How does the DMARC sp tag affect subdomain policies?

Summary

The DMARC 'sp' tag is a key element for managing subdomain email policies. It enables domain owners to set specific DMARC policies for their subdomains, which can differ from the parent domain's policy set by the 'p' tag. If the 'sp' tag is not present, subdomains inherit the parent domain's 'p' tag policy. Setting 'sp=none' effectively disables DMARC protection for subdomains, while options like 'sp=reject' or 'sp=quarantine' enforce stricter policies, safeguarding against spoofing. Proper configuration, including consideration of the 'np' tag for non-existent subdomains, is vital for comprehensive domain security and deliverability. A common mistake is neglecting to properly set the 'sp' tag, leaving subdomains vulnerable.

Key findings

  • Policy Override: The 'sp' tag allows explicit DMARC policies for subdomains, overriding the parent domain's 'p' tag.
  • Inheritance: Subdomains inherit the 'p' tag if the 'sp' tag is absent.
  • Spoofing Protection: Setting 'sp=reject' or 'sp=quarantine' hardens subdomains against email spoofing.
  • No Tag Effect: If the 'sp' tag is set to 'none', subdomains are not protected by DMARC, irrespective of parent domain policy.
  • Unused Domains: For subdomains not sending mail, a DMARC record with an 'sp' tag set to reject or quarantine can prevent misuse.
  • Non-Existent Subdomains: The 'np' tag enables defining policies for domains that do not exist.

Key considerations

  • Subdomain Structure: Understand the subdomain structure and assess the need for differing policies.
  • DMARC Setting: Define 'sp' policies that match the level of protection required for each set of subdomains.
  • Tag Combination: Explore using 'np=reject' with 'p=none' on parent domains to simplify management while improving overall domain security posture.
  • Continuous Monitoring: Monitor DMARC reports regularly to adjust and refine policies, ensuring optimal security and deliverability.
  • DMARC Alignment: Ensure correct setup of SPF and DKIM along with DMARC, with special attention paid to the 'sp' tag.
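
The lookup order described above, as an added example that is not from any of the quoted sources. It goes slightly beyond the summary by also covering a subdomain that publishes its own record and the np fallback (np, then sp, then p). The domain names, records and the existing_hosts set are constructed, and the organizational domain is passed in rather than derived.

```python
# Added example: which DMARC policy applies to a given From: domain.
# All records and host names below are constructed sample data.

def parse_dmarc(txt):
    """Parse 'v=DMARC1; p=none; sp=reject' into a dict of tags."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a usable DMARC record: %r" % txt)
    return tags

def effective_policy(from_domain, org_domain, dmarc_txt, existing_hosts):
    """Return (policy, reason) for mail whose From: domain is from_domain.

    dmarc_txt maps a domain to the TXT record published at _dmarc.<domain>.
    existing_hosts is the set of names that resolve in DNS; it stands in
    for the receiver's own lookups (an assumption of this example).
    """
    from_domain = from_domain.lower().rstrip(".")
    if from_domain in dmarc_txt:
        # A record on the exact domain wins; sp/np of the parent are ignored.
        return parse_dmarc(dmarc_txt[from_domain])["p"].lower(), "own record p"
    if org_domain not in dmarc_txt:
        return None, "no DMARC record"
    tags = parse_dmarc(dmarc_txt[org_domain])
    if from_domain not in existing_hosts and "np" in tags:
        return tags["np"].lower(), "parent np"      # non-existent subdomain
    if "sp" in tags:
        return tags["sp"].lower(), "parent sp"      # explicit subdomain policy
    return tags["p"].lower(), "parent p (inherited)"  # no sp: inherit p

HOSTS = {"example.com", "news.example.com", "shop.example.com"}
SP_REJECT = {
    "example.com": "v=DMARC1; p=none; sp=reject; rua=mailto:dmarc@example.com",
    "news.example.com": "v=DMARC1; p=quarantine",
}
NP_REJECT = {"example.com": "v=DMARC1; p=none; np=reject"}
SP_NONE = {"example.com": "v=DMARC1; p=reject; sp=none"}

def demo():
    """Resolve the same From: domains under the three constructed setups."""
    names = ["example.com", "news.example.com", "shop.example.com",
             "random123.example.com"]
    return {label: [effective_policy(n, "example.com", recs, HOSTS)[0]
                    for n in names]
            for label, recs in [("sp_reject", SP_REJECT),
                                ("np_reject", NP_REJECT),
                                ("sp_none", SP_NONE)]}
```

The sp_none row shows the failure mode the summary warns about: the parent is at reject, yet every subdomain without its own record resolves to none.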

What email marketers say
12 Marketer opinions

The DMARC 'sp' tag is a critical component for managing subdomain email policies. It allows domain owners to define specific DMARC policies for subdomains, overriding the parent domain's 'p' tag policy. If 'sp' is not defined, subdomains inherit the 'p' tag. Setting 'sp=none' effectively disables DMARC protection for subdomains, while 'sp=reject' or 'sp=quarantine' enforces stricter policies. Correct configuration of the 'sp' tag is vital to protect subdomains against spoofing and ensure secure email deliverability across the entire domain structure. Common mistakes, like neglecting the 'sp' tag, can leave subdomains vulnerable.

Key opinions

  • Policy Control: The 'sp' tag allows specific DMARC policies for subdomains, overriding the parent domain's 'p' tag.
  • Inheritance: Without the 'sp' tag, subdomains inherit the 'p' tag policy from the parent domain.
  • Security: Proper configuration of the 'sp' tag is crucial for protecting subdomains against email spoofing.
  • Default Behavior: If a subdomain lacks a DMARC record, it defaults to the 'sp' tag setting of the parent domain.
  • Bypass Effect: Setting the 'sp' tag to none can disable DMARC protection for subdomains.

Key considerations

  • Subdomain Usage: Organizations using subdomains must define an 'sp' policy to ensure consistent email security across their domain structure.
  • Policy Enforcement: Setting 'sp=reject' or 'sp=quarantine' enforces stricter policies on subdomains, preventing spoofing attempts.
  • SPF/DKIM Alignment: Ensure SPF and DKIM are correctly configured along with DMARC to achieve optimal email deliverability and security.
  • Monitoring: Regularly monitor DMARC reports to identify and address any email authentication issues, including those related to subdomains.
  • Error Prevention: Avoid common DMARC configuration mistakes, such as neglecting the 'sp' tag, which can leave subdomains vulnerable to spoofing.
Marketer view

Marketer from Email Geeks provides an example, illustrating how DMARC policies are applied based on the sp tag and subdomain records.

November 2021 - Email Geeks
Marketer view

Email marketer from EmailSecurityFAQ explains that the DMARC 'sp' tag is a subdomain policy tag that allows the creation of a DMARC rule that applies to any subdomains; this can allow a different policy for subdomains versus the primary domain.

March 2024 - EmailSecurityFAQ
Marketer view

Email marketer from AuthSMTP shares a reminder that SPF, DKIM and DMARC need to be set up correctly to ensure correct email sending, and to watch the 'sp' tag to ensure that it does not override your primary domain with the wrong settings.

August 2024 - AuthSMTP
Marketer view

Email marketer from URIports notes that the sp tag lets you define a specific DMARC policy for all subdomains of a domain. If a subdomain does not have a DMARC record, it will default to the sp tag setting of the main domain. It ensures control over email authentication across all parts of a domain structure.

February 2025 - URIports
Marketer view

Email marketer from Mailhardener shares that the p tag and sp tag define how to deal with unauthorized use of your domain, so ensure that your settings are configured correctly to handle spoofing or attacks.

January 2022 - Mailhardener
Marketer view

Email marketer from Stackoverflow shares that DMARC policy is inherited from the main domain to subdomains, but this inheritance can be modified with the 'sp' tag. Setting sp to 'reject' or 'quarantine' on the parent domain ensures those policies are enforced on subdomains without their own DMARC records.

July 2024 - Stackoverflow
Marketer view

Email marketer from Email Geeks shares advice to set the policy on the parent domain to p=none, but sp=reject if you’re being spoofed by a botnet on a bunch of random subdomains.

February 2023 - Email Geeks
Marketer view

Email marketer from MXToolbox explains a common DMARC mistake is not properly setting the 'sp' tag, which can lead to subdomains being vulnerable to spoofing. It's crucial to define an 'sp' policy, especially if the 'p' policy is set to 'none'.

February 2022 - MXToolbox
Marketer view

Email marketer from Valimail explains that the sp tag is crucial for controlling how DMARC policies are applied to subdomains. By using the sp tag to define a specific policy, you ensure that your subdomains are protected against email spoofing.

March 2025 - Valimail
Marketer view

Email marketer from EasyDMARC shares that the sp tag in DMARC is vital for organizations using subdomains. It allows you to set stricter DMARC policies on your subdomains than your primary domain, offering an extra layer of security.

November 2021 - EasyDMARC
Marketer view

Marketer from Email Geeks answers the question by explaining that p=none will be the policy for any subdomain that does not publish its own DMARC record.

March 2024 - Email Geeks
Marketer view

Email marketer from Reddit explains that when the sp tag is set to none, it means that even if there is a DMARC policy, the subdomains' policy will be set to none, which means no action will be taken even if the email fails authentication. The sp tag lets the owner of a domain specify what subdomains should do.

February 2025 - Reddit

What the experts say
4 Expert opinions

The DMARC 'sp' tag governs how policies are applied to subdomains. When absent, subdomains inherit the parent domain's policy. Explicitly using the 'sp' tag allows for defining distinct policies for subdomains, offering granular control. For subdomains not sending mail, implementing DMARC records with appropriate policies can prevent spoofing. The 'np' tag can be used to define policies for non-existent subdomains. Setting 'p=none, sp=reject' helps manage spoofed emails across subdomains and simplifies DMARC setup.

Key opinions

  • Policy Inheritance: Without an 'sp' tag, subdomains inherit the parent domain's DMARC policy.
  • Granular Control: The 'sp' tag enables defining specific DMARC policies for individual subdomains.
  • Spoofing Prevention: Setting DMARC records with appropriate policies on unused subdomains prevents spoofing.
  • Non-Existent Subdomains: The 'np' tag allows defining policies for non-existent subdomains.
  • Practical Configuration: Using 'p=none, sp=reject' helps manage subdomain spoofing and simplifies DMARC implementation.

Key considerations

  • Policy Strategy: Decide whether to inherit the parent policy or define specific subdomain policies using the 'sp' tag based on organizational needs.
  • Subdomain Audit: Identify subdomains that are not used for sending mail and implement DMARC records to prevent spoofing.
  • NP Tag Use: Consider using the 'np' tag for non-existent subdomains to further enhance security and prevent misuse.
  • Testing and Monitoring: Regularly test and monitor DMARC configurations to ensure effectiveness and address any issues promptly.
  • DMARC Simplification: Explore configurations like 'p=none, sp=reject' to simplify DMARC implementation while maintaining essential security.
Expert view

Expert from Spam Resource answers that if your subdomains are not sending mail, set a DMARC record for them and set a policy so spammers can't send mail from those domains. You can do this at the DNS level.

March 2024 - Spam Resource
Expert view

Expert from Email Geeks shares that there’s also the np tag to define a policy for non-existent domains. So if you’re p=none but don’t want folks to forge subdomains that don’t exist, you can do p=none, np=reject.

January 2022 - Email Geeks
Expert view

Expert from Word to the Wise explains how to use p=none, and sp=reject to block spoofed emails from subdomains. This ensures non-existent subdomains are managed correctly, and helps get DMARC set up more easily.

May 2024 - Word to the Wise
Expert view

Expert from Email Geeks explains that if there's no sp tag, the policy is inherited; only use sp if you don’t want the policy inherited.

May 2022 - Email Geeks

What the documentation says
3 Technical articles

The 'sp' tag in a DMARC record is used to define a specific policy for subdomains. If the 'sp' tag is absent, the policy defined by the 'p' tag applies to both the domain and its subdomains. The 'sp' tag allows domain owners to implement more restrictive DMARC policies for all subdomains. It is recommended to use the 'sp' tag to prevent abuse of subdomains.

Key findings

  • Subdomain Policy Definition: The 'sp' tag defines DMARC policy specifically for subdomains.
  • Inheritance Behavior: If 'sp' tag is missing, subdomains inherit the 'p' tag policy from the parent domain.
  • Restrictive Policies: The 'sp' tag facilitates implementation of stricter DMARC policies for subdomains.
  • Prevention of Abuse: Using the 'sp' tag helps prevent abuse of subdomains through email spoofing.

Key considerations

  • Subdomain Security: Evaluate whether subdomains require different or more restrictive policies than the main domain.
  • Policy Selection: Carefully consider the 'sp' tag options (none, quarantine, reject) to align with security and deliverability goals.
  • Tag Implementation: Implement the 'sp' tag in the DMARC record for appropriate subdomain policy enforcement.
  • Abuse Monitoring: Continuously monitor DMARC reports to identify and address any potential subdomain abuse.
Technical article

Documentation from DMARC.org explains that the 'sp' tag in a DMARC record defines the policy for subdomains of the domain in question. If the 'sp' tag is not present, the policy specified by the 'p' tag applies to both the domain and its subdomains. The 'sp' tag allows domain owners to specify a different policy for subdomains.

October 2022 - DMARC.org
Technical article

Documentation from Google Workspace Admin Help states that the 'sp' tag, or subdomain policy tag, lets you define a more restrictive DMARC policy for all subdomains. Without the sp tag subdomains inherit the p tag. This tag is optional, but recommended to prevent abuse of subdomains.

April 2023 - Google Workspace Admin Help
Technical article

Documentation from RFC 7489, the standard defining DMARC, specifies that the 'sp' tag indicates a requested policy to be enacted by a Mail Receiver when processing mail from subdomains of the Domain Owner's domain. If the 'sp' tag is absent, the policy applies to the domain it is published on and all subdomains.

September 2022 - RFC Editor