How DMARC works with subdomains and the sp tag

Learn how DMARC works with your subdomains and the sp tag to bring DMARC to enforcement and protect your business from impersonation.
How DMARC works with subdomains

TLDR: By default, subdomains inherit your organizational domain’s DMARC policy. The sp tag (subdomain policy) lets you set a different policy for all subdomains that don’t publish their own record: sp=none, sp=quarantine, or sp=reject. To reach true enforcement, set p=reject on your organizational domain and don’t weaken it with sp=none. A newer tag, np, sets the policy for non-existent subdomains.


DMARC is a powerful tool for protecting sender identity in email. When properly enforced, it protects your domain from exact-domain spoofing, which is the technique used by the majority of business email compromise (BEC).

Below, we’ll walk you through how DMARC works with your subdomains and the sp tag to protect your business from impersonation. First, let’s get on the same page about DMARC enforcement.

DMARC enforcement

The term “enforcement” has some nuance. DMARC enforcement requires a policy of quarantine or reject for your organizational domain and all its subdomains.

If even a single subdomain is not at enforcement, the entire domain is not at enforcement.

Why this insistence on subdomains being at enforcement? Because any subdomain—no matter how obscure—is a potential vector for impersonation.

DMARC has a very explicit set of rules for how to handle subdomain policies.

First, some background: 

DMARC fixes a substantial problem with older authentication technologies SPF and DKIM by requiring alignment between the domains validated by those standards and the domain shown in the “From” field of the message. The domain that a human recipient sees in the visible “From” field must be the same domain authenticated by SPF or DKIM.

If a message fails authentication—either because it fails SPF or DKIM or because the “From” field doesn’t match the domain authenticated by SPF or DKIM—then the mail receiver takes action on that message based on the DMARC record’s stated policy.

Basic policy tags

p tag

TLDR:

  • p=none: Tells receivers to deliver messages that fail authentication normally.
  • p=quarantine: Tells receivers to put messages that fail authentication into spam.
  • p=reject: Tells receivers to delete messages that fail authentication.

Domain owners use the DMARC p tag to specify the policy they’d like mail receivers to apply to any messages that fail authentication.

If they leave it at the default setting, p=none, they will receive DMARC reports, but they will be unprotected from spoofing. The p=none setting tells receivers to treat messages that fail authentication exactly the same as those that pass authentication—in other words, deliver them normally.

Enforcement means using a policy of p=quarantine (which tells receivers to put any messages failing authentication into spam) or p=reject (which tells receivers to delete those messages entirely).

sp tag

TLDR:

  • sp=none: Tells receivers to deliver failing messages normally for the specified subdomain
  • sp=quarantine: Tells receivers to quarantine failing messages from specified subdomains.
  • sp=reject: Tells receivers to delete failing messages from specified subdomains.

By default, the DMARC policy that is set for an organizational domain will apply to any subdomains—unless a DMARC record has been published for a specific subdomain. However, domain owners may set separate policies for all subdomains with the “sp” tag (for subdomain policy).

It uses the same syntax as the p tag. sp=none tells mail receivers that, whatever policy has been specified for the organizational domain, they should use a policy of “none” for subdomains.

sp=quarantine tells receivers to quarantine failing messages from subdomains, and sp=reject tells them to reject them.

The np tag and non-existent subdomains

The p and sp tags both handle domains that exist. But what about a subdomain you never created?

That’s the gap the np tag fills. Added in the 2026 DMARC spec update, np sets the policy for non-existent subdomains, addresses that aren’t in your DNS at all. It matters because a domain fully locked down at p=reject can still be spoofed through a made-up subdomain like billing-support.yourdomain.com, unless something tells receivers what to do with mail from subdomains that don’t exist.

Here’s how the three tags split the work:

  • p sets the policy for your organizational domain.
  • sp sets the policy for real subdomains that don’t publish their own record.
  • np sets the policy for subdomains that don’t exist.

The np tag uses the same values as the others: none, quarantine, and reject. When it’s absent, receivers fall back to sp, and then to p. So to shut the door on fabricated subdomains, add np=reject to your organizational domain’s record. It tells every supporting receiver to reject mail from any subdomain you never set up.

Note: Receiver support for np is still rolling out, so treat it as an extra layer on top of a solid p=reject. Adding it is a simple one-tag change, and your existing record stays valid.

How DMARC policy tags work in practice

With the policy tags above, you can imagine how important it is to ensure your subdomains are protected. 

For example, if company.com is at p=reject, but email.company.com is at p=none, spoofers can send messages from email.company.com. In this case, even with an organizational p=reject, spoofers can impersonate the brand and cause all the problems DMARC is intended to solve because DMARC wasn’t actually applied for messages uniformly from the domain.

Your organization might not use subdomains to send email, but your recipients don’t know that. When they see a message from anything related to your brand, they’re likely to trust it. That’s why subdomains can be just as effective impersonation vectors as your main domain.

DMARC is like sunscreen—it’s only effective where applied. Forget to apply it everywhere, and you’re going to get burned.

Bring your DMARC to enforcement

Fortunately, this is easy to do. Add p=reject on your organizational domain, and do not override it on any subdomains. Now you’re fully protected, and no one can send email as you without your explicit authorization.

This may all seem obvious, but we frequently see unprotected subdomains in the wild, which can neuter the anti-impersonation and anti-fraud value of bringing DMARC to enforcement.

Interested in the brand-enhancing capabilities of BIMI? It’s mandatory that you have DMARC at enforcement on your organizational domain (without sp=none) to take advantage of this new standard.

Protect your brand, customers, and employees. Don’t leave your subdomains open to impersonation. Need help stopping phishing and impersonation attacks? Get continuous DMARC protection at scale with Valimail Enforce.

Frequently asked questions

Do subdomains inherit the parent domain’s DMARC policy?

Yes. By default, a subdomain follows the organizational domain’s p policy, unless you set an sp tag on the parent domain or publish a separate DMARC record on the subdomain itself. So if your root domain is at p=reject, subdomains without their own record are covered too.

What is the sp tag in DMARC?

The sp tag sets the DMARC policy for all subdomains that don’t publish their own record. It uses the same values as the p tag: sp=none delivers failing subdomain mail normally, sp=quarantine sends it to spam, and sp=reject blocks it. If you don’t set sp, subdomains inherit the p policy.

What does sp=none mean?

sp=none tells receivers to take no action on subdomain mail that fails DMARC, even if your organizational domain is at p=reject. It’s a common misconfiguration: the root domain looks protected, but every subdomain is left open to spoofing. Avoid sp=none unless you have a specific reason and are monitoring closely.

Do I need a separate DMARC record for every subdomain?

No. Setting p=reject on your organizational domain (and not overriding it with a weaker sp) protects every subdomain that doesn’t publish its own record. You only need a dedicated subdomain record when a subdomain uses different senders or needs its own reporting or a separate rollout pace.

What is the np tag, and how is it different from sp?

The np tag, added in the 2026 DMARC spec update, sets the policy for non-existent subdomains, ones that don’t exist in your DNS at all. sp governs real subdomains without their own record; np closes the gap that let attackers spoof made-up subdomains like billing-support.yourdomain.com. When it’s absent, receivers fall back to sp, then to p. If you want to lock this down, np=reject rejects mail from any subdomain you never created.

Get started for free
with Monitor

Start your path to DMARC enforcement with a panoramic view of the traffic being sent on your behalf.
No trial offers, credit cards, or obligations.

Explore all Valimail
has to offer

Go one step further than visibility…Take action! Reach DMARC enforcement faster. Stay compliant with evolving sender requirements. All while protecting your brand.

[UPCOMING WEBINAR] Valimail Product Release: Get Better Brand Protection and Brand Impressions – Register HERE