Which DMARC tag specifies the policy for subdomains?
Michael Ko
Co-founder & CEO, Suped
Published 1 May 2025
Updated 23 Oct 2025
7 min read
When deploying DMARC, understanding how policies apply across your entire domain landscape, including subdomains, is crucial for comprehensive email security. A common question arises about controlling the DMARC policy for different parts of your domain hierarchy. You might want a strict policy for your main domain but a more relaxed one for specific subdomains, or vice-versa.
The good news is that DMARC provides a specific tag designed to address this exact scenario. This tag allows you to define a separate policy for your subdomains, ensuring that unauthorized emails originating from them are handled according to your precise instructions. Properly configuring this tag is a key step in strengthening your overall email authentication posture and preventing sophisticated phishing attacks.
The DMARC 'sp' tag for subdomains
The DMARC tag that specifies the policy for subdomains is the sp tag, which stands for subdomain policy. This tag is an optional, yet powerful, component within your DMARC record that dictates how email receivers should handle messages purporting to be from your subdomains.
By default, if the sp tag is not explicitly included in your DMARC record, the policy defined by the p tag for the organizational (root) domain will apply to all subdomains. This default behavior can sometimes lead to unintended consequences, especially if different subdomains have varying email sending requirements or third-party senders. Understanding how the DMARC sp tag affects subdomain policies is essential for precise control.
The value of the sp tag can be set to none, quarantine, or reject, just like the p tag. This provides granular control over how unauthenticated emails from your subdomains are treated, allowing you to gradually enforce stricter policies. You can learn more about this in an article on what the DMARC 'sp' tag is.
Example DMARC record with sp tag (DNS TXT record):
_dmarc.yourdomain.com IN TXT "v=DMARC1; p=quarantine; sp=reject; rua=mailto:reports@yourdomain.com;"
The hierarchy of DMARC policies
The primary purpose of the sp tag is to allow a different policy for subdomains than the one applied to the organizational domain via the p tag. This distinction is vital for businesses that use numerous subdomains, some of which may be legacy systems or third-party services that aren't fully DMARC compliant yet.
For instance, you might want to set p=reject for your main domain to prevent direct domain spoofing, but use sp=quarantine for subdomains while you work to bring all sending sources into alignment. This approach helps in managing the transition to a stricter DMARC policy without immediately impacting legitimate email delivery from subdomains. It's about ensuring DMARC policies for organizational domains and subdomains are aligned with your operational needs.
When 'sp' is not used
If the sp tag is absent from the DMARC record, the p tag's policy will automatically apply to all subdomains. This means if your main domain is set to p=reject, all unauthenticated mail from any subdomain will also be rejected, potentially leading to deliverability issues if not all subdomain senders are DMARC compliant.
When 'sp' is used
Including the sp tag allows you to specify an independent policy for subdomains. For instance, you could have p=reject for your main domain and sp=none for subdomains, giving you time to analyze DMARC reports without disrupting email from subdomains.
It's important to remember that a DMARC record published directly on a subdomain (e.g., _dmarc.sub.yourdomain.com) will always override any sp tag set at the organizational domain level for that specific subdomain. This hierarchy allows for even finer-grained control when necessary. For more details, explore how DMARC records on subdomains override policies.
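The policy lookup described in this section, written out as an added example (not code from the article or from Suped): given a sending domain, it applies the receiver's resolution order, a record published directly on the subdomain first, otherwise the organizational domain's sp tag, otherwise its p tag. The DNS table, the example.com / example.org zones and the simplified "last two labels" organizational-domain rule are constructed assumptions for the demo; real receivers use the Public Suffix List.

```python
"""Added example: resolve the effective DMARC policy for a sending domain.
Uses a constructed in-memory DNS table instead of live lookups."""

# Constructed sample TXT records (assumption for this demo, not real DNS data).
DNS_TXT = {
    "_dmarc.example.com": "v=DMARC1; p=quarantine; sp=reject; rua=mailto:reports@example.com;",
    "_dmarc.legacy.example.com": "v=DMARC1; p=none; rua=mailto:reports@example.com;",
    "_dmarc.example.org": "v=DMARC1; p=reject;",
}


def organizational_domain(domain: str) -> str:
    """Simplified assumption: the last two labels form the organizational domain.
    Production code must consult the Public Suffix List (e.g. for co.uk)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict. A record without v=DMARC1
    is not a DMARC record at all and is treated as absent (empty dict)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else {}


def effective_policy(sender_domain: str) -> tuple:
    """Return (policy, source): the policy a receiver applies to mail claiming
    to come from sender_domain, and which record/tag supplied it."""
    sender_domain = sender_domain.lower().rstrip(".")
    own = parse_dmarc(DNS_TXT.get(f"_dmarc.{sender_domain}", ""))
    if own:
        # A record published directly on the sender domain always wins.
        return own.get("p", "none"), f"p tag of _dmarc.{sender_domain}"
    org = organizational_domain(sender_domain)
    org_tags = parse_dmarc(DNS_TXT.get(f"_dmarc.{org}", ""))
    if org == sender_domain or not org_tags:
        return "none", "no DMARC record found"
    # Subdomain without its own record: sp applies if present, else sp defaults to p.
    if "sp" in org_tags:
        return org_tags["sp"], f"sp tag of _dmarc.{org}"
    return org_tags.get("p", "none"), f"p tag of _dmarc.{org} (sp absent, inherited)"


if __name__ == "__main__":
    for d in ("example.com", "mail.example.com", "legacy.example.com", "news.example.org"):
        print(d, "->", effective_policy(d))
```

Running it shows the three cases side by side: mail.example.com gets reject from the sp tag, legacy.example.com keeps its own p=none, and news.example.org inherits reject because example.org has no sp tag.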
Implementing the 'sp' tag
Setting up the sp tag involves adding it to your DMARC DNS record, typically alongside your v (version) and p (policy) tags. The process is straightforward: you'll edit the TXT record for _dmarc.yourdomain.com in your DNS provider's interface.
When deciding on the sp policy, consider the following best practices:
Start with sp=none: Just like with your organizational domain, begin with sp=none to collect reports and understand your subdomain sending ecosystem without affecting deliverability. You can learn how to set up DMARC records for subdomains more effectively this way.
Gradual enforcement: Once you have a clear picture, move to sp=quarantine and then sp=reject for subdomains, just as you would for your primary domain. This staged approach minimizes disruption.
Monitor reports closely: Pay close attention to your DMARC aggregate reports to identify any legitimate sending sources from subdomains that are failing DMARC authentication. This helps ensure that you aren't blocking legitimate email.
Considerations for subdomains
Be aware that not all subdomains might require or be capable of DMARC compliance immediately. Some legacy systems or specialized third-party services may send mail on behalf of your subdomains without full SPF or DKIM alignment. The sp tag allows you to manage these exceptions without compromising your entire domain. More information on understanding DMARC and subdomains can be helpful.
The importance of DMARC monitoring
Regardless of whether you use the sp tag or rely on the default policy inheritance, continuous DMARC monitoring is non-negotiable. DMARC reports provide invaluable insights into your email ecosystem, revealing unauthorized sending sources and authentication failures from both your main domain and its subdomains.
Effective DMARC monitoring allows you to: identify potential email spoofing (even from subdomains you didn't know were sending email), fix authentication issues before they impact deliverability, and gradually move towards a p=reject policy with confidence. Without proper monitoring, DMARC can be a blind spot rather than a security asset.
AI-Powered Recommendations: Get actionable advice to resolve issues and strengthen your policies effortlessly.
Real-Time Alerts: Stay informed about authentication failures and potential threats as they happen.
Unified Platform: Monitor DMARC, SPF, and DKIM, alongside blocklist and deliverability insights.
SPF Flattening: Solve your SPF lookup limit issues to ensure consistent email authentication.
MSP and Multi-Tenancy Dashboard: Efficiently manage multiple domains from a single, intuitive interface.
For a comprehensive and user-friendly DMARC monitoring solution, Suped offers the best DMARC reporting and monitoring tools available. Our platform provides the actionable insights you need to secure your email and maintain strong deliverability across all your domains and subdomains.
Taking control of your subdomains
The sp DMARC tag is an indispensable tool for managing the security and deliverability of emails sent from your subdomains. By providing explicit control over subdomain policies, it allows you to protect your brand's reputation and ensure that only authenticated emails reach your recipients, while still offering the flexibility needed for complex email infrastructures. Leveraging this tag, alongside robust DMARC monitoring, empowers you to take full control of your email sending. It's not just about setting a record, but about understanding and actively managing your entire email footprint.
Effective implementation of DMARC, including careful consideration of your subdomain policies, is a cornerstone of modern email security. It safeguards your domain from impersonation, reduces the risk of phishing attacks targeting your customers and employees, and ultimately contributes to better inbox placement rates. The journey to a fully enforced DMARC policy, especially across numerous subdomains, requires a strategic approach, but the benefits in security and trustworthiness are immense.