Question 1

What is a DMARC subdomain policy?

Accepted Answer

A DMARC subdomain policy (sp=) is an optional tag in your DMARC record that specifies how email receivers should handle messages from your subdomains. If you don't set sp=, subdomains inherit the main domain's policy (p=). You can set sp=quarantine or sp=reject to enforce stricter policies on subdomains than your main domain.

Question 2

Do subdomains need their own DMARC records?

Accepted Answer

No, subdomains don't need separate DMARC records by default - they inherit the policy from the main domain's DMARC record at _dmarc.example.com. However, you can publish specific DMARC records for individual subdomains at _dmarc.subdomain.example.com if you need different policies. The sp= tag in your main record sets a default policy for all subdomains.

Question 3

What does sp= mean in DMARC?

Accepted Answer

sp= is the subdomain policy tag in DMARC that defines how email receivers should treat messages from your subdomains when authentication fails. Valid values are sp=none (monitor only), sp=quarantine (send to spam), or sp=reject (block completely). If sp= is not specified, subdomains use the same policy as p= (the main domain policy).

Question 4

How do I protect subdomains with DMARC?

Accepted Answer

To protect subdomains, add the sp= tag to your main domain's DMARC record. For example: 'v=DMARC1; p=quarantine; sp=reject' applies quarantine to the main domain but reject to all subdomains. Alternatively, publish individual DMARC records for specific subdomains at _dmarc.subdomain.example.com. Our tool checks both approaches.

Question 5

Why are subdomains vulnerable without DMARC?

Accepted Answer

Subdomains without DMARC protection can be exploited for phishing attacks. Attackers often use subdomains like 'secure.yourcompany.com' or 'support.yourcompany.com' to impersonate your organization because users trust any @yourcompany.com address. Even if your main domain has DMARC p=reject, subdomains may only have p=none unless you explicitly set sp=reject.

DMARC Subdomain Policy Checker

DMARC Subdomain Policy Checker

Frequently Asked Questions

Related Tools

DMARC Analyzer

SPF Surveyor

DKIM Validator

Help & Resources

Best Practices for Subdomain DMARC

Learn More