TL;DR: A subdomain is a prefix added to your domain — blog.example.com,
shop.example.com, mail.example.com — that you can point wherever you like. They're free and
useful, but each one is a door into your brand, so they need the same security attention as your main domain.
Scan your domain free to check your setup.
How subdomains work
You create a subdomain in DNS with an A record (to an IP) or a CNAME (to another host). So
shop.example.com might point to your e-commerce platform while example.com serves your main site.
You don't buy them separately — they're part of the domain you already own.
Common uses
- www — the classic web prefix.
- blog, shop, app — separate services or platforms.
- mail, m, staging, dev — mail, mobile, and test environments.
The security risks to watch
- Subdomain takeover: a subdomain pointing (via CNAME) at a service you no longer use can be hijacked by an attacker and used for phishing on your brand.
- Spoofing via subdomains: set a DMARC subdomain policy (sp=) so attackers can't send as billing.example.com even if you only protect the root.
- Forgotten staging/dev sites left public and unpatched.
How to keep subdomains secure
- Remove DNS records for subdomains and services you no longer use (delete the record before tearing down the service).
- Apply a DMARC sp=reject for non-sending subdomains.
- Keep staging/dev environments private and patched.
- Scan your domain — we flag wildcard/catch-all DNS, the signal that subdomains are hard to inventory.
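To check the DMARC item above, this added example (not code from this page or its scanner) works out which policy actually applies to a subdomain under the RFC 7489 lookup rules: a record on the subdomain itself wins, then sp= on the organizational domain, then p= when sp= is absent. The function names and the SAMPLE_TXT records are assumptions constructed for illustration.

```python
POLICIES = ("none", "quarantine", "reject")

# Constructed sample TXT records: the root is protected, but sp= weakens subdomains.
SAMPLE_TXT = {
    "_dmarc.example.com": "v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@example.com",
    "_dmarc.mail.example.com": "v=DMARC1; p=quarantine",
}

def parse_dmarc(txt):
    """Return the record's tags as a dict, or None if it is not a usable DMARC record."""
    pairs = [part.split("=", 1) for part in txt.split(";") if "=" in part]
    tags = {k.strip().lower(): v.strip() for k, v in pairs}
    first = pairs[0][0].strip().lower() if pairs else ""
    # v=DMARC1 must be the first tag and p= must carry a known policy
    if first != "v" or tags["v"] != "DMARC1" or tags.get("p", "").lower() not in POLICIES:
        return None
    return tags

def effective_policy(host, org_domain, txt_records):
    """Policy applied to mail claiming to come from host, or "missing" if no record applies."""
    host, org_domain = host.lower().rstrip("."), org_domain.lower().rstrip(".")
    if host != org_domain:
        own = parse_dmarc(txt_records.get("_dmarc." + host, ""))
        if own:
            return own["p"].lower()      # a record on the subdomain itself wins
    org = parse_dmarc(txt_records.get("_dmarc." + org_domain, ""))
    if org is None:
        return "missing"
    if host != org_domain and org.get("sp", "").lower() in POLICIES:
        return org["sp"].lower()         # explicit subdomain policy
    return org["p"].lower()              # no sp= tag: subdomains inherit p=

def weak_subdomains(hosts, org_domain, txt_records):
    """Map each host whose effective policy is not reject to that policy."""
    weak = {}
    for host in hosts:
        policy = effective_policy(host, org_domain, txt_records)
        if policy != "reject":
            weak[host] = policy
    return weak

if __name__ == "__main__":
    inventory = ["example.com", "billing.example.com", "mail.example.com"]
    for host, policy in weak_subdomains(inventory, "example.com", SAMPLE_TXT).items():
        print(f"{host}: effective DMARC policy is {policy}")
```

Run it against your own subdomain inventory and the TXT records you export from your DNS provider; any host it reports is one where spoofed mail would not be rejected.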
FAQ
Do subdomains cost extra?
No — they're included with your domain. You can create as many as you need.
Does my SSL certificate cover subdomains?
Only if it's a wildcard certificate or lists each subdomain. A normal certificate covers just the names on it.
Can a subdomain be used to attack my main site?
Potentially — a hijacked subdomain can host phishing under your brand and, in some setups, abuse shared cookies. That's why DNS hygiene matters.
Not sure what's lurking in your subdomains? Scan your domain, then reply to your report — we're developers and we'll audit and lock them down for you.