DMARC glossary

What does the sp tag mean? DMARC subdomain policy explained

Samuel Chenard

By Samuel Chenard · CEO & Co-Founder, Palisade · Reviewed July 15, 2026

The sp tag sets the DMARC policy for subdomains of your organizational domain — every anything.yourdomain.com. It takes the same values as p (none, quarantine, reject), and if it's absent, subdomains simply inherit the p policy. The trap: sp=none beside p=reject leaves every subdomain spoofable while the apex looks locked.

sp at a glance
Tagsp (subdomain policy)
Valid valuesnone · quarantine · reject
DefaultIf omitted, subdomains inherit the p value — which is usually what you want.
Where it goesAfter the p tag, e.g. v=DMARC1; p=reject; sp=reject;

How sp works

A DMARC record published at _dmarc.yourdomain.com covers more than the apex domain. When mail claims to be from a subdomain that has no DMARC record of its own — billing.yourdomain.com, mail.yourdomain.com — receivers fall back to the organizational domain's record, and sp decides which policy applies. No sp tag means the subdomain gets whatever p says.

The legitimate use case is a split rollout: the apex is ready for reject but a subdomain still sends unaligned mail, so you set sp=quarantine or sp=none temporarily while you fix it. The dangerous use case is the same record left permanently — p=reject; sp=none means an attacker can't spoof yourdomain.com but can freely spoof invoices.yourdomain.com, which looks just as convincing to the person reading the email.

A subdomain can also publish its own _dmarc record, which overrides the organizational domain's sp for that name. In practice most subdomains don't, so sp (or the inherited p) is what actually governs them.

Correct record vs common mistake

Correct

v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@yourdomain.com

Apex and subdomains both at reject — explicit sp makes the intent auditable, though omitting it here would inherit the same policy.

Common mistake

v=DMARC1; p=reject; sp=none

The apex is protected, but every subdomain is fully spoofable. Attackers just move to billing.yourdomain.com — same brand, zero enforcement.

Generate your DMARC record

Build the exact TXT record to publish — pick a policy, add a reporting address, copy. Free, no signup.

Used to show the exact host name to publish — the record itself doesn't contain it.

Start at none to observe, then tighten once reports look clean.

Where daily XML summaries are sent. Comma-separate multiple addresses.

Advanced options (sp, alignment, pct, ruf)

Subdomains inherit p unless you set this. Attackers love unused subdomains — reject is a strong choice once you're at enforcement.

Relaxed allows subdomain matches (mail.yourdomain.com signs for yourdomain.com). Strict requires an exact match — most domains should stay relaxed.

Same idea for the SPF (Return-Path) domain.

Applies quarantine/reject to a percentage of failing mail during rollout. Retired in DMARCbis — use briefly if at all.

Per-message failure samples. Rarely sent by large providers; contains message data.

Your DMARC record

Publish this as a TXT record in your DNS.

Host / Name

_dmarc.yourdomain.com

Value (TXT)

v=DMARC1; p=none;

Record type: TXT · TTL: your provider's default (e.g. 3600) is fine.

No rua address set — you'll get no aggregate reports, which means no visibility into who is sending as your domain. Add one before publishing.
p=none is monitoring mode: receivers report but deliver everything, including spoofed mail. It's the right starting point — plan to move to quarantine, then reject, once your reports show all legitimate senders passing.

After you publish

  1. Add the TXT record at your DNS host and allow up to an hour for propagation.
  2. Verify it with the free DMARC checker.
  3. Watch your aggregate reports, fix SPF and DKIM for every legitimate sender, then step up to quarantine and reject.

Troubleshooting sp

IssueLikely causeFix
Spoofed subdomain mail delivered despite p=rejectsp=none (or sp=quarantine) in the record overrides the apex policy for subdomainsAlign the subdomain's legitimate senders, then set sp=reject or remove sp to inherit p
Legitimate subdomain mail quarantined after tightening spA subdomain sender (portal, notification service) was never aligned in SPF/DKIMFind it in the aggregate reports, align it, then re-tighten — don't leave sp weakened
Subdomain behaves differently than the sp tag saysThe subdomain publishes its own _dmarc record, which takes precedenceCheck DNS at _dmarc.<subdomain> and consolidate — one governing record per name

See this on your own domain

Enter your domain — the check runs instantly on the next page. Free, no signup.

Why it matters for MSPs

Client domains sprawl subdomains — helpdesk portals, marketing platforms, regional sites — and each one is a spoofing surface. Across 50–200 tenants, an sp=none left over from an old rollout multiplies into hundreds of unprotected names that every audit checklist misses, because the apex record “has p=reject.”

Trusted by MSPs

Their responsive support, agent task lists, white-label reporting, and centralized dashboard make managing our customer domains, effortless.
Bobby GhoshalBobby Ghoshal CEO, dupe.com
Partner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner Logo

Enforce it — don't just monitor it

Palisade watches the aggregate reports for subdomain traffic too — so unaligned subdomain senders get identified and fixed, and client domains reach reject at the apex and the subdomains, not just where the auditor looks.

Free 15-day trial · No credit card · Your own domain free forever (NFR)

Frequently asked questions

Not strictly — inheritance covers you. Set sp explicitly when you want subdomains on a different policy, or when you want the subdomain stance visible in the record instead of implied.

As a short-lived rollout step while you align a subdomain sender, yes. As a permanent state next to p=reject, no — it's an open invitation to spoof your subdomains.

No. A subdomain with its own _dmarc record uses that record. sp only governs subdomains that don't publish one — which in practice is most of them.

Made-up subdomains fall under sp too, unless you set the newer np tag, which targets non-existent subdomains specifically.

Related terms

What is DMARC? Email authentication explained