The DMARC sp tag, or subdomain policy, is a crucial component in DMARC records that dictates how email receivers should treat emails from subdomains when no explicit DMARC record is published for those subdomains. Confusion often arises regarding whether sp=none means no policy is applied at all, or if it specifically sets the subdomain policy to p=none. Understanding this distinction is vital for maintaining effective email authentication and preventing spoofing across your entire domain infrastructure.
Key findings
Default inheritance: If the sp tag is absent from the organizational domain's DMARC record, the primary policy (defined by the p tag) is inherited by all subdomains. This is the default DMARC behavior for subdomains.
Explicit sp policy: When the sp tag is present, it explicitly defines the policy for all subdomains that do not have their own published DMARC record. This overrides the default inheritance.
Effect of sp=none: sp=none means that any emails failing DMARC checks from subdomains without their own DMARC record will be treated as if their policy is p=none. This provides visibility (via DMARC reports) but no enforcement for those subdomains.
Subdomain record precedence: If a subdomain publishes its own DMARC record (e.g., _dmarc.sub.example.com), that specific record will always override any sp tag set at the organizational (parent) domain level.
Reporting implications: Regardless of the sp tag's value, DMARC aggregate reports (RUA) will still provide data on email streams from those subdomains, offering insights into their authentication status. Find out more about the list of DMARC tags and their meanings.
Key considerations
Policy enforcement: To enforce a DMARC policy (quarantine or reject) on subdomains without publishing individual records, the parent domain's sp tag must be set to sp=quarantine or sp=reject. This is essential for comprehensive domain protection. Learn more about DMARC policies for organizational domains and subdomains.
Phishing protection: If there's a risk of spoofing on non-existent subdomains, setting a strong sp policy (or implementing np if supported by receivers) can significantly enhance security. For more details on the np tag refer to RFC 7489.
Rollout strategy: Many organizations begin their DMARC journey with p=none and sp=none to monitor traffic and identify all legitimate sending sources before moving to stricter policies like quarantine or reject. This phased approach helps prevent accidental blocking of legitimate emails.
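The inheritance rules above, worked through in code as an added example that is not part of the original page or the Email Geeks discussion: it resolves the effective DMARC policy for a sending domain from a constructed in-memory zone table, and goes beyond the text by also honouring a DMARCbis-style np tag for subdomains that do not exist at all. The zone contents, the simplified two-label organizational-domain lookup and the "no records at all" test for non-existence are assumptions of this example.

```python
# Added example (not the page's own code). Rules applied, in order:
#   1. a DMARC record at the exact domain wins;
#   2. otherwise the organizational domain's record applies: np for a
#      non-existent subdomain (DMARCbis extension), else sp if present,
#      else p is inherited;
#   3. nothing published anywhere means no policy ("none").

# Constructed sample zone: name -> (name exists in DNS?, DMARC TXT or None)
ZONE = {
    "example.com": (True, "v=DMARC1; p=reject; sp=none; np=reject; rua=mailto:dmarc@example.com"),
    "mail.example.com": (True, "v=DMARC1; p=quarantine"),   # own record overrides sp
    "news.example.com": (True, None),                        # exists, no record: sp applies
    "example.org": (True, "v=DMARC1; p=quarantine"),         # no sp: p is inherited
    "shop.example.org": (True, None),
}

def parse_dmarc(txt):
    """Split 'tag=value; tag=value' into a dict keyed by lowercased tag."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags

def org_domain(name):
    """Simplified organizational domain: the last two labels.
    Assumption for this example; real receivers consult the Public Suffix List."""
    labels = name.lower().strip(".").split(".")
    return ".".join(labels[-2:])

def effective_policy(name):
    """Return (policy, reason) for mail whose From: domain is `name`."""
    exists, txt = ZONE.get(name, (False, None))
    if txt:                                   # rule 1: exact record wins
        return parse_dmarc(txt).get("p", "none"), f"own record at _dmarc.{name}"
    org = org_domain(name)
    org_txt = ZONE.get(org, (False, None))[1]
    if org == name or not org_txt:            # rule 3: nothing to inherit from
        return "none", "no DMARC record published"
    tags = parse_dmarc(org_txt)               # rule 2: organizational record
    if not exists and "np" in tags:
        return tags["np"], f"np tag at _dmarc.{org} (non-existent subdomain)"
    if "sp" in tags:
        return tags["sp"], f"sp tag at _dmarc.{org}"
    return tags.get("p", "none"), f"p tag inherited from _dmarc.{org}"

if __name__ == "__main__":
    for host in ("example.com", "mail.example.com", "news.example.com",
                 "ghost.example.com", "shop.example.org"):
        print(host, "->", effective_policy(host))
```

Note that news.example.com ends up at "none" even though the parent enforces p=reject, while shop.example.org inherits quarantine: that is exactly the sp=none versus no-sp distinction the page describes.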
Email marketers often navigate the complexities of DMARC, particularly concerning how policies apply to subdomains. Their primary goal is to ensure legitimate emails reach the inbox while preventing malicious actors from impersonating their brand. The practical implications of the sp tag are crucial for them to manage their sending reputation across all their email streams.
Key opinions
Clarity needed: Many marketers are unsure about the exact behavior of sp=none, questioning if it truly means no policy or a specific p=none for subdomains.
Protecting brand reputation: Marketers prioritize ensuring their subdomains are also protected from unauthorized use to maintain overall brand trust and deliverability.
Simplifying DMARC setup: The desire to manage DMARC policies efficiently without needing a separate record for every subdomain makes the sp tag appealing, especially for large organizations. Understanding DMARC record placement best practices for subdomains is key.
Monitoring spoofing: Even with sp=none, marketers value the DMARC reports that provide visibility into potential spoofing attempts on their subdomains, allowing them to react proactively.
Key considerations
Phased implementation: Many marketers start with a relaxed sp=none policy to gather data, gradually moving to quarantine or reject as they gain confidence in their authentication setup. See simple DMARC examples.
Subdomain purpose: Consider the purpose of each subdomain; some may require more permissive policies (e.g., transactional emails), while others (e.g., marketing emails) might benefit from stricter enforcement. This can influence whether you use an sp tag or individual subdomain DMARC records.
Consistency with brand: Ensuring DMARC alignment and consistent policies across all subdomains is crucial for brand recognition and avoiding deliverability issues. DuoCircle offers a good explanation on what the DMARC 'sp' tag means.
Marketer view
Marketer from Email Geeks explains their situation: We found a syntax error in their parent domain, which prompted a discussion about the sp tag's function and how it affects policy inheritance.
10 Sep 2024 - Email Geeks
Marketer view
Marketer from Email Geeks seeks clarity: I'm trying to understand if setting the parent domain's DMARC sp tag to sp=none truly means no policy is applied to subdomains, or if the full DMARC record is inherited with a p=none policy for them.
10 Sep 2024 - Email Geeks
What the experts say
Experts in email deliverability and DMARC architecture offer critical insights into the nuanced behavior of the sp tag. Their perspectives often delve into the technical specifications, potential risks, and best practices for deploying DMARC across complex domain structures, including considerations for non-existent subdomains and reporting services.
Key opinions
Inheritance without sp: Experts confirm that if the sp tag is omitted from the parent domain's DMARC record, the primary policy (p tag) will apply to all subdomains by default.
Purpose of sp tag: The sp tag should be used specifically when you want a *different* policy for subdomains than the organizational domain, or to explicitly set p=none for them while the parent has a stronger policy.
Mitigating broad spoofing: For situations with botnet-driven spoofing across numerous subdomains, experts suggest a parent policy of p=none combined with sp=reject to catch illegitimate subdomain traffic. Discover how DMARC records on subdomains override root policies.
DMARC reporting for subdomains: It is crucial to include reporting services in any DMARC record, even those published on subdomains, to ensure visibility into their email traffic and authentication results.
The np tag: Some experts mention the np tag (non-existent domain policy) from the DMARCbis proposal, which allows defining a policy for subdomains that don't actually exist, providing an extra layer of protection.
Key considerations
Distinguishing sp=none vs. no sp: It is critical to understand that omitting the sp tag means inheritance of the parent's p policy, while sp=none explicitly sets the subdomain policy to p=none. This is a frequent point of confusion that needs clarification to effectively use DMARC policies like p=none, p=quarantine, or p=reject.
Testing new tags: New DMARC tags like np (from DMARCbis) should be thoroughly tested due to varying receiver support. Even if a tag isn't in RFC 7489, receivers are supposed to ignore it, allowing the record to remain valid, but this behavior might not be universally consistent.
Strategic implementation: The choice between using the sp tag, letting inheritance apply, or creating individual subdomain records depends on the specific domain architecture and desired enforcement level. VerifyDMARC provides more insights.
Expert view
Expert from Email Geeks (steve589) clarifies: If a subdomain does not publish its own DMARC record, and the parent domain has sp=none, then p=none will be the effective policy for that subdomain.
10 Sep 2024 - Email Geeks
Expert view
Expert from Email Geeks (wise_laura) advises: Consider setting the parent domain policy to p=none with sp=reject if you are experiencing widespread spoofing across numerous random subdomains, to shut down illicit traffic.
10 Sep 2024 - Email Geeks
What the documentation says
Official documentation and technical guides provide the definitive rules for DMARC implementation, including the precise function of the sp tag. These sources clarify how DMARC policies are inherited by subdomains and under what conditions the sp tag should be used to manage subdomain policies effectively.
Key findings
Subdomain policy definition: The sp tag is specifically designed to designate how DMARC should process emails from subdomains of the organizational domain.
Default policy cascade: Unless an sp tag is present, the DMARC policy set for the organizational domain will automatically apply to any subdomains. For more info, check if subdomains need their own DMARC records.
Overriding inheritance: The sp tag provides a mechanism to override this default inheritance, allowing for a different policy to be applied to subdomains collectively.
Explicit subdomain records: If a subdomain has its own DMARC record published, that record's policy takes precedence over any sp tag in the organizational domain's record.
Value interpretation: The value of sp (e.g., none, quarantine, or reject) mirrors the behavior of the p tag but applies specifically to subdomains without their own DMARC records.
Key considerations
Unified authentication: Documentation emphasizes that the sp tag helps maintain consistent email authentication policies across an entire domain infrastructure, including its subdomains, for robust email security.
Granular control: While sp provides a blanket policy for subdomains, organizations needing distinct policies for specific subdomains should publish individual DMARC records for those subdomains. Learn how to set up DMARC records for subdomains.
Alignment with SPF and DKIM: The effectiveness of the sp tag relies on proper SPF and DKIM configuration for all sending domains and subdomains. All three protocols work together to authenticate email. SiteGround offers a resource on what a DMARC record is.
Technical article
Documentation from DuoCircle specifies: The DMARC sp tag (subdomain policy) allows domain owners to define how email validation should be handled for their subdomains, ensuring consistent enforcement.
04 Apr 2024 - DuoCircle
Technical article
Documentation from VerifyDMARC explains: To apply a distinct policy to any subdomains, domain administrators should incorporate an sp= tag within their DMARC DNS record.