DMARC Subdomain Policies: Using the sp= Tag

Learn how DMARC applies to subdomains, what the sp= tag does, when subdomains inherit policy, and how to avoid blocking legitimate subdomain mail.

By CheckDomainHealth Editorial Team | Reviewed by Dionis Ceban | Updated Jun 28, 2026 | 7 min read | Beginner

Introduction

DMARC can apply not only to the main domain, but also to subdomains. This matters when mail is sent from addresses such as news.example.com, billing.example.com, alerts.example.com or support.example.com.

The sp= tag lets you define a separate DMARC policy for subdomains. If sp= is not set, subdomains usually inherit the main domain’s p= policy unless they publish their own DMARC record. Understanding this inheritance helps avoid accidentally blocking legitimate mail from subdomains.

Quick answer

The sp= tag sets the DMARC policy for subdomains. For example, p=reject; sp=none means the main domain uses reject, while subdomains use none. If sp= is missing, subdomains usually inherit the main p= policy unless they have their own DMARC record.

sp= tag

The sp= tag defines the DMARC policy for subdomains of the main domain.

Example
v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@example.com

This means:

  • example.com uses p=reject.
  • Subdomains such as news.example.com use sp=none.
  • Reports are sent to dmarc@example.com.

The sp= tag is optional. If it is not present, subdomains generally follow the main p= policy unless they publish their own DMARC record.

Subdomain inheritance

A subdomain can either inherit the parent domain’s DMARC policy or publish its own DMARC record.

Example parent record
_dmarc.example.com
v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com

If there is no separate record at _dmarc.news.example.com, then mail from news.example.com may inherit the parent domain’s policy.

If news.example.com publishes its own DMARC record, that subdomain policy takes priority for mail using news.example.com as the visible From domain.

p= vs sp=

p=

  • Controls the main domain policy.
  • Example: example.com
  • Applies to mail using the main domain in the visible From address.

Example value: p=quarantine

sp=

  • Controls subdomain policy.
  • Example: news.example.com, billing.example.com, alerts.example.com
  • Applies to subdomains that do not publish their own DMARC record.

Example value: sp=none

sp= does not replace p=. It only gives separate instructions for subdomains.
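
The inheritance order described above, as an added example (not CheckDomainHealth's code): a record at the exact From domain wins, otherwise the parent record's sp= applies, otherwise its p=. The zone contents and function names are constructed for illustration, and the organizational domain is passed in as a parameter rather than derived from the Public Suffix List.

```python
# Constructed sample zone: TXT records keyed by hostname (no live DNS lookups).
ZONE = {
    "_dmarc.example.com": "v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@example.com",
    "_dmarc.news.example.com": "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com",
}

def parse_dmarc(txt):
    """Split a DMARC record into a tag dict; return None if it is not DMARC1."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip().lower()] = value.strip()
    return tags if tags.get("v") == "DMARC1" else None

def effective_policy(from_domain, org_domain, zone):
    """Return (policy, source) applied to mail with this visible From domain."""
    from_domain = from_domain.lower().rstrip(".")
    own = parse_dmarc(zone.get("_dmarc." + from_domain, ""))
    if own and "p" in own:
        # A record at the exact From domain wins: its p= applies to that domain.
        return own["p"].lower(), "_dmarc." + from_domain + " p="
    parent = parse_dmarc(zone.get("_dmarc." + org_domain, ""))
    if from_domain == org_domain or not parent or "p" not in parent:
        return None, "no DMARC record"
    if "sp" in parent:
        # No record of its own: the parent's sp= is the subdomain policy.
        return parent["sp"].lower(), "_dmarc." + org_domain + " sp="
    # No sp= either: the subdomain inherits the parent's p=.
    return parent["p"].lower(), "_dmarc." + org_domain + " p= (inherited)"

def audit(sending_subdomains, org_domain, zone):
    """Map each sending subdomain to its effective policy for a rollout review."""
    return {d: effective_policy(d, org_domain, zone) for d in sending_subdomains}

if __name__ == "__main__":
    senders = ["news.example.com", "billing.example.com", "alerts.example.com"]
    for domain, (policy, source) in audit(senders, "example.com", ZONE).items():
        print(f"{domain}: {policy} (from {source})")
```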

Common examples

Same policy for domain and subdomains
v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com

Strict main domain, monitor subdomains
v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@example.com

Monitor main domain, stricter subdomains
v=DMARC1; p=none; sp=quarantine; rua=mailto:dmarc@example.com

Strict for both
v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@example.com

These examples are illustrative. Choose policy based on real mail flows and DMARC reports.

When to use sp=

Subdomains send mail

Use sp= carefully if newsletters, alerts, billing or support mail is sent from subdomains.

You want different enforcement

Use sp= when the main domain and subdomains need different policies.

You are not sure about subdomain senders

Use sp=none while monitoring subdomain traffic.

You want stronger protection

Use sp=quarantine or sp=reject after confirming subdomain mail is authenticated.

You manage many subdomains

Use sp= to define a default policy, then add separate DMARC records for special cases.

Why this matters

Subdomain policy matters because subdomains are often used by marketing platforms, transactional email services, billing systems, support desks and application alerts. If the parent DMARC policy is strict and subdomain senders are not aligned, legitimate subdomain mail may be quarantined or rejected.

Subdomains can also be abused for spoofing, so leaving them unmanaged can create security and reputation risk.

How to check subdomains

Use DMARC Checker to inspect the parent domain and any subdomains that send email.

When checking subdomain policy, review

These five checks help confirm subdomain DMARC is configured safely.

Parent DMARC record

Check the p= policy at _dmarc.example.com.

sp= tag

Check whether the parent record defines a subdomain policy.

Subdomain DMARC records

Check whether important subdomains publish their own records.

Subdomain senders

Identify platforms sending from subdomains.

SPF/DKIM alignment

Confirm subdomain senders pass DMARC alignment.


Common problems

Subdomains inherit a strict policy unexpectedly

High

The parent domain uses p=quarantine or p=reject, and subdomains inherit that policy because sp= is not set.

Next step: Review subdomain senders and consider sp=none while fixing authentication.

Subdomain sender fails alignment

Medium

A marketing, billing or transactional service sends from a subdomain but does not pass aligned SPF or DKIM.

Next step: Configure custom DKIM or Return-Path for that subdomain.

Subdomain has no DMARC record

Low

The subdomain may rely on parent policy inheritance.

Next step: Add a subdomain DMARC record if it needs separate control.

sp= too strict too soon

Medium

Subdomain enforcement was enabled before legitimate subdomain senders were reviewed.

Next step: Move to monitoring and review DMARC reports.

Separate subdomain record conflicts with parent strategy

Medium

A subdomain has its own DMARC record that behaves differently than expected.

Next step: Document subdomain policies and align them with the overall DMARC rollout.

Unknown subdomains send mail

Medium

DMARC reports show mail from subdomains the owner does not recognize.

Next step: Investigate whether the source is legitimate, old infrastructure or spoofing.

No reporting for subdomains

Low

Without rua, subdomain authentication patterns may be harder to monitor.

Next step: Add reporting to parent or subdomain DMARC records.

How to manage subdomains

  1. List subdomains that send mail

    Identify newsletters, alerts, billing, support, app notifications, transactional mail and marketing subdomains.

  2. Check parent DMARC policy

    Review p= and sp= at the main domain.

  3. Check whether subdomains inherit policy

    If a subdomain has no DMARC record, it may inherit the parent policy.

  4. Review SPF and DKIM alignment

    Make sure each subdomain sender can pass aligned SPF or DKIM.

  5. Use sp=none while auditing

    If subdomain senders are unclear, monitor first before applying strict enforcement.

  6. Add subdomain-specific records where needed

    For important subdomains, publish their own DMARC records if they need separate policy or reporting.

  7. Move gradually toward enforcement

    Use reports to confirm legitimate subdomain mail is passing before using quarantine or reject.
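
The audit and enforcement steps above depend on reading aggregate (rua) reports, so here is an added example, not part of the original guide, that totals DMARC results per From subdomain and flags subdomains missing from the sender inventory. The report fragment, the inventory and the function names are constructed; reports arrive from third parties, so a production parser should use a hardened XML library such as defusedxml.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed aggregate (rua) report fragment; IPs are documentation addresses.
SAMPLE_REPORT = """<feedback>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>news.example.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>8</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>billing.example.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>203.0.113.5</source_ip><count>3</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>old.example.com</header_from></identifiers>
  </record>
</feedback>"""

def summarize(report_xml, known_senders):
    """Per From domain: message counts, DMARC failures and inventory status."""
    stats = defaultdict(lambda: {"total": 0, "failed": 0, "sources": set()})
    for rec in ET.fromstring(report_xml).iter("record"):
        evaluated = rec.find("row/policy_evaluated")
        if evaluated is None:
            continue  # malformed record: nothing to evaluate
        domain = rec.findtext("identifiers/header_from", "").lower()
        count = int(rec.findtext("row/count", "0"))
        # DMARC passes when either aligned DKIM or aligned SPF passes.
        passed = "pass" in (evaluated.findtext("dkim"), evaluated.findtext("spf"))
        entry = stats[domain]
        entry["total"] += count
        entry["failed"] += 0 if passed else count
        entry["sources"].add(rec.findtext("row/source_ip"))
    return {d: dict(s, known=d in known_senders) for d, s in stats.items()}

def blockers(summary):
    """Subdomains to resolve before moving sp= to quarantine or reject."""
    return sorted(d for d, s in summary.items() if s["failed"] or not s["known"])

if __name__ == "__main__":
    inventory = {"news.example.com", "billing.example.com"}
    print(blockers(summarize(SAMPLE_REPORT, inventory)))
```

Here billing.example.com is a known sender failing alignment, and old.example.com is not in the inventory at all; both need a decision before sp= is tightened.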

Subdomain records

A subdomain can publish its own DMARC record.

Example
Subdomain: news.example.com
DMARC hostname: _dmarc.news.example.com
Record: v=DMARC1; p=none; rua=mailto:dmarc@example.com

A subdomain-specific record is useful when a subdomain sends mail independently or needs a different policy than the parent domain.

Subdomain mail examples

Newsletter subdomain

news.example.com: used by a marketing platform.

Billing subdomain

billing.example.com: used by an invoice or payment system.

Alert subdomain

alerts.example.com: used by application notifications.

Support subdomain

support.example.com: used by a helpdesk platform.

Each sending subdomain should be reviewed for SPF, DKIM and DMARC alignment.

Frequently asked questions

What does sp= mean in DMARC?

sp= defines the DMARC policy for subdomains.

What happens if sp= is missing?

Subdomains usually inherit the main p= policy unless they publish their own DMARC record.

Can a subdomain have its own DMARC record?

Yes. A subdomain can publish a record at _dmarc.subdomain.example.com.

Should subdomains use p=none?

Use p=none while monitoring if you are not sure all subdomain senders are authenticated.

Can sp= be stricter than p=?

Yes. For example, p=none; sp=quarantine is possible, but it should be used carefully.

Can strict subdomain policy block real email?

Yes, if legitimate subdomain senders do not pass SPF or DKIM alignment.

Should every subdomain have its own DMARC record?

Not always. Important sending subdomains may need their own record, while others can inherit parent policy.
