DMARC sp Tag Exceptions & Uses
The “sp” attribute is short for subdomain policy and is not currently widely used. It allows a domain to specify that a different DMARC policy should apply to subdomains of the specified DNS domain.
To keep things simple, it is recommended that the ‘sp’ attribute be omitted from the organizational domain itself. Subdomains then fall back to the policy set in the ‘p’ attribute, so an enforced organizational policy also prevents spoofing on subdomains. Remember that, unless a subdomain publishes its own record, its behavior is determined by the organizational domain’s policy.
Subdomains inherit the parent domain’s policy unless explicitly overruled by a subdomain policy record. The ‘sp’ attribute can override this inheritance.
If a subdomain has an explicit DMARC record, this record will take precedence over the DMARC policy for the parent domain, even if the subdomain uses the default setting of p=none. For example, if a DMARC policy is defined for priority ‘all’, the ‘sp’ element will influence DMARC processing on subdomains not covered by any specific policy.
Why do you need the DMARC sp tag?
If you have your DMARC record as:
v=DMARC1; p=reject; sp=none; rua=mailto:[email protected];
In this case, while your root domain is protected against spoofing attacks, your subdomains, even if you don’t use them to exchange information, would still be vulnerable to impersonation attacks.
If you have your DMARC record as:
v=DMARC1; p=none; sp=reject; rua=mailto:[email protected];
In this case, while you are not committing to a reject policy on the root domain that you use to send your emails, your inactive subdomains are still protected against impersonation.
If you want your domain and subdomain policies to be the same, you can leave the sp tag blank or disabled while creating a record, and your subdomains will automatically inherit the policy applied to the main domain.
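The lookup order described above (a subdomain's own record first, then the organizational domain's sp, then its p), as an added example that is not part of the original page. The function names, the zone dictionaries and the example.com addresses are constructed for illustration, and the organizational domain is passed in by the caller rather than derived from the Public Suffix List.

```python
# Added example. Zone contents are constructed sample data, not live DNS.
def parse_dmarc(txt):
    """Return {tag: value} for a DMARC TXT record, or None if it is not one."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    # This example only accepts records carrying v=DMARC1 and a p tag.
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return None
    return tags

def effective_policy(from_domain, org_domain, zone):
    """Return (policy, source) for mail whose From: domain is from_domain.

    zone maps DNS names to TXT strings (hypothetical stand-in for a resolver).
    org_domain is supplied by the caller; deriving it needs the Public Suffix List.
    """
    from_domain = from_domain.lower().rstrip(".")
    org_domain = org_domain.lower().rstrip(".")
    # 1. A record published at the exact From: domain takes precedence.
    own = parse_dmarc(zone.get("_dmarc." + from_domain, ""))
    if own:
        return own["p"].lower(), f"_dmarc.{from_domain} p"
    # 2. Otherwise use the organizational domain's record.
    org = parse_dmarc(zone.get("_dmarc." + org_domain, ""))
    if not org:
        return None, "no DMARC record"
    # 3. sp, when present, governs subdomains; when absent, p is inherited.
    if from_domain != org_domain and "sp" in org:
        return org["sp"].lower(), f"_dmarc.{org_domain} sp"
    return org["p"].lower(), f"_dmarc.{org_domain} p"

# Constructed zones mirroring the two records discussed above, plus an override.
RUA = "rua=mailto:reports@example.com;"
ZONE_A = {"_dmarc.example.com": "v=DMARC1; p=reject; sp=none; " + RUA}
ZONE_B = {"_dmarc.example.com": "v=DMARC1; p=none; sp=reject; " + RUA}
ZONE_C = {"_dmarc.example.com": "v=DMARC1; p=reject; " + RUA,
          "_dmarc.news.example.com": "v=DMARC1; p=none; " + RUA}

if __name__ == "__main__":
    for name, zone in (("A", ZONE_A), ("B", ZONE_B), ("C", ZONE_C)):
        for domain in ("example.com", "news.example.com", "unused.example.com"):
            print(name, domain, effective_policy(domain, "example.com", zone))
```

Zone C shows the case where a subdomain's own p=none record weakens an otherwise enforced organizational policy, which is worth checking for when auditing a domain.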
If you are using a DMARC record generator tool to create a DMARC record for your domain, you need to manually enable the subdomain policy button and define your desired policy.