
Should I Use Subdomains For Sending Email?

Thoughts by Jesse Hanley • Founder Bento

During the onboarding process for our customers, regardless of their size, we strive to ensure that each one receives the best deliverability advice possible.

One key piece of advice we offer is to encourage our users to send emails via a subdomain rather than their root or apex domain. In other words, use @mail.example.com instead of @example.com.

Why is this important?

Since the beginning of 2024, we've observed a significant increase in a phenomenon known as "list bombing". This is an attack in which someone uploads a large list of email addresses through unsecured forms with the intent to spam them. The usual objective is to overwhelm an inbox to conceal password resets, or to exploit vulnerabilities to get a scam offer into a user's inbox for free.

If you fall victim to such an attack, you could find your emails landing in spam, or worse, your domain could be blacklisted and take ages to get delisted.

By sending different types of emails via different subdomains, we can mitigate many of these risks.

For instance, just last week, one of our customers had a form spammed with over a million emails. Our platform automatically detected this and stopped sending, but unfortunately, their other email provider that they used for transactional emails did not, and they found themselves on a blacklist for their primary domain, causing significant issues.

Had that user separated their different email streams across different subdomains, such as @transactional.example.com for their transactional emails on the other provider and @marketing.example.com for their newsletter and automations on Bento, they could have potentially isolated their issue to just one email stream.

In such a scenario, the customer could simply halt the attack, switch to a different subdomain/provider, and continue doing business as usual.

An important note: only rotate the domain/subdomain once you have confirmed the attack has stopped. Doing this incorrectly could get the entire domain blacklisted. Additionally, you may need to gradually warm up the new subdomain, as it will have a fresh reputation with inbox providers.
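The post says the platform detected the form flood and stopped sending, but not how. As an added example (not Bento's code), here is one way a sender could halt only the affected stream: a per-subdomain circuit breaker that trips when new addresses arrive faster than a threshold. The `StreamBreaker` class, the 20-new-addresses-per-60-seconds threshold and the event format are assumptions made for illustration.

```python
from collections import defaultdict, deque

class StreamBreaker:
    """Halts one sending stream (subdomain) when new signups spike."""
    def __init__(self, window_s=60.0, max_new=20):
        self.window_s = window_s          # sliding window length, seconds (assumed)
        self.max_new = max_new            # new addresses tolerated per window (assumed)
        self.recent = defaultdict(deque)  # stream -> timestamps of new addresses
        self.seen = defaultdict(set)      # stream -> addresses already known
        self.halted = set()               # streams that have stopped sending

    def allow(self, stream, ts, email):
        """Return True if mail to `email` may go out on `stream` at time `ts`."""
        if stream in self.halted:
            return False
        addr = email.strip().lower()
        if addr in self.seen[stream]:
            return True                   # known recipient, not a new signup
        self.seen[stream].add(addr)
        q = self.recent[stream]
        q.append(ts)
        while q and ts - q[0] > self.window_s:
            q.popleft()                   # drop signups older than the window
        if len(q) > self.max_new:
            self.halted.add(stream)       # trip: stop this stream only
            return False
        return True

    def resume(self, stream):
        """Manual release, to be called only once the flood is confirmed over."""
        self.halted.discard(stream)
        self.recent[stream].clear()

def replay(events, breaker):
    """Feed (stream, ts, email) events through the breaker; count sends."""
    sent = defaultdict(int)
    for stream, ts, email in events:
        if breaker.allow(stream, ts, email):
            sent[stream] += 1
    return dict(sent)

# Constructed sample: a form flood on the marketing stream (200 signups in
# 20 s) while the transactional stream sees normal traffic.
EVENTS = [("marketing.example.com", i * 0.1, f"victim{i}@mail.test") for i in range(200)]
EVENTS += [("transactional.example.com", i * 4.0, f"user{i}@shop.test") for i in range(5)]

if __name__ == "__main__":
    b = StreamBreaker()
    print(replay(EVENTS, b), "halted:", sorted(b.halted))
```

Because the breaker is keyed by sending subdomain, the flood stops marketing mail after the first 20 new addresses while transactional mail keeps flowing.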

Need ideas for the types of subdomains you should use? Here are some suggestions!

Transactional Emails

- notifications.example.com
- orders.example.com
- auth.example.com

Marketing Emails

- updates.example.com
- newsletter.example.com
- changelog.example.com

Finally, once you have the above set up and all your SPF/DKIM records added, we recommend setting up a global catch-all for email replies. This ensures that when customers reply to these emails, their responses find their way to a support inbox for your team to respond to. Most hosting providers have an easy way to set this up, so you can do it in a few minutes.

We hope this advice helps safeguard your email deliverability in the future!

As always, if you have any questions, please ask in our Discord.