
What is the DMARC sp (Subdomain Policy) tag?


The DMARC sp attribute, short for subdomain policy, is a DMARC tag that lets a domain owner define a single policy for all subdomains under an organizational domain. It allows a domain to specify that a different DMARC policy mode is applicable to the subdomains of the specified DNS domain.

What is sp (Subdomain Policy) in DMARC?

SP (Subdomain Policy) in DMARC refers to a mechanism that allows domain owners to specify how DMARC should handle email messages sent from subdomains. 

By default, DMARC policies set at the organizational domain level apply to all subdomains. However, with the SP mechanism, domain owners can override the default behavior and specify different DMARC policies for their subdomains. This allows for more granular control and flexibility in email authentication and enforcement.

How does the DMARC sp attribute work? 

Subdomains inherit the parent domain’s policy unless it is explicitly overruled by a subdomain policy record. The ‘sp’ attribute can override this inheritance. If a subdomain has its own explicit DMARC record, that record takes precedence over the DMARC policy for the parent domain, even if the subdomain uses the default setting of p=none. For example, if a DMARC policy is defined for priority ‘all’, the ‘sp’ element will influence DMARC processing on subdomains not covered by any specific policy.

To keep things simple, we recommend that the ‘sp’ attribute be omitted from the organizational domain itself. This will lead to a fallback default policy that prevents spoofing on subdomains. It is important to remember that subdomain behavior is always determined by the overriding organizational policy. 

Why do you need the DMARC sp tag?

The DMARC sp tag is needed when you want to configure a different DMARC policy for your subdomain(s) that will override the policy defined for your root domain. 

SP tag configurations & effects on your email’s authentication

Case 1: Subdomain Policy at None 

If you have your DMARC record as: 

v=DMARC1; p=reject; sp=none; rua=mailto:[email protected];

In this case, while your root domain is protected against spoofing attacks, your subdomains, even if you don’t use them to exchange information, would still be vulnerable to impersonation attacks.

Case 2: Subdomain Policy at Reject

If you have your DMARC record as: 

v=DMARC1; p=none; sp=reject; rua=mailto:[email protected];

In this case, while you are not committing to a reject policy on the root domain that you use to send your emails, your inactive subdomains are still protected against impersonation.

Note: If you want your domain and subdomain policies to be the same, you can leave the sp tag criterion blank or disabled while creating a record, and your subdomains would automatically inherit the policy levied on the main domain.
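The resolution order described above (a subdomain's own record first, then the organizational domain's sp, then its p) can be checked offline. The following is an added example, not PowerDMARC's code; the `records` dictionary stands in for DNS lookups at `_dmarc.<domain>`, and example.com, news.example.com and the rua address are constructed placeholders.

```python
# Added example: effective DMARC policy for a domain, following the sp rules above.
RANK = {"none": 0, "quarantine": 1, "reject": 2}

def parse_dmarc(record):
    """Parse a DMARC TXT record into {tag: value}; reject malformed input."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record")
    for tag in ("p", "sp"):
        if tag in tags:
            tags[tag] = tags[tag].lower()
            if tags[tag] not in RANK:
                raise ValueError(f"invalid {tag} value: {tags[tag]}")
    if "p" not in tags:
        raise ValueError("missing required p tag")
    return tags

def effective_policy(domain, org_domain, records):
    """Return (policy, source). `records` maps a domain name to the TXT
    string published at _dmarc.<domain> (stand-in for live DNS lookups)."""
    domain, org_domain = domain.lower(), org_domain.lower()
    if domain in records:                      # explicit record always wins
        return parse_dmarc(records[domain])["p"], f"p of {domain}"
    if org_domain not in records:
        return None, "no DMARC record"
    org = parse_dmarc(records[org_domain])
    if "sp" in org:                            # sp overrides inheritance
        return org["sp"], f"sp of {org_domain}"
    return org["p"], f"p of {org_domain}"      # default: inherit p

def sp_weaker_than_p(record):
    """True when subdomains get a weaker policy than the root (Case 1)."""
    tags = parse_dmarc(record)
    return "sp" in tags and RANK[tags["sp"]] < RANK[tags["p"]]

# Constructed sample zones; example.com and the rua address are placeholders.
CASE1 = {"example.com": "v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@example.com;"}
CASE2 = {"example.com": "v=DMARC1; p=none; sp=reject; rua=mailto:dmarc@example.com;"}

if __name__ == "__main__":
    for zone in (CASE1, CASE2):
        for d in ("example.com", "news.example.com"):
            print(d, effective_policy(d, "example.com", zone))
```

Running `sp_weaker_than_p` over every organizational record you publish is a quick audit for the Case 1 situation, where the root is at reject but unused subdomains remain spoofable.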

How to enable DMARC sp? 

If you are using our DMARC record generator tool to create a DMARC record for your domain, you enable the DMARC sp tag by manually toggling the subdomain policy button to active status and defining your desired policy.


Your Next Steps

Enabling the DMARC sp tag and configuring it appropriately is an essential step towards bolstering your email security. However, there are a few additional measures you can take to further enhance your DMARC implementation. Here are some recommended next steps:

Monitor DMARC Reports

After enabling the DMARC sp tag, it’s crucial to monitor the DMARC reports generated by email receivers. These reports provide valuable insights into the alignment and authentication status of your sent emails. By analyzing these reports regularly, you can identify any anomalies or unauthorized sources attempting to send emails on behalf of your domain. Tools like DMARC analyzers or reporting services can help simplify the monitoring process.

Gradually Move Towards a “p=reject” Policy

While the DMARC sp tag enhances security for subdomains, it’s important to consider gradually moving towards a more stringent policy for your main domain. By setting the “p” tag to “reject,” you can instruct email receivers to reject any unauthorized emails from your domain altogether. However, it’s recommended to proceed with caution and thoroughly analyze the impact of the policy change to avoid unintended consequences.

Implement DKIM and SPF

To strengthen your DMARC implementation, ensure that both DKIM (DomainKeys Identified Mail) and SPF (Sender Policy Framework) are properly configured. DKIM adds a digital signature to your outgoing emails, while SPF verifies that the sending server is authorized to send emails on behalf of your domain. These mechanisms, combined with DMARC, provide a robust authentication framework that helps mitigate email spoofing and phishing attacks effectively.

Periodically Review and Update DMARC Policies

As your organization evolves and your email ecosystem changes, it’s important to periodically review and update your DMARC policies. This includes reassessing the DMARC sp tag settings for your subdomains, adjusting the overall policy, and ensuring that all email authentication mechanisms are up to date. Regular policy reviews will help you maintain an effective and adaptive email security strategy.

Conclusion

By adopting a comprehensive approach to email security, you can significantly reduce the risks associated with email spoofing and phishing attacks, ultimately safeguarding your organization’s reputation and protecting your stakeholders.

After creating your DMARC record, it is important to check it using our DMARC record lookup tool to make sure that the record is error-free and valid.

Start your DMARC journey with PowerDMARC to maximize your domain’s email security. Take your free DMARC trial today!  


October 8, 2021/by Syuzanna Papazyan