DMARC glossary

What does the np tag mean in a DMARC record?

Samuel Chenard

By Samuel Chenard · CEO & Co-Founder, Palisade · Reviewed July 15, 2026

The np tag sets the DMARC policy for non-existent subdomains — names with no A, AAAA, or MX records, like an invoices.yourdomain.com an attacker just invented. Defined in RFC 9091 (experimental), it defaults to the sp value, which itself defaults to p. Receivers that don't support it simply ignore it.

np at a glance
Tagnp (non-existent subdomain policy)
Valid valuesnone · quarantine · reject
DefaultDefaults to sp's value; if sp is absent too, to p.
Where it goesAlongside sp, e.g. v=DMARC1; p=quarantine; sp=quarantine; np=reject;

How np works

np exists because attackers don't limit themselves to your real subdomains. Spoofing a made-up name like secure-payments.yourdomain.com works just as well on the victim — the brand is right there in the address. RFC 9091 added np so you can treat those fabricated names differently from subdomains that actually host services.

A non-existent subdomain, per the RFC, is one that resolves to no A, AAAA, or MX records. That's the useful property: no legitimate mail can plausibly originate from a name with no mail infrastructure, so np=reject is safe even while the rest of the domain is still mid-rollout at quarantine or none. It's a free win — hard enforcement where there's nothing legitimate to break.

The honest caveat: RFC 9091 is experimental, and np is honored by a growing subset of receivers rather than all of them. Where it's unsupported, receivers fall back to sp or p as they always did — so adding it costs nothing and hardens you wherever it is supported.

Correct record vs common mistake

Correct

v=DMARC1; p=quarantine; sp=quarantine; np=reject; rua=mailto:dmarc@yourdomain.com

Real domains ramp carefully at quarantine; fabricated subdomains are rejected outright — nothing legitimate sends from a name that doesn't exist.

Common mistake

v=DMARC1; p=reject; np=none

This actively opens a hole: without np, non-existent subdomains would inherit reject. Setting np=none makes invented subdomains the softest target on the domain.

Generate your DMARC record

Build the exact TXT record to publish — pick a policy, add a reporting address, copy. Free, no signup.

Used to show the exact host name to publish — the record itself doesn't contain it.

Start at none to observe, then tighten once reports look clean.

Where daily XML summaries are sent. Comma-separate multiple addresses.

Advanced options (sp, alignment, pct, ruf)

Subdomains inherit p unless you set this. Attackers love unused subdomains — reject is a strong choice once you're at enforcement.

Relaxed allows subdomain matches (mail.yourdomain.com signs for yourdomain.com). Strict requires an exact match — most domains should stay relaxed.

Same idea for the SPF (Return-Path) domain.

Applies quarantine/reject to a percentage of failing mail during rollout. Retired in DMARCbis — use briefly if at all.

Per-message failure samples. Rarely sent by large providers; contains message data.

Your DMARC record

Publish this as a TXT record in your DNS.

Host / Name

_dmarc.yourdomain.com

Value (TXT)

v=DMARC1; p=none;

Record type: TXT · TTL: your provider's default (e.g. 3600) is fine.

No rua address set — you'll get no aggregate reports, which means no visibility into who is sending as your domain. Add one before publishing.
p=none is monitoring mode: receivers report but deliver everything, including spoofed mail. It's the right starting point — plan to move to quarantine, then reject, once your reports show all legitimate senders passing.

After you publish

  1. Add the TXT record at your DNS host and allow up to an hour for propagation.
  2. Verify it with the free DMARC checker.
  3. Watch your aggregate reports, fix SPF and DKIM for every legitimate sender, then step up to quarantine and reject.

Troubleshooting np

IssueLikely causeFix
Spoofed made-up subdomains still delivered with np=reject setThe receiving server doesn't support the experimental np tagExpected — coverage varies by receiver. Keep np set and push the whole domain toward p=reject for full coverage
np seems to have no effect on a subdomainThe subdomain actually exists — it has an A, AAAA, or MX record, so sp/p governs itCheck the name's DNS; for existing subdomains, tighten sp instead
Unsure whether np is even being readTag placement or syntax error in the recordValidate the full record with a DMARC checker — a malformed tag list can break more than just np

See this on your own domain

Enter your domain — the check runs instantly on the next page. Free, no signup.

Why it matters for MSPs

Phishers who can't spoof a client's protected apex will invent subdomains instead — and the client's brand takes the hit either way. Across 50–200 tenants still mid-rollout, np=reject is the cheapest hardening available: it blocks fabricated-subdomain spoofing on every domain that hasn't reached full reject yet.

Trusted by MSPs

Their responsive support, agent task lists, white-label reporting, and centralized dashboard make managing our customer domains, effortless.
Bobby GhoshalBobby Ghoshal CEO, dupe.com
Partner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner Logo

Enforce it — don't just monitor it

Palisade's job is getting every client domain to full reject, where np stops mattering — but while a domain is mid-ramp, closing the fabricated-subdomain gap early is exactly the kind of no-downside step that belongs in the rollout.

Free 15-day trial · No credit card · Your own domain free forever (NFR)

Frequently asked questions

A name with no A, AAAA, or MX records in DNS — nothing hosted, no mail routing. If a subdomain resolves to any of those, it's 'existent' and governed by sp (or p) instead.

Yes, in practice. No legitimate sender operates from a subdomain with no DNS presence, so there's no real mail to break — which is why np=reject is sensible even while p is still none or quarantine.

They ignore the tag and fall back to sp, or p if sp is absent — exactly the behavior you'd have without np. Unsupported means unused, not broken.

Functionally no — non-existent subdomains already inherit reject. Some teams keep it as an explicit statement of intent; either way it's harmless.

Related terms

What is DMARC? Email authentication explained