DMARC glossary
What does the np tag mean in a DMARC record?

By Samuel Chenard · CEO & Co-Founder, Palisade · Reviewed July 15, 2026
The np tag sets the DMARC policy for non-existent subdomains — names with no A, AAAA, or MX records, like an invoices.yourdomain.com an attacker just invented. Defined in RFC 9091 (experimental), it defaults to the sp value, which itself defaults to p. Receivers that don't support it simply ignore it.
np at a glance | |
|---|---|
| Tag | np (non-existent subdomain policy) |
| Valid values | none · quarantine · reject |
| Default | Defaults to sp's value; if sp is absent too, to p. |
| Where it goes | Alongside sp, e.g. v=DMARC1; p=quarantine; sp=quarantine; np=reject; |
How np works
np exists because attackers don't limit themselves to your real subdomains. Spoofing a made-up name like secure-payments.yourdomain.com works just as well on the victim — the brand is right there in the address. RFC 9091 added np so you can treat those fabricated names differently from subdomains that actually host services.
A non-existent subdomain, per the RFC, is one that resolves to no A, AAAA, or MX records. That's the useful property: no legitimate mail can plausibly originate from a name with no mail infrastructure, so np=reject is safe even while the rest of the domain is still mid-rollout at quarantine or none. It's a free win — hard enforcement where there's nothing legitimate to break.
The honest caveat: RFC 9091 is experimental, and np is honored by a growing subset of receivers rather than all of them. Where it's unsupported, receivers fall back to sp or p as they always did — so adding it costs nothing and hardens you wherever it is supported.
Correct record vs common mistake
Correct
v=DMARC1; p=quarantine; sp=quarantine; np=reject; rua=mailto:dmarc@yourdomain.comReal domains ramp carefully at quarantine; fabricated subdomains are rejected outright — nothing legitimate sends from a name that doesn't exist.
Common mistake
v=DMARC1; p=reject; np=noneThis actively opens a hole: without np, non-existent subdomains would inherit reject. Setting np=none makes invented subdomains the softest target on the domain.
Generate your DMARC record
Build the exact TXT record to publish — pick a policy, add a reporting address, copy. Free, no signup.
Used to show the exact host name to publish — the record itself doesn't contain it.
Start at none to observe, then tighten once reports look clean.
Where daily XML summaries are sent. Comma-separate multiple addresses.
Advanced options (sp, alignment, pct, ruf)
Subdomains inherit p unless you set this. Attackers love unused subdomains — reject is a strong choice once you're at enforcement.
Relaxed allows subdomain matches (mail.yourdomain.com signs for yourdomain.com). Strict requires an exact match — most domains should stay relaxed.
Same idea for the SPF (Return-Path) domain.
Applies quarantine/reject to a percentage of failing mail during rollout. Retired in DMARCbis — use briefly if at all.
Per-message failure samples. Rarely sent by large providers; contains message data.
Your DMARC record
Publish this as a TXT record in your DNS.
_dmarc.yourdomain.com
v=DMARC1; p=none;
Record type: TXT · TTL: your provider's default (e.g. 3600) is fine.
After you publish
- Add the TXT record at your DNS host and allow up to an hour for propagation.
- Verify it with the free DMARC checker.
- Watch your aggregate reports, fix SPF and DKIM for every legitimate sender, then step up to quarantine and reject.
Troubleshooting np
| Issue | Likely cause | Fix |
|---|---|---|
| Spoofed made-up subdomains still delivered with np=reject set | The receiving server doesn't support the experimental np tag | Expected — coverage varies by receiver. Keep np set and push the whole domain toward p=reject for full coverage |
| np seems to have no effect on a subdomain | The subdomain actually exists — it has an A, AAAA, or MX record, so sp/p governs it | Check the name's DNS; for existing subdomains, tighten sp instead |
| Unsure whether np is even being read | Tag placement or syntax error in the record | Validate the full record with a DMARC checker — a malformed tag list can break more than just np |
See this on your own domain
Enter your domain — the check runs instantly on the next page. Free, no signup.
Why it matters for MSPs
Phishers who can't spoof a client's protected apex will invent subdomains instead — and the client's brand takes the hit either way. Across 50–200 tenants still mid-rollout, np=reject is the cheapest hardening available: it blocks fabricated-subdomain spoofing on every domain that hasn't reached full reject yet.
Trusted by MSPs
“Their responsive support, agent task lists, white-label reporting, and centralized dashboard make managing our customer domains, effortless.”
Bobby Ghoshal — CEO, dupe.com

































Enforce it — don't just monitor it
Palisade's job is getting every client domain to full reject, where np stops mattering — but while a domain is mid-ramp, closing the fabricated-subdomain gap early is exactly the kind of no-downside step that belongs in the rollout.
Free 15-day trial · No credit card · Your own domain free forever (NFR)