How does authentication alignment change after subdomain setup?
Authentication for subdomains:
SPF:
Can use same mechanisms if sending from same IPs
Or create subdomain-specific SPF
Both work, subdomain-specific is cleaner
DKIM:
Need DKIM selector for subdomain
ESP usually provides subdomain-specific keys
Sign with d= matching From domain
DMARC:
DMARC at root domain covers subdomains (sp= policy)
Or create subdomain-specific DMARC
Alignment must match From header domain
Alignment rules:
If From is marketing.tidalmail.com, DKIM d= or SPF Return-Path must align
Relaxed alignment allows organizational domain match
Strict alignment requires exact match
Each division needs its own credentials that match its identity.
Was this answer helpful?
Thanks for your feedback!