DMARC is a powerful tool for protecting sender identity in email. When properly enforced, it protects your domain from exact-domain spoofing, which is the technique used by the majority of business email compromise (BEC).
Below, we’ll walk you through how DMARC works with your subdomains and the sp tag to protect your business from impersonation. First, let’s get on the same page about DMARC enforcement.
The term “enforcement” has some nuance. DMARC enforcement requires a policy of quarantine or reject for your organizational domain and all its subdomains. The percentage setting (if used) must be set to 100.
If even a single subdomain is not at enforcement, the entire domain is not at enforcement.
Why this insistence on subdomains being at enforcement? Because any subdomain—no matter how obscure—is a potential vector for impersonation.
DMARC has a very explicit set of rules for how to handle subdomain policies.
First, some background:
DMARC fixes a substantial problem with older authentication technologies SPF and DKIM by requiring alignment between the domains validated by those standards and the domain shown in the “From” field of the message. The domain that a human recipient sees in the visible “From” field must be the same domain authenticated by SPF or DKIM.
If a message fails authentication—either because it fails SPF or DKIM or because the “From” field doesn’t match the domain authenticated by SPF or DKIM—then the mail receiver takes action on that message based on the DMARC record’s stated policy.
Basic policy tags
- p=none: Tells receivers to deliver messages that fail authentication normally.
- p=quarantine: Tells receivers to put messages that fail authentication into spam.
- p=reject: Tells receivers to delete messages that fail authentication.
Domain owners use the DMARC p tag to specify the policy they’d like mail receivers to apply to any messages that fail authentication.
If they leave it at the default setting, p=none, they will receive DMARC reports, but they will be unprotected from spoofing. The p=none setting tells receivers to treat messages that fail authentication exactly the same as those that pass authentication—in other words, deliver them normally.
Enforcement means using a policy of p=quarantine (which tells receivers to put any messages failing authentication into spam) or p=reject (which tells receivers to delete those messages entirely).
- sp=none: Tells receivers to deliver failing messages normally for the specified subdomain
- sp=quarantine: Tells receivers to quarantine failing messages from specified subdomains.
- sp=reject: Tells receivers to delete failing messages from specified subdomains.
By default, the DMARC policy that is set for an organizational domain will apply to any subdomains—unless a DMARC record has been published for a specific subdomain. However, domain owners may set separate policies for all subdomains with the “sp” tag (for subdomain policy).
It uses the same syntax as the p tag. sp=none tells mail receivers that, whatever policy has been specified for the organizational domain, they should use a policy of “none” for subdomains.
sp=quarantine tells receivers to quarantine failing messages from subdomains, and sp=reject tells them to reject them.
How DMARC policy tags work in practice
With the policy tags above, you can imagine how important it is to ensure your subdomains are protected.
For example, if company.com is at p=reject, but email.company.com is at p=none, spoofers can send messages from email.company.com. In this case, even with an organizational p=reject, spoofers can impersonate the brand and cause all the problems DMARC is intended to solve because DMARC wasn’t actually applied for messages uniformly from the domain.
Your organization might not use subdomains to send email, but your recipients don’t know that. When they see a message from anything related to your brand, they’re likely to trust it. That’s why subdomains can be just as effective impersonation vectors as your main domain.
DMARC is like sunscreen—it’s only effective where applied. Forget to apply it everywhere, and you’re going to get burned.
Bring your DMARC to Enforcement
Fortunately, this is easy to do. Add p=reject on your organizational domain, and do not override it on any subdomains. Now you’re fully protected, and no one can send email as you without your explicit authorization.
This may all seem obvious, but we frequently see unprotected subdomains in the wild, which can neuter the anti-impersonation and anti-fraud value of bringing DMARC to enforcement.
Interested in the brand-enhancing capabilities of BIMI? It’s mandatory that you have DMARC at enforcement on your organizational domain (without sp=none) to take advantage of this new standard.
Protect your brand, customers, and employees. Don’t leave your subdomains open to impersonation.Need help stopping phishing and impersonation attacks? Get continuous DMARC protection at scale with Valimail Enforce.