DMARC sp Tag Exceptions & Uses
The "sp" tag is short for subdomain policy. It lets a domain specify a different DMARC policy for its subdomains than the one applied to the organizational domain itself.
By default, if you omit the sp tag, your subdomains simply inherit the policy set in the p tag. Including sp lets you override that inheritance for existing subdomains. It is worth remembering that subdomain policy is evaluated against the organizational domain's published record, so the relationship between p and sp is what determines how a subdomain's mail is handled.
If a subdomain publishes its own explicit DMARC record, that record takes precedence over the parent's policy for that subdomain, even if the subdomain's own record is just p=none. In the absence of a record on the subdomain, the parent's sp value (or, if sp is absent, the parent's p value) applies.
A key companion: the np tag
RFC 9989 introduced the np tag, which sets the policy for non-existent subdomains, meaning subdomain names that do not resolve in DNS at all. This matters because sp only governs subdomains that exist. Attackers frequently forge mail from random, never-registered subdomains (for example, marketing-promo.yourdomain.com), and sp does not cover those. The np tag closes that gap. If np is absent, processing falls back to sp, and if sp is also absent, to p.
For domains that want the strongest subdomain protection, publishing sp=reject and np=reject (where appropriate for your mail flows) protects both your existing subdomains and any non-existent ones from being used in impersonation.
Why do you need the sp (and np) tags?
If your DMARC record is:
v=DMARC1; p=reject; sp=none; rua=mailto:[email protected];
Then your root domain is protected, but your subdomains, even ones you never use to send mail, remain vulnerable to impersonation, because sp=none tells receivers not to enforce on them.
If your record is:
v=DMARC1; p=none; sp=reject; rua=mailto:[email protected];
Then you are not yet enforcing on the root domain you use for sending, but your unused subdomains are protected against impersonation.
To also protect non-existent subdomains, you can add np:
v=DMARC1; p=none; sp=reject; np=reject; rua=mailto:[email protected];
If you want your subdomain policy to match your root domain policy, you can simply leave the sp tag out, and your subdomains will inherit the policy set in p.
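The precedence rules described above (a subdomain's own record first, then the parent's np for non-existent names, then sp, then p) can be checked against your own records with a small resolver. This is an added example, not code from the original page; the example.com names, the rua address, the function names and the dictionaries that stand in for DNS lookups are all assumptions made for illustration.

```python
# Added example: resolve which DMARC policy applies to a From: domain.
# All zone data below is constructed; no DNS queries are made.

def parse_dmarc(txt):
    """Parse a DMARC TXT value into {tag: value}; None if not a DMARC record."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v") == "DMARC1" else None

def effective_policy(from_domain, org_domain, txt_records, existing_names):
    """Return (policy, source) for mail claiming to be from from_domain.

    txt_records: {dns_name: TXT value}; existing_names: names that resolve.
    Both stand in for DNS lookups (assumption of this example).
    """
    own = parse_dmarc(txt_records.get("_dmarc." + from_domain, ""))
    if own and "p" in own:
        # A record published on the domain itself always wins, even p=none.
        return own["p"].lower(), "_dmarc." + from_domain + " p"
    parent = parse_dmarc(txt_records.get("_dmarc." + org_domain, ""))
    if from_domain == org_domain or not parent or "p" not in parent:
        return None, "no DMARC policy"
    # Existing subdomains: sp, then p. Non-existent ones: np, then sp, then p.
    order = ("sp", "p") if from_domain in existing_names else ("np", "sp", "p")
    for tag in order:
        if tag in parent:
            return parent[tag].lower(), "_dmarc." + org_domain + " " + tag

# Constructed zones mirroring the records discussed above.
ZONE_A = {"_dmarc.example.com":
          "v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@example.com;"}
ZONE_B = {"_dmarc.example.com":
          "v=DMARC1; p=none; sp=reject; np=reject; rua=mailto:dmarc@example.com;",
          "_dmarc.news.example.com": "v=DMARC1; p=none;"}
EXISTING = {"example.com", "mail.example.com", "news.example.com"}

if __name__ == "__main__":
    names = ("example.com", "mail.example.com",
             "news.example.com", "promo.example.com")
    for zone in (ZONE_A, ZONE_B):
        for name in names:
            print(name, effective_policy(name, "example.com", zone, EXISTING))
```

In ZONE_A the never-registered promo.example.com resolves to none through the sp fallback, which is the exposure the np tag is meant to close.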
If you are using a DMARC record generator, you typically need to enable the subdomain policy option and choose your desired sp (and, where supported, np) value.