Summary
The DMARC 'sp' tag is a key element for managing subdomain email policies. It enables domain owners to set specific DMARC policies for their subdomains, which can differ from the parent domain's policy set by the 'p' tag. If the 'sp' tag is not present, subdomains inherit the parent domain's 'p' tag policy. Setting 'sp=none' effectively disables DMARC protection for subdomains, while options like 'sp=reject' or 'sp=quarantine' enforce stricter policies, safeguarding against spoofing. Proper configuration, including consideration of the 'np' tag for non-existent subdomains, is vital for comprehensive domain security and deliverability. A common mistake is neglecting to properly set the 'sp' tag, leaving subdomains vulnerable.
Key findings
- Policy Override: The 'sp' tag allows explicit DMARC policies for subdomains, overriding the parent domain's 'p' tag.
- Inheritance: Subdomains inherit the 'p' tag if the 'sp' tag is absent.
- Spoofing Protection: Setting 'sp=reject' or 'sp=quarantine' hardens subdomains against email spoofing.
- No Tag Effect: If the 'sp' tag is set to 'none', subdomains are not protected by DMARC, irrespective of parent domain policy.
- Unused Domains: For subdomains not sending mail, a DMARC record with an 'sp' tag set to reject or quarantine can prevent misuse.
- Non-Existent Subdomains: The 'np' tag enables defining policies for domains which do not exist
Key considerations
- Subdomain Structure: Understand the subdomain structure and assess the need for differing policies.
- DMARC Setting: Define 'sp' policies that match the level of protection required for each set of subdomains.
- Tag Combination: Explore using 'np=reject' with 'p=none' on parent domains to simplify management while improving overall domain security posture.
- Continuous Monitoring: Monitor DMARC reports regularly to adjust and refine policies, ensuring optimal security and deliverability.
- DMARC Alignment: Ensure correct setup of SPF and DKIM along with DMARC, with special attention paid to the 'sp' tag.
What email marketers say
12 marketer opinions
The DMARC 'sp' tag is a critical component for managing subdomain email policies. It allows domain owners to define specific DMARC policies for subdomains, overriding the parent domain's 'p' tag policy. If 'sp' is not defined, subdomains inherit the 'p' tag. Setting 'sp=none' effectively disables DMARC protection for subdomains, while 'sp=reject' or 'sp=quarantine' enforces stricter policies. Correct configuration of the 'sp' tag is vital to protect subdomains against spoofing and ensure secure email deliverability across the entire domain structure. Common mistakes, like neglecting the 'sp' tag, can leave subdomains vulnerable.
Key opinions
- Policy Control: The 'sp' tag allows specific DMARC policies for subdomains, overriding the parent domain's 'p' tag.
- Inheritance: Without the 'sp' tag, subdomains inherit the 'p' tag policy from the parent domain.
- Security: Proper configuration of the 'sp' tag is crucial for protecting subdomains against email spoofing.
- Default Behavior: If a subdomain lacks a DMARC record, it defaults to the 'sp' tag setting of the parent domain.
- Bypass Effect: Setting the 'sp' tag to none can disable DMARC protection for subdomains.
Key considerations
- Subdomain Usage: Organizations using subdomains must define an 'sp' policy to ensure consistent email security across their domain structure.
- Policy Enforcement: Setting 'sp=reject' or 'sp=quarantine' enforces stricter policies on subdomains, preventing spoofing attempts.
- SPF/DKIM Alignment: Ensure SPF and DKIM are correctly configured along with DMARC to achieve optimal email deliverability and security.
- Monitoring: Regularly monitor DMARC reports to identify and address any email authentication issues, including those related to subdomains.
- Error Prevention: Avoid common DMARC configuration mistakes, such as neglecting the 'sp' tag, which can leave subdomains vulnerable to spoofing.
Marketer view
Marketer from Email Geeks provides an example, illustrating how DMARC policies are applied based on the sp tag and subdomain records.
22 May 2024 - Email Geeks
Marketer view
Email marketer from EmailSecurityFAQ explains that DMARC 'sp' tag is a subdomain policy that allows for the creation of a DMARC rule that applies to any subdomains, this can allow a different policy for subdomains versus the primary domain.
14 Mar 2023 - EmailSecurityFAQ
What the experts say
4 expert opinions
The DMARC 'sp' tag governs how policies are applied to subdomains. When absent, subdomains inherit the parent domain's policy. Explicitly using the 'sp' tag allows for defining distinct policies for subdomains, offering granular control. For subdomains not sending mail, implementing DMARC records with appropriate policies can prevent spoofing. The 'np' tag can be used to define policies for non-existent subdomains. Setting 'p=none, sp=reject' helps manage spoofed emails across subdomains and simplifies DMARC setup.
Key opinions
- Policy Inheritance: Without an 'sp' tag, subdomains inherit the parent domain's DMARC policy.
- Granular Control: The 'sp' tag enables defining specific DMARC policies for individual subdomains.
- Spoofing Prevention: Setting DMARC records with appropriate policies on unused subdomains prevents spoofing.
- Non-Existent Subdomains: The 'np' tag allows defining policies for non-existent subdomains.
- Practical Configuration: Using 'p=none, sp=reject' helps manage subdomain spoofing and simplifies DMARC implementation.
Key considerations
- Policy Strategy: Decide whether to inherit the parent policy or define specific subdomain policies using the 'sp' tag based on organizational needs.
- Subdomain Audit: Identify subdomains that are not used for sending mail and implement DMARC records to prevent spoofing.
- NP Tag Use: Consider using the 'np' tag for non-existent subdomains to further enhance security and prevent misuse.
- Testing and Monitoring: Regularly test and monitor DMARC configurations to ensure effectiveness and address any issues promptly.
- DMARC Simplification: Explore configurations like 'p=none, sp=reject' to simplify DMARC implementation while maintaining essential security.
Expert view
Expert from Spam Resource answers that if your subdomains are not sending mail, set a DMARC record for them and set a policy so spammers can't send mail from those domains. You can do this at the DNS level.
17 Jul 2023 - Spam Resource
Expert view
Expert from Email Geeks shares that there’s also the np tag to define a policy for non existent domains. So if you’re p=none but don’t want folks to forge subdomains that don’t exist you can do p=none, np=reject.
4 Sep 2023 - Email Geeks
What the documentation says
3 technical articles
The 'sp' tag in a DMARC record is used to define a specific policy for subdomains. If the 'sp' tag is absent, the policy defined by the 'p' tag applies to both the domain and its subdomains. The 'sp' tag allows domain owners to implement more restrictive DMARC policies for all subdomains. It is recommended to use the 'sp' tag to prevent abuse of subdomains.
Key findings
- Subdomain Policy Definition: The 'sp' tag defines DMARC policy specifically for subdomains.
- Inheritance Behavior: If 'sp' tag is missing, subdomains inherit the 'p' tag policy from the parent domain.
- Restrictive Policies: The 'sp' tag facilitates implementation of stricter DMARC policies for subdomains.
- Prevention of Abuse: Using the 'sp' tag helps prevent abuse of subdomains through email spoofing.
Key considerations
- Subdomain Security: Evaluate whether subdomains require different or more restrictive policies than the main domain.
- Policy Selection: Carefully consider the 'sp' tag options (none, quarantine, reject) to align with security and deliverability goals.
- Tag Implementation: Implement the 'sp' tag in the DMARC record for appropriate subdomain policy enforcement.
- Abuse Monitoring: Continuously monitor DMARC reports to identify and address any potential subdomain abuse.
Technical article
Documentation from DMARC.org explains that the 'sp' tag in a DMARC record defines the policy for subdomains of the domain in question. If the 'sp' tag is not present, the policy specified by the 'p' tag applies to both the domain and its subdomains. The 'sp' tag allows domain owners to specify a different policy for subdomains.
6 May 2023 - DMARC.org
Technical article
Documentation from Google Workspace Admin Help states that the 'sp' tag, or subdomain policy tag, lets you define a more restrictive DMARC policy for all subdomains. Without the sp tag subdomains inherit the p tag. This tag is optional, but recommended to prevent abuse of subdomains.
5 Aug 2022 - Google Workspace Admin Help
Do I need to set up DMARC for subdomains?
Do subdomains need their own DMARC records if the main domain has one?
Does BIMI trickle down to subdomains and how to control subdomain BIMI display?
How do DMARC policies and RUA/RUF settings inherit or override each other between a domain and its subdomains?
How do DMARC records on subdomains override root domain DMARC policies?
How do I set up DMARC records for subdomains?
