How can I implement a DMARC reject policy for non-existent domains to prevent spam?

Summary

Implementing a DMARC reject policy for non-existent domains involves setting the 'sp=reject' tag in your DMARC record to instruct receiving mail servers to reject emails appearing to come from these subdomains, thereby preventing spam and domain spoofing. Proper SPF and DKIM configuration is essential to avoid blocking legitimate emails. Continuous monitoring of DMARC reports is also crucial for identifying authentication failures, refining your policy, and ensuring valid emails are not inadvertently blocked. One caveat: very few TLDs currently respect `np` tags, which would automatically reject emails from non-existent domains, so waiting for DMARCbis may be necessary.

Key findings

  • DMARC 'sp=reject': The 'sp=reject' tag instructs receiving mail servers to reject emails from non-existent subdomains that fail DMARC checks.
  • SPF/DKIM Required: Correctly configured SPF and DKIM are essential for DMARC to function properly and prevent blocking legitimate emails.
  • DMARC Reports: Monitoring DMARC reports is crucial for identifying authentication failures, refining DMARC policies, and ensuring valid emails are not blocked.
  • Spoofing Protection: Implementing a DMARC reject policy significantly reduces the risk of domain spoofing.
  • DMARC Record Components: A complete DMARC record should include version, policy (including subdomain policy), and reporting address.
  • TXT Record: You need to publish a TXT record in your DNS with `v=DMARC1; p=reject; sp=reject;`

Key considerations

  • Monitor Reports: Continuously analyze DMARC reports to refine configurations and minimize the risk of blocking legitimate emails.
  • Proper Configuration: Ensure SPF and DKIM are correctly configured before enabling DMARC reject to avoid deliverability issues.
  • Test Configuration: Thoroughly test your DMARC configuration before implementing a reject policy to prevent unintended consequences.
  • Non-existent Domain Handling: There is an option to add an automatic reject, but it needs to be added by the TLD operator using an `np` tag.
  • DMARCbis: Few TLDs respect `np` tags, so waiting for DMARCbis, which is under review, may be necessary.
  • ServerHold Domains: If a domain has a ServerHold, meaning the NS will not resolve, email providers should not accept the message if it does not have an MX or A record.
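To make the p/sp/np behaviour described above concrete, here is an added example (not code from the original page or any of the quoted sources) that parses a published DMARC record and works out which policy a receiver applies to a failing message. It assumes the RFC 7489 rules for `p` and `sp`, the `np` tag from RFC 9091 / DMARCbis for subdomains with no A, AAAA or MX record, and simplifies organizational-domain lookup to the last two labels (real receivers use the Public Suffix List); the sample record and domains are constructed.

```python
# Added example: parse a DMARC record and select the effective policy for a
# failing message (p for the domain itself, np for non-existent subdomains,
# sp for other subdomains, falling back to p). Not the page's own code.

# Constructed sample record of the shape the page recommends publishing.
SAMPLE_RECORD = "v=DMARC1; p=reject; sp=reject; np=reject; rua=mailto:dmarc-reports@example.com"
POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(record: str) -> dict:
    """Turn 'tag=value; tag=value' into a dict; v=DMARC1 must come first and p= is required."""
    if not record.strip().lower().startswith("v=dmarc1"):
        raise ValueError("DMARC record must start with v=DMARC1")
    tags = {}
    for part in record.split(";"):
        key, _, value = part.strip().partition("=")
        if key:  # skip the empty piece left by a trailing ';'
            tags[key.strip().lower()] = value.strip()
    if "p" not in tags:
        raise ValueError("DMARC record is missing the required p= tag")
    for tag in ("p", "sp", "np"):
        if tag in tags and tags[tag].lower() not in POLICIES:
            raise ValueError(f"invalid {tag}= value: {tags[tag]!r}")
    return tags


def org_domain(domain: str) -> str:
    # Simplification (assumption): organizational domain = last two labels.
    # Real receivers derive it from the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def effective_policy(tags: dict, from_domain: str, subdomain_exists: bool) -> str:
    """Policy a receiver applies when a message's From: domain fails DMARC.
    subdomain_exists is the outcome of an A/AAAA/MX lookup on from_domain,
    passed in so the function stays offline and testable."""
    from_domain = from_domain.lower().rstrip(".")
    if from_domain == org_domain(from_domain):
        return tags["p"].lower()                   # the domain itself: p=
    if not subdomain_exists and "np" in tags:
        return tags["np"].lower()                  # non-existent subdomain: np=
    return tags.get("sp", tags["p"]).lower()       # any other subdomain: sp=, else p=


if __name__ == "__main__":
    rec = parse_dmarc(SAMPLE_RECORD)
    for dom, exists in (("example.com", True), ("mail.example.com", True), ("ghost.example.com", False)):
        print(f"{dom:20} -> {effective_policy(rec, dom, exists)}")
```

Run it against your own published record to confirm that a record without `sp` leaves subdomains on the weaker `p` value, which is why the page's recommended record sets both.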

What email marketers say

12 marketer opinions

Implementing a DMARC reject policy for non-existent domains involves setting the 'sp=reject' tag in your DMARC record to instruct receiving mail servers to reject emails appearing to come from these subdomains. This helps prevent spam and unauthorized use of your domain. It's crucial to have properly configured SPF and DKIM, and to continuously monitor DMARC reports to avoid blocking legitimate emails due to misconfigurations.

Key opinions

  • DMARC 'sp=reject': Setting the 'sp=reject' tag in your DMARC record instructs receiving mail servers to reject emails from non-existent subdomains.
  • SPF/DKIM Required: Properly configured SPF and DKIM are essential for DMARC to function correctly and avoid blocking legitimate emails.
  • DMARC Reports: Monitoring DMARC reports is crucial for identifying authentication failures and potential spoofing attempts, allowing you to refine your DMARC policy.
  • TLD option needed: There is an option to add an automatic reject, but it needs to be added by the TLD operator using an `np` tag.

Key considerations

  • Monitor Reports: Continuously analyze DMARC reports to refine your configuration and minimize the risk of blocking legitimate emails.
  • Testing: Test your DMARC configuration thoroughly before fully implementing the reject policy to prevent unintended consequences.
  • Proper Configuration: Ensure SPF and DKIM are correctly configured before enabling DMARC reject to avoid deliverability issues.
  • `np` tags: Very few TLDs use `np` tags, which would reject emails from non-existent domains, so it might be best to wait for DMARCbis.

Marketer view

Marketer from Email Geeks explains that even though the domain has a ServerHold, meaning the NS will not resolve and you can't add any records, email providers should not accept the message since it will not have a working MX or A record.

November 2022 - Email Geeks
Marketer view

Email marketer from Multiplier explains that you should set the subdomain policy to reject, but only after carefully implementing SPF and DKIM. Further, that continuous monitoring is essential to ensure legitimate email is correctly identified.

September 2022 - Multiplier
Marketer view

Email marketer from EasyDMARC explains that to enforce a DMARC reject policy, you must set 'p=reject' in your DMARC DNS record, ensuring that unauthorized emails are rejected by recipient mail servers. It is also recommended to monitor your DMARC reports regularly.

December 2023 - EasyDMARC
Marketer view

Marketer from Email Geeks explains that there is an option to add an automatic reject, but it needs to be added by the TLD operator; in this case, .fr would need to add an `np` tag, which specifies the policies for non-existent domains.

September 2024 - Email Geeks
Marketer view

Email marketer from Valimail answers that to prevent spam from non-existent domains using DMARC, ensure your DMARC record includes 'p=reject' for the main domain and 'sp=reject' for subdomains. Also that it's important to monitor DMARC reports to avoid blocking legitimate emails.

January 2025 - Valimail
Marketer view

Email marketer from StackOverflow answers that a DMARC record with `sp=reject` instructs email receivers to reject messages from subdomains that don't have their own DMARC records, helping to prevent unauthorized use of your domain. It is important to thoroughly test your configuration.

August 2023 - StackOverflow
Marketer view

Marketer from Email Geeks shares that because it's not clear who actually respects `np` tags right now, we might need to wait for DMARCbis.

May 2022 - Email Geeks
Marketer view

Email marketer from Postmark explains implementing a DMARC reject policy involves publishing a DMARC record with the `p=reject` tag and the `sp=reject` tag. Also, continuously analyzing DMARC reports allows for refinements and helps minimize the risk of blocking legitimate emails.

July 2022 - Postmark
Marketer view

Email marketer from Reddit shares their experience to say that after setting 'p=reject' and 'sp=reject', they saw a significant decrease in spam using their domain. However, it's crucial to monitor DMARC reports to prevent blocking legitimate emails due to misconfigurations.

February 2025 - Reddit
Marketer view

Email marketer from DMARC Analyzer explains that the "sp" tag in DMARC allows you to set a specific policy for subdomains. Setting 'sp=reject' tells receiving mail servers to reject emails appearing to come from non-existent subdomains.

January 2023 - DMARC Analyzer
Marketer view

Email marketer from Mailhardener details that to protect subdomains, especially non-existent ones, set the 'sp' tag to 'reject' in your DMARC record. This instructs receiving servers to reject emails claiming to be from these subdomains if they fail DMARC checks.

June 2021 - Mailhardener
Marketer view

Email marketer from EmailSecurityForum answers that to enforce a DMARC reject policy, you need to publish a TXT record in your DNS with `v=DMARC1; p=reject; sp=reject;`, and ensure SPF and DKIM are properly configured. Monitor DMARC reports to adjust the configuration as needed.

September 2024 - EmailSecurityForum

What the experts say

5 expert opinions

Implementing a DMARC reject policy requires correctly configured SPF and DKIM to prevent legitimate emails from being blocked. Monitoring DMARC reports is crucial for addressing authentication issues and refining the policy. The 'p=reject' tag tells email providers to reject unauthenticated emails.

Key opinions

  • SPF/DKIM: Correctly configured SPF and DKIM are essential to prevent blocking legitimate emails.
  • DMARC Reports: Monitoring DMARC reports is crucial for identifying authentication failures and refining the DMARC policy.
  • DMARC 'p=reject': The 'p=reject' tag instructs email providers to reject unauthenticated emails.

Key considerations

  • Monitoring: Diligently monitor DMARC reports to address issues and refine your DMARC policy.
  • Best Guess SPF: Best guess SPF is outdated and should be avoided.
  • DMARCbis: DMARCbis is under review and may offer improvements or changes to the current DMARC standards.
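Since every opinion above comes back to monitoring DMARC reports before and after enforcing reject, here is an added example (not code from the original page or any of the quoted sources) that summarizes a DMARC aggregate (rua) report per From: domain, so the sources that would be rejected can be reviewed. It assumes the RFC 7489 Appendix C aggregate-report XML layout; the report itself is constructed sample data with documentation IP ranges.

```python
# Added example: summarize a constructed DMARC aggregate (rua) report.
# Not the page's own code; XML shape follows RFC 7489 Appendix C.
import xml.etree.ElementTree as ET
from collections import defaultdict

SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <policy_published><domain>example.com</domain><p>reject</p><sp>reject</sp></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>35</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>ghost.example.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>203.0.113.5</source_ip><count>8</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
</feedback>"""


def summarize(report_xml: str) -> dict:
    """Per header_from domain: messages passing/failing DMARC, how many the receiver
    rejected, and the source IPs that failed (check these before trusting reject)."""
    root = ET.fromstring(report_xml)
    summary = defaultdict(lambda: {"pass": 0, "fail": 0, "rejected": 0, "failing_sources": set()})
    for rec in root.findall("record"):
        row = rec.find("row")
        count = int(row.findtext("count"))
        entry = summary[rec.findtext("identifiers/header_from")]
        # DMARC passes when either aligned DKIM or aligned SPF passes.
        if "pass" in (row.findtext("policy_evaluated/dkim"), row.findtext("policy_evaluated/spf")):
            entry["pass"] += count
        else:
            entry["fail"] += count
            entry["failing_sources"].add(row.findtext("source_ip"))
        if row.findtext("policy_evaluated/disposition") == "reject":
            entry["rejected"] += count
    return dict(summary)


if __name__ == "__main__":
    for domain, stats in summarize(SAMPLE_REPORT).items():
        print(domain, stats)
```

In the sample, the 8 rejected messages claiming to be from example.com itself are the ones worth investigating: that pattern is what a forgotten legitimate sender looks like in a report once `p=reject` is live.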

Expert view

Expert from Email Geeks shares that best guess SPF was a good idea at one point; now it needs to go away.

June 2024 - Email Geeks
Expert view

Expert from Word to the Wise explains that when implementing DMARC, particularly the reject policy, it's essential to ensure SPF and DKIM are correctly configured to avoid blocking legitimate emails. Monitoring DMARC reports is also crucial for identifying and addressing any authentication issues before fully enforcing the reject policy.

February 2023 - Word to the Wise
Expert view

Expert from Spamresource answers that one aspect of DMARC is that you can create a policy with the "p=" tag. The options are none, quarantine, or reject. The reject tag tells email providers to not accept unauthenticated emails as well as put them in the spam folder.

August 2022 - Spamresource
Expert view

Expert from Word to the Wise answers that it's essential to monitor DMARC reports diligently, as these reports provide insights into email authentication failures and potential spoofing attempts, helping you refine your DMARC policy and ensure legitimate emails are not inadvertently blocked.

February 2025 - Word to the Wise
Expert view

Expert from Email Geeks responds that it's in final call and most of the work was done. Further, that the protocol questions are answered and it's on the AD's desk for review.

January 2024 - Email Geeks

What the documentation says

5 technical articles

Implementing a DMARC reject policy for non-existent subdomains involves using the 'sp=reject' tag in the DMARC record. This instructs recipient servers to refuse unauthenticated emails from those subdomains, reducing the risk of domain spoofing. It's crucial to monitor DMARC reports to identify legitimate email sources before full implementation.

Key findings

  • DMARC 'sp=reject' Tag: The 'sp=reject' tag is used to instruct receiving mail servers to reject emails from non-existent subdomains that fail DMARC authentication.
  • Spoofing Reduction: Implementing a DMARC reject policy significantly reduces the risk of domain spoofing.
  • DMARC Reports: Monitoring DMARC reports is essential for identifying legitimate email sources and preventing the blocking of valid emails.
  • Complete DMARC Record: A complete DMARC record should include version, policy (including subdomain policy), and reporting address.

Key considerations

  • Monitor Reports: Carefully monitor DMARC reports to identify and address any authentication issues before fully enforcing the 'reject' policy.
  • Prevent Abuse: Setting the subdomain policy to 'reject' prevents abuse from non-existent subdomains.
  • Protect Subdomains: Using DMARC with 'sp=reject' helps protect subdomains from spoofing by ensuring that only properly aligned emails are accepted.

Technical article

Documentation from RFC Editor specifies that a DMARC policy can include instructions for handling messages from non-existent subdomains, using the "sp" tag with a value of "reject" to indicate that such messages should be rejected.

March 2023 - RFC Editor
Technical article

Documentation from Google Workspace Admin Help details that subdomain policy is configured using the `sp` tag, and specifies that setting `sp=reject` tells receiving mail servers to reject messages from subdomains that don't align with your DMARC policies, thereby protecting those subdomains from spoofing.

October 2024 - Google
Technical article

Documentation from AuthSMTP details that a complete DMARC record should include version, policy, and reporting address, and recommends setting the subdomain policy (sp) to 'reject' to prevent abuse from non-existent subdomains.

June 2022 - AuthSMTP
Technical article

Documentation from DMARC.org FAQ explains the 'sp' tag allows for defining a specific DMARC policy for all subdomains. It says that setting 'sp=reject' instructs recipient mail servers to reject any messages from subdomains that fail DMARC authentication, assisting in protecting against unauthorized use of your domain.

May 2023 - DMARC.org
Technical article

Documentation from Proofpoint details that implementing a DMARC reject policy, including for non-existent subdomains, significantly reduces the risk of domain spoofing by instructing recipient servers to refuse unauthenticated emails. They suggest carefully monitoring DMARC reports to identify legitimate email sources before fully implementing 'p=reject' or 'sp=reject'.

May 2021 - Proofpoint