SOBOO: Full Subdomain Delegation
This article expands on the “full delegation” approach described in the larger How to send DMARC-compliant email on behalf of others article. It assumes that the reader is sending email on behalf of others and wants to send such email in a manner compliant with DMARC.
Full delegation is when a domain owner publishes NS records for one of their subdomains that point to your own name servers. By doing so, any DNS-based questions about the subdomain (or any subdomains of the subdomain!) will be referred to your own name servers for resolution.
Additional explanations and examples of delegation:
- A ServerFault answer to What is a DNS delegation?
- Microsoft’s Understanding Zone Delegation
- DNS Made Easy’s tutorial on how to Create and Delegate a Subdomain
To accept delegation and manage the subdomain, you must operate your own name servers. When in place, you can configure your name servers to respond to any DNS-based questions related to the subdomain.
This allows you to:
- Send email using the domain-owner/customer’s organizational domain (the registered domain, e.g. customer.example) in email From: headers. The delegated subdomain provides DMARC-compliant authentication using SPF and DKIM because DMARC’s default “alignment mode” of “relaxed” only requires the organizational domains to match. Note that this depends on the domain owner keeping the default: if their DMARC record sets aspf=s or adkim=s (strict mode), mail authenticated under the subdomain no longer aligns with the parent domain in From:.
- Maintain email infrastructure using the subdomain. You can send and receive email using the subdomain by using the subdomain in RFC5321.MailFrom addresses (also known as bounce/return-path/envelope addresses) and by publishing MX records for the subdomain (so that people on the internet know where to send email that is destined for the subdomain).
- By directly managing the subdomain, you can publish and maintain a concise and accurate SPF record for the subdomain that only authorizes servers that you control. You will avoid having to deal with other people’s SPF records and the resulting confusion.
- By directly managing the subdomain, you can manage DKIM signing however you wish. You can create as many DKIM signing keys as needed, rotate them as you see fit, and avoid having to figure out how to communicate/manage keys with your customer/domain owner.
- You can even give your own IP addresses server names within the delegated subdomain (for example, the hostnames your mail servers present in EHLO), so that every piece of email sent by you on behalf of the domain owner/customer is thoroughly “white labeled.”
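The following is an added example, not code from the original article or from dmarcian, that makes the alignment point above concrete. It evaluates DMARC identifier alignment between a From: domain and the SPF (RFC5321.MailFrom) and DKIM (d=) domains under relaxed and strict modes, parses the aspf/adkim tags out of a DMARC record, and checks that a delegated subdomain’s SPF record is self-contained. The names customer.example and mail.customer.example are constructed for the example, and the organizational-domain lookup is a deliberate simplification (last two labels) of what a real evaluator does with the Public Suffix List.

```python
"""Added example (not dmarcian's code): DMARC alignment for a delegated subdomain.

Constructed names: the customer's domain is customer.example and the
subdomain delegated to the sender is mail.customer.example.
"""
from typing import Optional


def organizational_domain(name: str) -> str:
    """Simplification: take the last two labels as the organizational domain.

    Real DMARC evaluators consult the Public Suffix List (so that "co.uk" is
    treated as a suffix); the stand-in is sufficient for the names used here.
    """
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment as defined in RFC 7489 section 3.1.

    mode "r" (relaxed, the default): the organizational domains must match.
    mode "s" (strict): the domains must match exactly.
    """
    f = from_domain.lower().rstrip(".")
    a = auth_domain.lower().rstrip(".")
    if mode == "s":
        return f == a
    return organizational_domain(f) == organizational_domain(a)


def parse_dmarc(record: str) -> dict:
    """Parse a DMARC TXT record into its tags, filling in the alignment defaults."""
    tags = {"aspf": "r", "adkim": "r"}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def dmarc_result(dmarc_record: str, from_domain: str,
                 mailfrom_domain: Optional[str], spf_passed: bool,
                 dkim_d: Optional[str], dkim_passed: bool) -> dict:
    """Combine SPF/DKIM authentication results with identifier alignment.

    DMARC passes when at least one authenticated identifier (the SPF
    RFC5321.MailFrom domain or the DKIM d= domain) aligns with the
    RFC5322.From domain under the mode selected by the DMARC record.
    """
    tags = parse_dmarc(dmarc_record)
    spf_ok = bool(spf_passed and mailfrom_domain and
                  aligned(from_domain, mailfrom_domain, tags["aspf"]))
    dkim_ok = bool(dkim_passed and dkim_d and
                   aligned(from_domain, dkim_d, tags["adkim"]))
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc_pass": spf_ok or dkim_ok, "policy": tags.get("p")}


def spf_is_self_contained(spf_record: str) -> bool:
    """True when an SPF record lists only the sender's own addresses.

    A delegated subdomain's SPF record should contain only ip4/ip6 mechanisms
    and a terminal "-all": any include:/a/mx mechanism makes the record depend
    on DNS the sender does not control, and a softer "all" is not a hard fail.
    """
    terms = spf_record.split()
    if not terms or terms[0].lower() != "v=spf1" or terms[-1] != "-all":
        return False
    return all(t.startswith(("ip4:", "ip6:")) for t in terms[1:-1])


# Constructed message identifiers: From: carries the customer's organizational
# domain; the bounce address and the DKIM signature use the delegated subdomain.
FROM_DOMAIN = "customer.example"
DELEGATED = "mail.customer.example"

if __name__ == "__main__":
    for record in ("v=DMARC1; p=reject",
                   "v=DMARC1; p=reject; adkim=s",
                   "v=DMARC1; p=reject; aspf=s; adkim=s"):
        result = dmarc_result(record, FROM_DOMAIN, DELEGATED, True, DELEGATED, True)
        print(f"{record:<40} -> {result}")
    print(spf_is_self_contained("v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all"))
```

Running the script shows the practical caveat: with the default relaxed modes both SPF and DKIM align and DMARC passes; with adkim=s only SPF still aligns (which is enough); with both tags set to strict nothing aligns and mail sent through the delegated subdomain fails the customer’s DMARC policy.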
This form of delegation benefits the domain owner/customer: it is very easy to set up (a single set of NS records for the subdomain), no further configuration on their side is necessary, and delegated subdomains are easily maintained.
This form of delegation benefits you—the one sending email on behalf of others—by giving you full control over how you send email and maintain your infrastructure. If you move servers, rotate DKIM keys, or swap out infrastructure, the domain-owner (your customer) doesn’t have to change anything.
If you have questions/comments, feel free to drop us a line at email@example.com.
We’re Here to Help
With a team of email security experts and a mission of making email and the internet more trustworthy through domain security, dmarcian is here to help assess an organization’s domain catalog and implement and manage DMARC for the long haul.
Want to continue the conversation? Head over to the dmarcian Forum.