailto:employee@testing.com)         | testing.com          | \_dmarc.testing.com         |
| [finance@xyz.testing.com](mailto:finance@xyz.testing.com)   | xyz.testing.com      | \_dmarc.xyz.testing.com     |
| [help@abc.xyz.testing.com](mailto:help@abc.xyz.testing.com) | abc.xyz.testing.com  | \_dmarc.abc.xyz.testing.com |

_This process stops if the recipient’s **server locates a DMARC record** corresponding to the testing.com domain in the first attempt_. It doesn’t generate more queries and the DMARC record is retrieved from DNS for the testing.com domain and is used for the authentication process. 

However, another attempt is made if no [DMARC record](/resources/create-dmarc-records) is found in the first query. DMARC introduces the **notion of the organizational domain** to determine the second location. 

To determine the organizational domain, the receiving server takes the **domain from the ‘From’ address**. Then, it checks the [public suffix list](https://www.publicsuffix.org/) for the largest suffix in the domain. For [TLDs](https://en.wikipedia.org/wiki/Top-level%5Fdomain) like .com and .edu, the suffix is the TLD itself. _Lastly, it retains **one label after the public suffix** and discards the rest._

See an example based on the above:

| Email Address                                               | Organizational Domain                       |
| ----------------------------------------------------------- | ------------------------------------------- |
| [finance@xyz.testing.com](mailto:finance@xyz.testing.com)   | testing.com                                 |
| [other@anothertesting.org](mailto:other@anothertesting.org) | anothertesting.org                          |
| [new@abc.help.co.uk](mailto:new@abc.help.co.uk)             | abc.help.co.uk (co.uk is the public suffix) |

Now, let’s see the above example again and figure out if the recipient’s mail server can make a second [DNS request](https://www.cloudns.net/wiki/article/254/) in each case. If yes, then **which domain** is going to get checked:

| From Address             | Organizational Domain | Second Lookup (yes or no) | Second DMARC Record Check |
| ------------------------ | --------------------- | ------------------------- | ------------------------- |
| employee@testing.com     | testing.com           | No                        | N/A                       |
| finance@xyz.testing.com  | testing.com           | Yes                       | \_dmarc.testing.com       |
| help@abc.xyz.testing.com | testing.com           | Yes                       | \_dmarc.testing.com       |

### DMARC Record Second Lookup

In this second scenario, a second lookup is made on the presumption that **no record was found on the first lookup**. _So, when a DMARC record is defined on \_dmarc.testing.com, the policy of that DMARC record will be applied to the email._

[![DMARC](https://media.mailhop.org/duocircle/images/2024/06/cross-tenant-migration-office-365-1.jpg)](https://media.mailhop.org/duocircle/images/2024/06/cross-tenant-migration-office-365-1.jpg)

### DMARC Subdomain Lookup

This scenario is confusing because, in the second case, a second DNS query is made against the **\_dmarc.testing.com domain**. 

It’s important to note that although abc.xyz.testing.com is a subdomain of xyz.testing.com, there is no DMARC record lookup against \_dmarc.xyz.testing.com. Therefore, even if a DMARC record exists at \_dmarc.xyz.testing.com, it **will not apply to this message**.
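The two-step discovery described above, as an added example that is not DuoCircle's code: it derives the organizational domain, issues at most two lookups, and applies `sp=` when the record comes from the organizational domain (falling back to `p=` when `sp=` is absent). `PUBLIC_SUFFIXES`, `ZONE`, the `example.co.uk` record and all function names are constructed assumptions standing in for the real public suffix list and live DNS.

```python
# Constructed stand-in for the public suffix list (assumption, not the real list).
PUBLIC_SUFFIXES = {"com", "org", "uk", "co.uk"}

# Constructed TXT records standing in for DNS (assumption).
ZONE = {
    "_dmarc.testing.com": "v=DMARC1; p=reject; sp=quarantine",
    "_dmarc.xyz.testing.com": "v=DMARC1; p=none",
    "_dmarc.example.co.uk": "v=DMARC1; p=quarantine",
}


def organizational_domain(domain):
    """Longest matching public suffix plus one label to its left."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):          # longest candidate suffix first
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            # i == 0 means the name is itself a public suffix: no org domain.
            return ".".join(labels[i - 1:]) if i > 0 else None
    return None                           # suffix not in our constructed list


def parse_tags(record):
    """Split 'v=DMARC1; p=reject' into {'v': 'DMARC1', 'p': 'reject'}."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def discover_policy(from_address, zone=ZONE):
    """Return (queries_made, record_name_used, policy_applied)."""
    domain = from_address.rsplit("@", 1)[1].lower()
    queries = [f"_dmarc.{domain}"]        # lookup 1: exact From domain
    used, via_org = queries[0], False
    record = zone.get(used)
    if record is None:
        org = organizational_domain(domain)
        if org and org != domain:         # lookup 2: organizational domain only
            used, via_org = f"_dmarc.{org}", True
            queries.append(used)
            record = zone.get(used)
    if record is None:
        return queries, None, None        # no DMARC policy published
    tags = parse_tags(record)
    # A subdomain covered by the org-domain record gets sp=, else p=.
    policy = tags.get("sp", tags.get("p")) if via_org else tags.get("p")
    return queries, used, policy


if __name__ == "__main__":
    for addr in ("employee@testing.com", "finance@xyz.testing.com",
                 "help@abc.xyz.testing.com", "billing@mail.shop.example.co.uk"):
        print(addr, discover_policy(addr))
```

In this constructed zone, `help@abc.xyz.testing.com` ends up under the `sp=quarantine` of `_dmarc.testing.com`; the `p=none` record at `_dmarc.xyz.testing.com` is never queried for it.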

## Fortify Against Phishing and Spoofing with DuoCircle

We at [DuoCircle](/) aim to simplify the process of understanding, deploying, and managing DMARC and its companions, SPF and DKIM, making them accessible for companies that don’t want to onboard extensive technical expertise. Our [DMARC reports](/resources/dmarc-aggregate-report) are not in the complex [XML language](https://www.techtarget.com/whatis/definition/XML-Extensible-Markup-Language); rather, **we create them in simple English** that anyone can understand; you don’t have to be a tech ninja.

[![email security issues](https://media.mailhop.org/duocircle/images/2024/06/SMTP-server-mail-6712.jpg)](https://media.mailhop.org/duocircle/images/2024/06/SMTP-server-mail-6712.jpg)

[Talk to us](/contact) and see how we offer **real-time monitoring and alerts**, allowing you and our team to collectively respond to potential [email security issues](https://www.forbes.com/sites/daveywinder/2024/04/04/critical-security-flaw-in-apple-icloud-google-gmail-microsoft-outlook-yahoo-mail-aol-mail-email/). Also, feel free to scroll through our [ebook](/phishing-protection-guide-best-practices-ebook) on **best email security practices** for small and medium businesses.


Brad Slavin 

General Manager

General Manager at DuoCircle. Product strategy and commercial lead across the email security portfolio.

