When you're setting up DMARC, you're creating a policy that tells receiving mail servers how to handle emails that claim to be from your domain but fail authentication checks. A common point of confusion is how this policy affects your subdomains. The specific DMARC tag that controls this is the sp tag, which stands for 'subdomain policy'.
This tag is an optional but powerful part of your DMARC record. It allows you to set a different, specific policy for all subdomains of your main domain. For example, you might want a strict policy for your main domain (like suped.com) but a more lenient one for subdomains like marketing.suped.com or support.suped.com, especially when you are just starting your DMARC implementation.
The main DMARC policy is set by the p tag. This policy applies to your primary domain. The sp tag, on the other hand, is specifically for subdomains. An important rule to remember is how these two tags interact. If you do not include an sp tag in your DMARC record, the policy defined in the p tag will automatically be applied to all your subdomains. Two details matter in practice: the sp tag only governs subdomains that do not publish a DMARC record of their own, and receivers only honor it in the record of the organizational domain (the registrable domain, such as yourdomain.com), because that is the record they fall back to when a subdomain has none.
The sp tag can have the same three values as the p tag: none (monitor only), quarantine (treat failing mail as suspicious, typically by routing it to spam), and reject (refuse failing mail outright).
Let's look at a practical example. Imagine you want to enforce a strict policy on your main domain but only monitor your subdomains. Your DMARC record in DNS would look something like this:
v=DMARC1; p=reject; sp=none; rua=mailto:dmarc-reports@yourdomain.com;
In this case, any unauthenticated email from yourdomain.com should be rejected (p=reject). However, for any subdomain like news.yourdomain.com, the policy is set to 'none' (sp=none), meaning the receiver takes no DMARC-based action against failing emails (they may still be filtered for other reasons), but you'll get aggregate reports about them at the rua address. This is a very common strategy for larger organizations with many subdomains.
If you omit the sp tag entirely:
v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@yourdomain.com;
Here, the p=quarantine policy applies to both the main domain and all its subdomains. This is known as policy inheritance: a receiver that finds no _dmarc record at the subdomain itself falls back to the organizational domain's record, and with no sp tag present it reads the p value.
The decision to use the sp tag depends on your organization's email infrastructure. If you have numerous subdomains sending email, some of which might not be fully configured for SPF and DKIM, using sp=none or sp=quarantine is a safe way to roll out a stricter p=reject policy for your main domain without disrupting legitimate email from subdomains. The trade-off is that sp=none leaves every subdomain, including ones that do not exist, open to spoofing, so treat it as a transitional setting: use the aggregate reports (which cover subdomain traffic too) to find and fix the subdomains that are actually sending mail, then tighten sp to quarantine and finally reject. As VerifyDMARC notes, you can use an sp= tag to define a different policy for subdomains.
Alternatively, you can create a specific DMARC record for a particular subdomain. For instance, creating a DMARC record at _dmarc.marketing.yourdomain.com will override any sp policy set on the main domain for mail from marketing.yourdomain.com. Two caveats apply. First, an sp tag inside that subdomain record is ignored by receivers, because they only consult sp in the organizational domain's record. Second, the subdomain record does not cascade downward: mail from a deeper name such as promo.marketing.yourdomain.com with no record of its own falls back to _dmarc.yourdomain.com, not to the marketing record, so it is governed by the main domain's sp (or p) tag. This gives you granular control but requires more management. In summary, the sp tag is your primary tool for setting a blanket DMARC policy for all your subdomains, providing a critical layer of control and flexibility in your email security posture.
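The policy discovery rules described above (sp applied to subdomains without their own record, inheritance of p when sp is absent, a subdomain's own record taking precedence, and sp ignored in subdomain records) are easiest to check by walking through them in code. The following is an added example written for this article, not code from the original page or from any DMARC vendor. It resolves the effective policy the way RFC 7489 section 6.6.3 describes, against a constructed in-memory set of DNS TXT records. The record contents, the domain names and the tiny public-suffix set used to find the organizational domain are all assumptions for illustration; real code should query DNS and use the full Public Suffix List.

```python
"""
DMARC policy discovery (RFC 7489 section 6.6.3) against constructed,
in-memory DNS TXT records. Added example, not code from the original
article. The records, names and public-suffix set below are assumptions.
"""
from typing import Optional

# Assumption: a stand-in for the Public Suffix List with just three entries.
PUBLIC_SUFFIXES = {"com", "org", "co.uk"}

# Constructed TXT records keyed by owner name (illustrative only).
DNS_TXT = {
    "_dmarc.yourdomain.com":
        "v=DMARC1; p=reject; sp=none; rua=mailto:dmarc-reports@yourdomain.com;",
    # Subdomain with its own record; its sp tag must be ignored by receivers.
    "_dmarc.marketing.yourdomain.com":
        "v=DMARC1; p=quarantine; sp=reject;",
    # Record with no sp tag: p is inherited by subdomains.
    "_dmarc.inherit.co.uk":
        "v=DMARC1; p=quarantine; rua=mailto:reports@inherit.co.uk;",
}


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict with lower-cased tag names."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def organizational_domain(domain: str) -> str:
    """Return the registrable domain: one label above the longest matching suffix."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            # The name is itself a public suffix; nothing above it to return.
            return domain if i == 0 else ".".join(labels[i - 1:])
    return domain  # no suffix matched; treat the whole name as organizational


def lookup_dmarc(domain: str) -> Optional[dict]:
    """Fetch and validate the _dmarc record for `domain`, or None if absent/invalid."""
    record = DNS_TXT.get(f"_dmarc.{domain}")
    if record is None:
        return None
    tags = parse_dmarc(record)
    # A record must start with v=DMARC1 and carry a p tag to be usable.
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return None
    return tags


def effective_policy(from_domain: str) -> Optional[str]:
    """
    Return the policy ('none', 'quarantine' or 'reject') a receiver applies to
    mail whose From domain is `from_domain`, or None when no record governs it.
    """
    from_domain = from_domain.lower().rstrip(".")
    org = organizational_domain(from_domain)

    # Step 1: a record at the exact From domain wins. Only its p tag is used
    # here; an sp tag in a subdomain record is never consulted.
    exact = lookup_dmarc(from_domain)
    if exact is not None:
        return exact["p"]
    if from_domain == org:
        return None  # organizational domain with no record: no DMARC policy

    # Step 2: fall back to the organizational domain's record. sp governs
    # subdomains when present; otherwise p is inherited.
    org_record = lookup_dmarc(org)
    if org_record is None:
        return None
    return org_record.get("sp", org_record["p"])


if __name__ == "__main__":
    for name in ("yourdomain.com", "news.yourdomain.com",
                 "marketing.yourdomain.com", "promo.marketing.yourdomain.com",
                 "inherit.co.uk", "mail.inherit.co.uk", "nobody.example.org"):
        print(f"{name:32} -> {effective_policy(name)}")
```

Running it shows the four behaviours side by side: yourdomain.com resolves to reject from p, news.yourdomain.com to none from sp, marketing.yourdomain.com to quarantine from its own record, and promo.marketing.yourdomain.com to none, because discovery skips the marketing record and goes straight to the organizational domain. inherit.co.uk and mail.inherit.co.uk both resolve to quarantine, which is inheritance in action, and a domain with no record at all yields None.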