Everything You Need to Know About Using Subdomains for Email
You receive an email from noreply@info.amazon.com. Is that really Amazon? Or is it phishing? What about news@marketing.yourbank.com?
Subdomains are a normal, legitimate part of email infrastructure. But understanding when they are real and when they are fake is critical for both security and for setting up your own email correctly.
What is a subdomain?
A subdomain is a prefix added to a root domain:
| Type | Example | Root domain |
|---|---|---|
| Root domain | amazon.com | amazon.com |
| Subdomain | info.amazon.com | amazon.com |
| Subdomain | marketing.amazon.com | amazon.com |
| Subdomain | aws.amazon.com | amazon.com |
The key point: subdomains belong to whoever owns the root domain. Only Amazon can create anything.amazon.com. This is fundamentally different from lookalike domains like amazon-support.com — anyone can register that.
Why companies use subdomains for email
1. Reputation isolation
Smart email senders separate transactional email (order confirmations, password resets) from marketing email (newsletters, promotions) using different subdomains:
transactional.brand.com— High-priority, must always reach inboxmarketing.brand.com— Lower priority, acceptable if some goes to spam
If their marketing campaigns trigger spam complaints, the reputation damage affects only the marketing subdomain. Transactional email delivery is unaffected.
2. Authentication separation
Each subdomain can have its own SPF, DKIM, and DMARC configuration. This allows different teams or departments to manage their own email authentication independently.
3. ESP routing
Companies often use different Email Service Providers (ESPs) for different purposes: Mailchimp for newsletters, SendGrid for transactional, Amazon SES for system alerts. Each ESP uses a different subdomain for DKIM signing and SPF alignment.
Subdomain vs impersonation: how to tell the difference
This is the critical distinction for email security:
| Sender | Root domain | Verdict |
|---|---|---|
noreply@info.paypal.com | paypal.com | Legitimate subdomain of PayPal |
noreply@paypal-security.com | paypal-security.com | Impersonation — different root domain |
alert@news.chase.com | chase.com | Legitimate subdomain of Chase |
alert@chase-alerts.net | chase-alerts.net | Impersonation — different root domain |
update@mail.spotify.com | spotify.com | Legitimate subdomain of Spotify |
update@spotify-premium.xyz | spotify-premium.xyz | Impersonation — different root domain |
The rule is simple: extract the root domain (the last two parts before the TLD). If it matches the brand, the subdomain is legitimate. If the root domain is different, it is impersonation.
This is exactly how Cleanbox's AI spam classifier works — it understands that info.brand.com is the same entity as brand.com, while brand-support.com is not.
Should you use subdomains for your own email?
When subdomains make sense
- You send high-volume marketing AND transactional email — Separate reputations prevent marketing complaints from affecting receipts and password resets
- Multiple teams manage email independently — Each team gets their own subdomain with their own authentication
- You use multiple ESPs — Each ESP gets a subdomain for clean DKIM alignment
When subdomains are overkill
- Small business or freelancer — One domain with a few aliases is simpler and sufficient
- You only receive email (not send bulk) — Subdomains primarily benefit senders, not receivers
- Your volume is low — Reputation isolation matters at thousands of emails per day, not dozens
Subdomains in Cleanbox
When you add a custom domain to Cleanbox, you add the root domain (e.g., yourdomain.com). You can then create aliases on that domain: hello@yourdomain.com, support@yourdomain.com.
For most Cleanbox users, subdomains are not necessary because Cleanbox handles the inbound side (receiving and filtering), not the outbound side (sending marketing campaigns). Your outbound email goes through your mail provider or ESP, which manages subdomain configuration if needed.
If you use Relay to protect existing addresses on subdomains, each subdomain needs to be added as a separate domain in Cleanbox with its own MX records pointing to Cleanbox.
For the complete domain setup, see DNS configuration: MX, TXT, and SPF records.
