How do subdomain policies (sp=) work?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

Got subdomains but aren't ready to enforce the same DMARC policy across all of them? That's where the sp= tag comes in.

Here's the basic inheritance model. By default, your root domain's policy (p=) cascades down to all subdomains. If you set p=reject, then marketing.example.com, dev.example.com, and every other subdomain inherits that same enforcement. That's great if all your subdomains are fully authenticated. But if they're not, you'll break email from the ones that aren't ready yet.

Enter subdomain policies (sp=). This tag lets you override the root policy just for subdomains. For example, you might use p=reject on your main domain while setting sp=none for subdomains still in monitoring. Or you could use p=reject and sp=quarantine to give subdomains a softer hand until they're aligned.

Here's a real scenario: your root domain (example.com) is locked down with perfect DMARC alignment. But your testing subdomain (test.example.com) is still pulling data from an old vendor that isn't authenticated. Without sp=, you'd break that subdomain's email. With sp=none, test.example.com sits in monitoring mode, buying you time to fix the vendor while example.com stays protected.

Once a subdomain's mail streams are fully authenticated and aligned, you can remove the sp= tag and let it inherit the root policy. This keeps enforcement tight where it matters and flexible where you need it.

Check your policy combinations with Review My Emails's DMARC Generator before publishing. Next step: audit which subdomains need their own policy, then update your DNS record. See also: DMARC policy options. See also: setting up DMARC.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Get subdomain policy help

Should I use sp= for my {subdomain_name}? My root domain is {current_policy} and the subdomain is {subdomain_status}. What policy should I use?

Edit the yellow boxes, then send to the AI of your choice.