The DMARC sp attribute is short for subdomain policy in DMARC tags that specify a unanimous subdomain policy for all subdomains under an organizational domain when defined by the domain owner. It allows a domain to specify that a different DMARC policy mode is applicable to the subdomains of the specified DNS domain.
What is sp (Subdomain Policy) in DMARC?
SP (Subdomain Policy) in DMARC refers to a mechanism that allows domain owners to specify how DMARC should handle email messages sent from subdomains.
By default, DMARC policies set at the organizational domain level apply to all subdomains. However, with the SP mechanism, domain owners can override the default behavior and specify different DMARC policies for their subdomains. This allows for more granular control and flexibility in email authentication and enforcement.
How does the DMARC sp attribute work?
Subdomains inherit the parent domain’s policy unless explicitly overruled by a subdomain policy record. The ‘sp’ attribute can override this inheritance. If a subdomain has an explicit DMARC record, this record will take precedence over the DMARC policy for the parent domain, even if the subdomain uses the default setting of p=none. For example, if a DMARC policy is defined for priority ‘all’, the ‘sp’ element will influence DMARC processing on subdomains not covered by any specific policy.
To keep things simple, we recommend that the ‘sp’ attribute be omitted from the organizational domain itself. This will lead to a fallback default policy that prevents spoofing on subdomains. It is important to remember that subdomain behavior is always determined by the overriding organizational policy.
Why do you need the DMARC sp tag?
The DMARC sp tag is needed when you want to configure a different DMARC policy for your subdomain(s) that will override the policy defined for your root domain.
SP tag configurations & effects on your email’s authentication
Case 1: Subdomain Policy at None
If you have your DMARC record as:
v=DMARC1; p=reject; sp=none; rua=mailto:[email protected];
In this case, while your root domain is protected against spoofing attacks, your subdomains even if you don’t use them to exchange information would still be vulnerable to impersonation attacks.
Case 2: Subdomain Policy at Reject
If you have your DMARC record as:
v=DMARC1; p=none; sp=reject; rua=mailto:[email protected];
In this case, while you are not committing to a reject policy on the root domain that you use to send your emails, your inactive subdomains are still protected against impersonation.
Note: If you want your domain and subdomain policies to be the same, you can leave the sp tag criterion blank or disabled while creating a record, and your subdomains would automatically inherit the policy levied on the main domain.
How to enable DMARC sp?
To enable the DMARC sp tag in case you are using our DMARC record generator tool for creating a DMARC record for your domain, you need to manually toggle the subdomain policy button to active status and define your desired policy.
Your Next Steps
Enabling the DMARC sp tag and configuring it appropriately is an essential step towards bolstering your email security. However, there are a few additional measures you can take to further enhance your DMARC implementation. Here are some recommended next steps:
Monitor DMARC Reports
After enabling the DMARC sp tag, it’s crucial to monitor the DMARC reports generated by email receivers. These reports provide valuable insights into the alignment and authentication status of your sent emails. By analyzing these reports regularly, you can identify any anomalies or unauthorized sources attempting to send emails on behalf of your domain. Tools like DMARC analyzers or reporting services can help simplify the monitoring process.
Gradually Move Towards a “p=reject” Policy
While the DMARC sp tag enhances security for subdomains, it’s important to consider gradually moving towards a more stringent policy for your main domain. By setting the “p” tag to “reject,” you can instruct email receivers to reject any unauthorized emails from your domain altogether. However, it’s recommended to proceed with caution and thoroughly analyze the impact of the policy change to avoid unintended consequences.
Implement DKIM and SPF
To strengthen your DMARC implementation, ensure that both DKIM (DomainKeys Identified Mail) and SPF (Sender Policy Framework) are properly configured. DKIM adds a digital signature to your outgoing emails, while SPF verifies that the sending server is authorized to send emails on behalf of your domain. These mechanisms, combined with DMARC, provide a robust authentication framework that helps mitigate email spoofing and phishing attacks effectively.
Periodically Review and Update DMARC Policies
As your organization evolves and your email ecosystem changes, it’s important to periodically review and update your DMARC policies. This includes reassessing the DMARC sp tag settings for your subdomains, adjusting the overall policy, and ensuring that all email authentication mechanisms are up to date. Regular policy reviews will help you maintain an effective and adaptive email security strategy.
By adopting a comprehensive approach to email security, you can significantly reduce the risks associated with email spoofing and phishing attacks, ultimately safeguarding your organization’s reputation and protecting your stakeholders.
After creating your DMARC record it is important to check the validity of your record using our DMARC record lookup tool to make sure that your record is error-free and valid.
Start your DMARC journey with PowerDMARC to maximize your domain’s email security. Take your free DMARC trial today!
- Types of Domain Vulnerabilities You Should be Aware of - August 18, 2023
- How to Implement Mail Domain Authentication in Your Email Infrastructure - February 22, 2023
- How to fix “SPF alignment failed”? - January 3, 2023