DMARC glossary
What does the sp tag mean? DMARC subdomain policy explained

By Samuel Chenard · CEO & Co-Founder, Palisade · Reviewed July 15, 2026
The sp tag sets the DMARC policy for subdomains of your organizational domain — every anything.yourdomain.com. It takes the same values as p (none, quarantine, reject), and if it's absent, subdomains simply inherit the p policy. The trap: sp=none beside p=reject leaves every subdomain spoofable while the apex looks locked.
sp at a glance | |
|---|---|
| Tag | sp (subdomain policy) |
| Valid values | none · quarantine · reject |
| Default | If omitted, subdomains inherit the p value — which is usually what you want. |
| Where it goes | After the p tag, e.g. v=DMARC1; p=reject; sp=reject; |
How sp works
A DMARC record published at _dmarc.yourdomain.com covers more than the apex domain. When mail claims to be from a subdomain that has no DMARC record of its own — billing.yourdomain.com, mail.yourdomain.com — receivers fall back to the organizational domain's record, and sp decides which policy applies. No sp tag means the subdomain gets whatever p says.
The legitimate use case is a split rollout: the apex is ready for reject but a subdomain still sends unaligned mail, so you set sp=quarantine or sp=none temporarily while you fix it. The dangerous use case is the same record left permanently — p=reject; sp=none means an attacker can't spoof yourdomain.com but can freely spoof invoices.yourdomain.com, which looks just as convincing to the person reading the email.
A subdomain can also publish its own _dmarc record, which overrides the organizational domain's sp for that name. In practice most subdomains don't, so sp (or the inherited p) is what actually governs them.
Correct record vs common mistake
Correct
v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@yourdomain.comApex and subdomains both at reject — explicit sp makes the intent auditable, though omitting it here would inherit the same policy.
Common mistake
v=DMARC1; p=reject; sp=noneThe apex is protected, but every subdomain is fully spoofable. Attackers just move to billing.yourdomain.com — same brand, zero enforcement.
Generate your DMARC record
Build the exact TXT record to publish — pick a policy, add a reporting address, copy. Free, no signup.
Used to show the exact host name to publish — the record itself doesn't contain it.
Start at none to observe, then tighten once reports look clean.
Where daily XML summaries are sent. Comma-separate multiple addresses.
Advanced options (sp, alignment, pct, ruf)
Subdomains inherit p unless you set this. Attackers love unused subdomains — reject is a strong choice once you're at enforcement.
Relaxed allows subdomain matches (mail.yourdomain.com signs for yourdomain.com). Strict requires an exact match — most domains should stay relaxed.
Same idea for the SPF (Return-Path) domain.
Applies quarantine/reject to a percentage of failing mail during rollout. Retired in DMARCbis — use briefly if at all.
Per-message failure samples. Rarely sent by large providers; contains message data.
Your DMARC record
Publish this as a TXT record in your DNS.
_dmarc.yourdomain.com
v=DMARC1; p=none;
Record type: TXT · TTL: your provider's default (e.g. 3600) is fine.
After you publish
- Add the TXT record at your DNS host and allow up to an hour for propagation.
- Verify it with the free DMARC checker.
- Watch your aggregate reports, fix SPF and DKIM for every legitimate sender, then step up to quarantine and reject.
Troubleshooting sp
| Issue | Likely cause | Fix |
|---|---|---|
| Spoofed subdomain mail delivered despite p=reject | sp=none (or sp=quarantine) in the record overrides the apex policy for subdomains | Align the subdomain's legitimate senders, then set sp=reject or remove sp to inherit p |
| Legitimate subdomain mail quarantined after tightening sp | A subdomain sender (portal, notification service) was never aligned in SPF/DKIM | Find it in the aggregate reports, align it, then re-tighten — don't leave sp weakened |
| Subdomain behaves differently than the sp tag says | The subdomain publishes its own _dmarc record, which takes precedence | Check DNS at _dmarc.<subdomain> and consolidate — one governing record per name |
See this on your own domain
Enter your domain — the check runs instantly on the next page. Free, no signup.
Why it matters for MSPs
Client domains sprawl subdomains — helpdesk portals, marketing platforms, regional sites — and each one is a spoofing surface. Across 50–200 tenants, an sp=none left over from an old rollout multiplies into hundreds of unprotected names that every audit checklist misses, because the apex record “has p=reject.”
Trusted by MSPs
“Their responsive support, agent task lists, white-label reporting, and centralized dashboard make managing our customer domains, effortless.”
Bobby Ghoshal — CEO, dupe.com

































Enforce it — don't just monitor it
Palisade watches the aggregate reports for subdomain traffic too — so unaligned subdomain senders get identified and fixed, and client domains reach reject at the apex and the subdomains, not just where the auditor looks.
Free 15-day trial · No credit card · Your own domain free forever (NFR)