
How can I implement a DMARC reject policy for non-existent domains to prevent spam?

Summary

Implementing a DMARC reject policy for non-existent domains involves setting the 'sp=reject' tag in your DMARC record to instruct receiving mail servers to reject emails appearing to come from these subdomains, thereby preventing spam and domain spoofing. Proper SPF and DKIM configuration is essential to avoid blocking legitimate emails. Continuous monitoring of DMARC reports is also crucial for identifying authentication failures, refining your policy, and ensuring valid emails are not inadvertently blocked. Note that very few TLDs respect the `np` tag that would automatically reject emails from non-existent domains, so waiting for DMARCbis may be necessary.

Key findings

  • DMARC 'sp=reject': The 'sp=reject' tag instructs receiving mail servers to reject emails from non-existent subdomains that fail DMARC checks.
  • SPF/DKIM Required: Correctly configured SPF and DKIM are essential for DMARC to function properly and prevent blocking legitimate emails.
  • DMARC Reports: Monitoring DMARC reports is crucial for identifying authentication failures, refining DMARC policies, and ensuring valid emails are not blocked.
  • Spoofing Protection: Implementing a DMARC reject policy significantly reduces the risk of domain spoofing.
  • DMARC Record Components: A complete DMARC record should include version, policy (including subdomain policy), and reporting address.
  • TXT Record: You need to publish a TXT record in your DNS with `v=DMARC1; p=reject; sp=reject;`

Key considerations

  • Monitor Reports: Continuously analyze DMARC reports to refine configurations and minimize the risk of blocking legitimate emails.
  • Proper Configuration: Ensure SPF and DKIM are correctly configured before enabling DMARC reject to avoid deliverability issues.
  • Test Configuration: Thoroughly test your DMARC configuration before implementing a reject policy to prevent unintended consequences.
  • Non-existent Domain Handling: An automatic reject for non-existent domains is possible, but it needs to be added by the TLD operator using an `np` tag.
  • DMARCbis: Few TLDs respect `np` tags, so waiting for DMARCbis, which is under review, may be necessary.
  • ServerHold Domains: If a domain is on ServerHold, meaning its NS will not resolve, email providers should not accept a message from it, since the domain will have no MX or A record.
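To make the tag precedence above concrete, here is an added example (not code from this page or from any of the sources it cites) that parses a DMARC TXT record and decides which policy a receiver would apply to a given From domain: `p` for the organizational domain, `sp` for an existing subdomain, and the DMARCbis `np` tag for a subdomain with no A, AAAA or MX record, which is how the ServerHold case on this page looks from the receiver's side. It assumes a constructed in-memory DNS table and a two-label organizational-domain heuristic instead of the Public Suffix List.

```python
"""Added example (not from this page): pick the DMARC policy that applies to a
sender domain, using the tag precedence the page describes: 'p' for the
organizational domain, 'sp' for subdomains, and the DMARCbis 'np' tag for
subdomains that do not exist in DNS. DNS data is a constructed in-memory table."""

# Constructed zone data: name -> record types present. A name missing from the
# table models NXDOMAIN (e.g. the ServerHold case): no A/AAAA/MX to deliver to.
DNS = {
    "example.com": {"A", "MX"},
    "mail.example.com": {"A", "MX"},
}
# Constructed DMARC records, keyed by the _dmarc label where they are published.
DMARC_TXT = {
    "_dmarc.example.com": "v=DMARC1; p=reject; sp=quarantine; np=reject; rua=mailto:dmarc@example.com",
}

def parse_dmarc(txt):
    """Parse 'tag=value; tag=value' into a dict; v=DMARC1 and p are mandatory."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if part:
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a usable DMARC record: %r" % txt)
    return tags

def org_domain(domain):
    """Organizational domain as the last two labels (assumption: no Public Suffix List)."""
    return ".".join(domain.split(".")[-2:])

def domain_exists(name):
    """A name exists for mail purposes if it has an A, AAAA or MX record."""
    return bool(DNS.get(name, set()) & {"A", "AAAA", "MX"})

def effective_policy(from_domain):
    """Return (policy, tag) for mail whose RFC5322.From domain is from_domain."""
    from_domain = from_domain.lower().rstrip(".")
    own = DMARC_TXT.get("_dmarc." + from_domain)
    if own is not None:                      # domain publishes its own record
        return (parse_dmarc(own)["p"], "p")
    txt = DMARC_TXT.get("_dmarc." + org_domain(from_domain))
    if txt is None:                          # no record at the org domain either
        return ("none", None)
    tags = parse_dmarc(txt)
    if "np" in tags and not domain_exists(from_domain):
        return (tags["np"], "np")            # non-existent subdomain
    if "sp" in tags:
        return (tags["sp"], "sp")            # existing subdomain
    return (tags["p"], "p")                  # sp absent: fall back to p
```

Dropping `np` from the constructed record shows why the page recommends `sp=reject` today: without `np`, a non-existent subdomain falls through to `sp`, and with neither tag it inherits `p`.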

What email marketers say

12 marketer opinions

Implementing a DMARC reject policy for non-existent domains involves setting the 'sp=reject' tag in your DMARC record to instruct receiving mail servers to reject emails appearing to come from these subdomains. This helps prevent spam and unauthorized use of your domain. It's crucial to have properly configured SPF and DKIM, and to continuously monitor DMARC reports to avoid blocking legitimate emails due to misconfigurations.

Key opinions

  • DMARC 'sp=reject': Setting the 'sp=reject' tag in your DMARC record instructs receiving mail servers to reject emails from non-existent subdomains.
  • SPF/DKIM Required: Properly configured SPF and DKIM are essential for DMARC to function correctly and avoid blocking legitimate emails.
  • DMARC Reports: Monitoring DMARC reports is crucial for identifying authentication failures and potential spoofing attempts, allowing you to refine your DMARC policy.
  • TLD option needed: An automatic reject for non-existent domains is possible, but it needs to be added by the TLD operator using an `np` tag.

Key considerations

  • Monitor Reports: Continuously analyze DMARC reports to refine your configuration and minimize the risk of blocking legitimate emails.
  • Testing: Test your DMARC configuration thoroughly before fully implementing the reject policy to prevent unintended consequences.
  • Proper Configuration: Ensure SPF and DKIM are correctly configured before enabling DMARC reject to avoid deliverability issues.
  • np tags: Very few TLDs use `np` tags, which would reject emails from non-existent domains, so it might be best to wait for DMARCbis.

Marketer view

Marketer from Email Geeks explains that even though the domain has a ServerHold, meaning the NS will not resolve and you can't add any records, email providers should not accept the message since it will not have a working MX or A record.

19 Feb 2025 - Email Geeks

Marketer view

Email marketer from Multiplier explains that you should set the subdomain policy to reject, but only after carefully implementing SPF and DKIM. Further, that continuous monitoring is essential to ensure legitimate email is correctly identified.

23 Mar 2022 - Multiplier

What the experts say

5 expert opinions

Implementing a DMARC reject policy requires correctly configured SPF and DKIM to prevent legitimate emails from being blocked. Monitoring DMARC reports is crucial for addressing authentication issues and refining the policy. The 'p=reject' tag tells email providers to reject unauthenticated emails.

Key opinions

  • SPF/DKIM: Correctly configured SPF and DKIM are essential to prevent blocking legitimate emails.
  • DMARC Reports: Monitoring DMARC reports is crucial for identifying authentication failures and refining the DMARC policy.
  • DMARC 'p=reject': The 'p=reject' tag instructs email providers to reject unauthenticated emails.

Key considerations

  • Monitoring: Diligently monitor DMARC reports to address issues and refine your DMARC policy.
  • Best Guess SPF: Best guess SPF is outdated and should be avoided.
  • DMARCbis: DMARCbis is under review and may offer improvements or changes to the current DMARC standards.

Expert view

Expert from Email Geeks shares that best guess SPF was a good idea at one point, but now it needs to go away.

30 Sep 2023 - Email Geeks

Expert view

Expert from Word to the Wise explains that when implementing DMARC, particularly the reject policy, it's essential to ensure SPF and DKIM are correctly configured to avoid blocking legitimate emails. Monitoring DMARC reports is also crucial for identifying and addressing any authentication issues before fully enforcing the reject policy.

20 Jul 2023 - Word to the Wise

What the documentation says

5 technical articles

Implementing a DMARC reject policy for non-existent subdomains involves using the 'sp=reject' tag in the DMARC record. This instructs recipient servers to refuse unauthenticated emails from those subdomains, reducing the risk of domain spoofing. It's crucial to monitor DMARC reports to identify legitimate email sources before full implementation.

Key findings

  • DMARC 'sp=reject' Tag: The 'sp=reject' tag is used to instruct receiving mail servers to reject emails from non-existent subdomains that fail DMARC authentication.
  • Spoofing Reduction: Implementing a DMARC reject policy significantly reduces the risk of domain spoofing.
  • DMARC Reports: Monitoring DMARC reports is essential for identifying legitimate email sources and preventing the blocking of valid emails.
  • Complete DMARC Record: A complete DMARC record should include version, policy (including subdomain policy), and reporting address.

Key considerations

  • Monitor Reports: Carefully monitor DMARC reports to identify and address any authentication issues before fully enforcing the 'reject' policy.
  • Prevent Abuse: Setting the subdomain policy to 'reject' prevents abuse from non-existent subdomains.
  • Protect Subdomains: Using DMARC with 'sp=reject' helps protect subdomains from spoofing by ensuring that only properly aligned emails are accepted.

Technical article

Documentation from RFC Editor specifies that a DMARC policy can include instructions for handling messages from non-existent subdomains, using the "sp" tag with a value of "reject" to indicate that such messages should be rejected.

19 Sep 2021 - RFC Editor

Technical article

Documentation from Google Workspace Admin Help details that subdomain policy is configured using the `sp` tag, and specifies that setting `sp=reject` tells receiving mail servers to reject messages from subdomains that don't align with your DMARC policies, thereby protecting those subdomains from spoofing.

5 May 2024 - Google
