DMARC Subdomain Policy Tag (SP)


When creating a DMARC record for an organizational domain (think google.com), a domain owner can add an "sp" tag to the DMARC record. This tag specifies the policy for ALL subdomains of that domain. It functions exactly like the "p" tag, in that it tells a receiving mail server (think Gmail, before the email hits your inbox) what to do with an email that fails DMARC.

Should I quarantine the message? Reject it? Or do nothing and allow the message to continue to delivery? With the "sp" tag published, the owner of the domain tells receiving mail servers what should be done with messages from any subdomain of the organizational domain. In a nutshell, this tag acts as a mechanism to apply a bulk policy to all subdomains.

Truth be told, the real value and use case for this tag is when a domain owner wants different policies applied to email from their subdomains versus their primary organizational domain. We have included some use cases below.

Example 1: Domain owner only sends email from subdomains. They set a "reject" policy on the organizational domain of "example.com" and a "none" subdomain policy for their subdomains. In a DMARC record this would be expressed with tags of p=reject; sp=none

Example DMARC Record with p=reject and sp=none
v=DMARC1; p=reject; sp=none; rua=mailto:email1@mxtoolbox.com;


Example 2: Domain owner sends no email through subdomains and wants to prevent malicious actors from spoofing subdomains and sending phishing messages. They set a policy of "none" on their organizational domain and a subdomain policy of "reject" for all subdomains. In a DMARC record this would be expressed with tags of p=none; sp=reject;

Example DMARC Record with p=none and sp=reject
v=DMARC1; p=none; sp=reject; rua=mailto:email1@mxtoolbox.com;
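To see how a receiving mail server actually arrives at "reject" or "none" for a given sender in Example 1 and Example 2, here is an added Python example (not part of the original article or any MxToolbox code) that models the RFC 7489 lookup: query _dmarc.<From-domain> first, and only when no record exists there fall back to _dmarc.<organizational-domain>, where "sp" governs subdomains and defaults to "p" when absent. It assumes DNS is an in-memory dictionary of constructed TXT records and that the organizational domain is supplied by the caller rather than derived from the Public Suffix List; example.net is a constructed stand-in for the Example 1 domain so both scenarios can coexist.

```python
"""Which DMARC policy applies to a message?  Added example, not from the
original article.  It models the record lookup a receiving mail server
performs under RFC 7489: the server queries _dmarc.<From-domain>; only if
no record exists there does it query _dmarc.<organizational-domain>,
where the "sp" tag governs subdomains and "p" governs the organizational
domain itself.  Assumptions: DNS is an in-memory dict of constructed TXT
records, and the organizational domain is passed in by the caller instead
of being derived from the Public Suffix List.
"""

VALID_POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(record):
    """Split 'v=DMARC1; p=reject; sp=none; ...' into a {tag: value} dict."""
    tags = {}
    for part in record.split(";"):
        if "=" not in part:
            continue  # skip the empty element left by a trailing ';'
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record: %r" % record)
    return tags


def _policy_value(tags, tag):
    """Return the policy named by `tag`, or None if it is absent or invalid.

    Simplification: RFC 7489 handles malformed tags with more nuance; here
    an unrecognised value is treated the same as a missing tag.
    """
    value = tags.get(tag, "").lower()
    return value if value in VALID_POLICIES else None


def resolve_policy(from_domain, org_domain, dns):
    """Return (policy, source) for mail whose RFC5322.From domain is from_domain.

    dns maps a name such as '_dmarc.example.com' to its TXT record string.
    source is a short string, for logging, naming the record and tag that
    decided the outcome.
    """
    from_domain = from_domain.lower().rstrip(".")
    org_domain = org_domain.lower().rstrip(".")
    if from_domain != org_domain and not from_domain.endswith("." + org_domain):
        raise ValueError("%s is not within %s" % (from_domain, org_domain))

    # Step 1: a record published at the exact From domain always wins, and
    # its own "p" tag applies; "sp" is irrelevant at this level.
    own = dns.get("_dmarc." + from_domain)
    if own is not None:
        policy = _policy_value(parse_dmarc(own), "p")
        return (policy or "none", "_dmarc.%s p" % from_domain)

    # Step 2: nothing at the From domain.  For the organizational domain
    # itself that means no DMARC at all; for a subdomain, fall back to the
    # organizational domain's record.  (RFC 7489 performs only these two
    # lookups; intermediate parent domains are never consulted.)
    if from_domain == org_domain:
        return ("none", "no record")
    parent = dns.get("_dmarc." + org_domain)
    if parent is None:
        return ("none", "no record")
    tags = parse_dmarc(parent)

    # "sp" is the subdomain policy; when it is absent it defaults to "p".
    sp = _policy_value(tags, "sp")
    if sp is not None:
        return (sp, "_dmarc.%s sp" % org_domain)
    return (_policy_value(tags, "p") or "none", "_dmarc.%s p" % org_domain)


# Constructed DNS zone data for the two scenarios in the article plus a
# subdomain that publishes its own record.  example.net stands in for the
# Example 1 domain so both scenarios can coexist in one table.
DNS = {
    # Example 1: only subdomains send mail -> p=reject; sp=none
    "_dmarc.example.net": "v=DMARC1; p=reject; sp=none; rua=mailto:email1@mxtoolbox.com;",
    # Example 2: no mail from subdomains -> p=none; sp=reject
    "_dmarc.example.com": "v=DMARC1; p=none; sp=reject; rua=mailto:email1@mxtoolbox.com;",
    # A subdomain with its own record: this overrides the parent's sp tag.
    "_dmarc.newsletter.example.com": "v=DMARC1; p=quarantine;",
}

CASES = [
    ("example.net", "example.net"),
    ("mail.example.net", "example.net"),
    ("example.com", "example.com"),
    ("mail.example.com", "example.com"),
    ("deep.sub.example.com", "example.com"),
    ("newsletter.example.com", "example.com"),
]

if __name__ == "__main__":
    for from_domain, org_domain in CASES:
        policy, source = resolve_policy(from_domain, org_domain, DNS)
        print("%-26s -> %-10s (%s)" % (from_domain, policy, source))
```

Running it shows the two scenarios side by side: under Example 2's record, mail from example.com itself gets "none" while mail from mail.example.com (or any deeper subdomain) gets "reject"; under Example 1's record the outcomes are reversed. The newsletter.example.com case is the caveat worth remembering when publishing "sp": a subdomain that has its own DMARC record is governed by that record's "p" tag, and the organizational domain's "sp" never reaches it.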
