How DMARC works with subdomains and the sp tag
DMARC is a powerful tool for protecting sender identity in email. Amongst many other benefits, when properly enforced, it protects your domain from exact-domain spoofing, which is the technique used in the majority of business email compromise (BEC) attacks.
However, “enforcement” has some nuance. DMARC enforcement requires a policy of quarantine or reject for your organizational domain and all its subdomains; and the percentage setting, if used, must be set to 100. If even a single subdomain is not at enforcement, the entire domain is not at enforcement.
Why this insistence on subdomains being at enforcement? Because any subdomain, no matter how obscure, is a potential vector for impersonation.
DMARC has a very explicit set of rules for how to handle subdomain policies. In a previous post, we explained how DMARC handles subdomains in email addresses; in this post, we’ll tackle specific subdomain policies set with the sp tag.
First, some background. DMARC fixes a substantial problem with older authentication technologies, SPF and DKIM, by requiring alignment between the domains validated by those standards and the domain shown in the “From” field of the message. In other words, the domain that a human recipient sees, in the visible “From” field, must be the same domain authenticated by SPF or DKIM.
If a message fails authentication — either because it fails SPF or DKIM, or because the “From” field doesn’t match the domain authenticated by SPF or DKIM — then the mail receiver takes action on that message based on the DMARC record’s stated policy.
The basic policy tags
The p tag
Domain owners use the DMARC p tag to specify the policy they’d like mail receivers to apply to any messages that fail authentication.
If they leave it at the default setting, p=none, they will receive DMARC reports but they will be unprotected from spoofing. The p=none setting tells receivers to treat messages that fail authentication exactly the same as those that pass authentication — in other words, deliver them normally.
Enforcement means using a policy of p=quarantine (which tells receivers to put any messages failing authentication into spam) or p=reject (which tells receivers to delete those messages entirely).
The sp tag
By default, the DMARC policy that is set for an organizational domain will apply to any subdomains, unless a DMARC record has been published for a specific subdomain. But domain owners may set separate policies for all subdomains with the “sp” tag (for subdomain policy).
It uses the exact same syntax as the p tag. sp=none tells mail receivers that, whatever policy has been specified for the organizational domain, they should use a policy of “none” for subdomains.
sp=quarantine tells receivers to quarantine failing messages from subdomains, and sp=reject tells them to reject them.
How this works in practice
It should be clear from the above why subdomains need to be protected with enforcement policies.
For example, if company.com is at p=reject, but email.company.com is at p=none, spoofers can send messages from email.company.com. In this case, even with an organizational p=reject, spoofers can impersonate the brand and cause all the problems DMARC is purported to solve, because DMARC wasn’t actually applied uniformly to messages from the domain.
Your organization may not actually use subdomains to send email — but recipients don’t know that. That’s why a subdomain can be just as effective an impersonation vector as the main domain.
In this case, DMARC is like sunscreen: It’s only effective where applied. You need to apply it everywhere.
And this is easy to do. Have p=reject on your organizational domain, and do not override it on any subdomains. Now you’re fully protected and no one can send email as you without your explicit authorization!
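The policy rules from the p and sp sections can be checked mechanically. The following is an added example, not code from the original post: a subdomain's own record wins, otherwise the organizational domain's sp applies, otherwise its p is inherited. The records are constructed sample data standing in for TXT lookups at _dmarc.<domain>, and the organizational domain is passed in by the caller as an assumption (a real receiver derives it from the Public Suffix List).

```python
# Constructed sample data: stands in for TXT lookups at _dmarc.<domain>.
SAMPLE_RECORDS = {
    "company.com": "v=DMARC1; p=reject; rua=mailto:reports@company.com",
    "email.company.com": "v=DMARC1; p=none",
    "example.org": "v=DMARC1; p=reject; sp=none",
    "example.net": "v=DMARC1; p=quarantine; pct=50",
}

def parse_dmarc(txt):
    """Split a DMARC TXT record into a tag -> value dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip().lower()] = value.strip()
    return tags

def effective_policy(domain, org_domain, records):
    """Return (policy, pct, source) a receiver would apply to mail from `domain`.

    Assumption: org_domain is supplied by the caller, not derived here.
    """
    if domain in records:
        # A record published for this exact domain takes precedence.
        tags = parse_dmarc(records[domain])
        policy, source = tags.get("p", "none"), domain + " p"
    elif domain != org_domain and org_domain in records:
        # Subdomain without its own record: use the org domain's sp,
        # falling back to its p when no sp tag is present.
        tags = parse_dmarc(records[org_domain])
        if "sp" in tags:
            policy, source = tags["sp"], org_domain + " sp"
        else:
            policy, source = tags.get("p", "none"), org_domain + " p (inherited)"
    else:
        # No DMARC record anywhere: nothing for the receiver to enforce.
        return ("none", 100, "no record")
    return (policy.lower(), int(tags.get("pct", "100")), source)

def at_enforcement(domain, org_domain, records):
    """Enforcement = quarantine or reject, applied to 100% of mail."""
    policy, pct, _ = effective_policy(domain, org_domain, records)
    return policy in ("quarantine", "reject") and pct == 100
```

Running at_enforcement over every hostname in a zone shows which subdomains are overridden to p=none or exposed by an organizational sp=none.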
This may all seem obvious, but we frequently see unprotected subdomains in the wild, which can neuter the anti-impersonation and anti-fraud value of bringing DMARC to enforcement.
Further, if the brand-enhancing capabilities of BIMI are of interest to you, it is mandatory that you have DMARC at enforcement on your organizational domain — without sp=none — in order to take advantage of this new standard.
Protect yourself. Protect your brand. Protect your customers. Protect your employees. Don’t leave your subdomains open to impersonation.