DMARC Subdomain Policies: Using the sp= Tag
Learn how DMARC applies to subdomains, what the sp= tag does, when subdomains inherit policy, and how to avoid blocking legitimate subdomain mail.
Introduction
DMARC can apply not only to the main domain, but also to subdomains. This matters when mail is sent from addresses such as news.example.com, billing.example.com, alerts.example.com or support.example.com.
The sp= tag lets you define a separate DMARC policy for subdomains. If sp= is not set, subdomains usually inherit the main domain’s p= policy unless they publish their own DMARC record. Understanding this inheritance helps avoid accidentally blocking legitimate mail from subdomains.
Quick answer
The sp= tag sets the DMARC policy for subdomains. For example, p=reject; sp=none means the main domain uses reject, while subdomains use none. If sp= is missing, subdomains usually inherit the main p= policy unless they have their own DMARC record.
sp= tag
The sp= tag defines the DMARC policy for subdomains of the main domain.
v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@example.com
This means: example.com uses p=reject; subdomains such as news.example.com use sp=none; reports are sent to dmarc@example.com.
The sp= tag is optional. If it is not present, subdomains generally follow the main p= policy unless they publish their own DMARC record.
Subdomain inheritance
A subdomain can either inherit the parent domain’s DMARC policy or publish its own DMARC record.
_dmarc.example.com
v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com
If there is no separate record at _dmarc.news.example.com, then mail from news.example.com may inherit the parent domain’s policy.
If news.example.com publishes its own DMARC record, that subdomain policy takes priority for mail using news.example.com as the visible From domain.
p= vs sp=
p=
- Controls the main domain policy.
- Example: example.com
- Applies to mail using the main domain in the visible From address.
p=quarantine
sp=
- Controls subdomain policy.
- Example: news.example.com, billing.example.com, alerts.example.com
- Applies to subdomains that do not publish their own DMARC record.
sp=none
sp= does not replace p=. It only gives separate instructions for subdomains.
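The lookup order described in the inheritance and p= vs sp= sections can be written as a short resolver. This is an added example, not code from the original guide: the ZONE dictionary is constructed data standing in for DNS TXT lookups, and the organizational (parent) domain is passed in as a parameter, whereas a real receiver derives it itself.

```python
POLICIES = {"none", "quarantine", "reject"}

# Constructed records standing in for DNS TXT lookups; not real published data.
ZONE = {
    "_dmarc.example.com": "v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@example.com",
    "_dmarc.billing.example.com": "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com",
}

def parse_dmarc(txt):
    """Return the record's tags as a dict, or None if it is not a usable DMARC record."""
    tags = {}
    for part in txt.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags.setdefault(name.strip().lower(), value.strip())
    # v=DMARC1 must be the first tag.
    if next(iter(tags), None) != "v" or tags["v"] != "DMARC1":
        return None
    # Simplification for this example: a record without a valid p= is ignored.
    if tags.get("p", "").lower() not in POLICIES:
        return None
    tags["p"] = tags["p"].lower()
    return tags

def effective_policy(from_domain, org_domain, zone=ZONE):
    """Return (policy, source) for the visible From domain.

    Order: the domain's own record, then the parent's sp=, then the parent's p=.
    org_domain is supplied by the caller (assumption of this example).
    """
    from_domain = from_domain.lower().rstrip(".")
    org_domain = org_domain.lower().rstrip(".")
    own = parse_dmarc(zone.get("_dmarc." + from_domain, ""))
    if own:
        return own["p"], "own record"
    if not from_domain.endswith("." + org_domain):
        return None, "no record"
    parent = parse_dmarc(zone.get("_dmarc." + org_domain, ""))
    if parent is None:
        return None, "no record"
    if parent.get("sp", "").lower() in POLICIES:
        return parent["sp"].lower(), "parent sp="
    return parent["p"], "parent p= (inherited)"
```

With the constructed zone, news.example.com resolves to none through the parent's sp=, while billing.example.com resolves to quarantine from its own record.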
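Common examples
Parent domain at quarantine with no sp=, so subdomains without their own record inherit quarantine:
v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com
Parent domain at reject, subdomains monitored only:
v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@example.com
Parent domain monitored only, subdomains quarantined:
v=DMARC1; p=none; sp=quarantine; rua=mailto:dmarc@example.com
Parent domain and subdomains both at reject:
v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@example.com
These examples are illustrative. Choose policy based on real mail flows and DMARC reports.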
When to use sp=
Subdomains send mail
Use sp= carefully if newsletters, alerts, billing or support mail is sent from subdomains.
You want different enforcement
Use sp= when the main domain and subdomains need different policies.
You are not sure about subdomain senders
Use sp=none while monitoring subdomain traffic.
You want stronger protection
Use sp=quarantine or sp=reject after confirming subdomain mail is authenticated.
You manage many subdomains
Use sp= to define a default policy, then add separate DMARC records for special cases.
Why this matters
Subdomain policy matters because subdomains are often used by marketing platforms, transactional email services, billing systems, support desks and application alerts. If the parent DMARC policy is strict and subdomain senders are not aligned, legitimate subdomain mail may be quarantined or rejected.
Subdomains can also be abused for spoofing, so leaving them unmanaged can create security and reputation risk.
How to check subdomains
Use DMARC Checker to inspect the parent domain and any subdomains that send email.
When checking subdomain policy, review
These five checks help confirm subdomain DMARC is configured safely.
Parent DMARC record
Check the p= policy at _dmarc.example.com.
sp= tag
Check whether the parent record defines a subdomain policy.
Subdomain DMARC records
Check whether important subdomains publish their own records.
Subdomain senders
Identify platforms sending from subdomains.
SPF/DKIM alignment
Confirm subdomain senders pass DMARC alignment.
Common problems
Subdomains inherit a strict policy unexpectedly
High: The parent domain uses p=quarantine or p=reject, and subdomains inherit that policy because sp= is not set.
Next step: Review subdomain senders and consider sp=none while fixing authentication.
Subdomain sender fails alignment
Medium: A marketing, billing or transactional service sends from a subdomain but does not pass aligned SPF or DKIM.
Next step: Configure custom DKIM or Return-Path for that subdomain.
Subdomain has no DMARC record
Low: The subdomain may rely on parent policy inheritance.
Next step: Add a subdomain DMARC record if it needs separate control.
sp= too strict too soon
Medium: Subdomain enforcement was enabled before legitimate subdomain senders were reviewed.
Next step: Move to monitoring and review DMARC reports.
Separate subdomain record conflicts with parent strategy
Medium: A subdomain has its own DMARC record that behaves differently than expected.
Next step: Document subdomain policies and align them with the overall DMARC rollout.
Unknown subdomains send mail
Medium: DMARC reports show mail from subdomains the owner does not recognize.
Next step: Investigate whether the source is legitimate, old infrastructure or spoofing.
No reporting for subdomains
Low: Without rua, subdomain authentication patterns may be harder to monitor.
Next step: Add reporting to parent or subdomain DMARC records.
How to manage subdomains
Step 1: List subdomains that send mail
Identify newsletters, alerts, billing, support, app notifications, transactional mail and marketing subdomains.
Step 2: Check parent DMARC policy
Review p= and sp= at the main domain.
Step 3: Check whether subdomains inherit policy
If a subdomain has no DMARC record, it may inherit the parent policy.
Step 4: Review SPF and DKIM alignment
Make sure each subdomain sender can pass aligned SPF or DKIM.
Step 5: Use sp=none while auditing
If subdomain senders are unclear, monitor first before applying strict enforcement.
Step 6: Add subdomain-specific records where needed
For important subdomains, publish their own DMARC records if they need separate policy or reporting.
Step 7: Move gradually toward enforcement
Use reports to confirm legitimate subdomain mail is passing before using quarantine or reject.
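Steps 1 and 7 depend on DMARC aggregate reports to show which subdomains send mail and whether that mail passes. The added example below (not from the original guide) summarizes a constructed report per visible From domain; element names follow the RFC 7489 aggregate report schema, and the KNOWN_SENDERS inventory is hypothetical.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed aggregate-report fragment using RFC 7489 element names.
# Domains, counts and IPs (documentation ranges) are made up for the example.
REPORT = """<feedback>
 <policy_published><domain>example.com</domain><p>reject</p><sp>none</sp></policy_published>
 <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
  <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>news.example.com</header_from></identifiers></record>
 <record><row><source_ip>198.51.100.7</source_ip><count>40</count>
  <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>billing.example.com</header_from></identifiers></record>
 <record><row><source_ip>198.51.100.8</source_ip><count>10</count>
  <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row>
  <identifiers><header_from>billing.example.com</header_from></identifiers></record>
 <record><row><source_ip>203.0.113.99</source_ip><count>7</count>
  <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>old.example.com</header_from></identifiers></record>
</feedback>"""

# Hypothetical sender inventory produced in Step 1.
KNOWN_SENDERS = {"news.example.com", "billing.example.com"}

def summarize(report_xml, known=KNOWN_SENDERS):
    """Count DMARC pass/fail messages per visible From domain."""
    # Reports are third-party input: outside a demo, parse them with a
    # hardened XML parser (for example defusedxml).
    stats = defaultdict(lambda: {"pass": 0, "fail": 0})
    for rec in ET.fromstring(report_xml).iter("record"):
        domain = rec.findtext("identifiers/header_from", "").strip().lower()
        count = int(rec.findtext("row/count", "0"))
        results = (rec.findtext("row/policy_evaluated/dkim", ""),
                   rec.findtext("row/policy_evaluated/spf", ""))
        # DMARC passes when aligned DKIM or aligned SPF passes.
        stats[domain]["pass" if "pass" in results else "fail"] += count
    return {d: dict(s, known=d in known) for d, s in stats.items()}

def needs_review(summary):
    """Domains with failing mail or missing from the sender inventory."""
    return sorted(d for d, s in summary.items() if s["fail"] or not s["known"])
```

Here billing.example.com is flagged because one of its sending sources fails both aligned checks, and old.example.com because it is absent from the inventory, which are the cases to resolve before raising sp= to quarantine or reject.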
Subdomain records
A subdomain can publish its own DMARC record.
Subdomain: news.example.com
DMARC hostname: _dmarc.news.example.com
Record: v=DMARC1; p=none; rua=mailto:dmarc@example.com
A subdomain-specific record is useful when a subdomain sends mail independently or needs a different policy than the parent domain.
Subdomain mail examples
Newsletter subdomain
news.example.com: used by a marketing platform.
Billing subdomain
billing.example.com: used by an invoice or payment system.
Alert subdomain
alerts.example.com: used by application notifications.
Support subdomain
support.example.com: used by a helpdesk platform.
Each sending subdomain should be reviewed for SPF, DKIM and DMARC alignment.
Frequently asked questions
What does sp= mean in DMARC?
sp= defines the DMARC policy for subdomains.
What happens if sp= is missing?
Subdomains usually inherit the main p= policy unless they publish their own DMARC record.
Can a subdomain have its own DMARC record?
Yes. A subdomain can publish a record at _dmarc.subdomain.example.com.
Should subdomains use p=none?
Use p=none while monitoring if you are not sure all subdomain senders are authenticated.
Can sp= be stricter than p=?
Yes. For example, p=none; sp=quarantine is possible, but it should be used carefully.
Can strict subdomain policy block real email?
Yes, if legitimate subdomain senders do not pass SPF or DKIM alignment.
Should every subdomain have its own DMARC record?
Not always. Important sending subdomains may need their own record, while others can inherit parent policy.