Email DNS Check

DMARC Subdomain Policy (sp) Explained

The DMARC sp tag defines how the DMARC policy applies to subdomains. Without this tag, subdomains inherit the main DMARC policy. With sp, a domain can apply one enforcement level to the parent domain and a different level to subdomains.

One-Minute Fix

Use the sp tag when you want subdomains to follow a different DMARC enforcement policy than the main domain.

DMARC subdomain policy example
DNS TXT
v=DMARC1; p=quarantine; sp=reject; rua=mailto:dmarc@example.com

In this example, the main domain uses quarantine, while subdomains are instructed to use reject.

Re-check

Wrong vs correct setup

Wrong setup

Wrong setup
DNS TXT
v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com

This is not invalid, but it does not define a separate subdomain policy. If you wanted subdomains to be treated differently, this record does not do that.

Correct setup

Correct setup
DNS TXT
v=DMARC1; p=quarantine; sp=reject; rua=mailto:dmarc@example.com

This is the correct pattern when you want a distinct subdomain policy. Subdomains can now be enforced more strictly than the parent domain.

Why this matters

Many organizations use subdomains for marketing, support, product notifications, or delegated senders. Those traffic types may need different enforcement timing or policy strength than the main brand domain.

Why this is a problem

  • Subdomains may inherit the wrong enforcement level.
  • Marketing or delegated senders can behave differently from the primary domain.
  • Lack of a subdomain policy can delay stronger protection where it is needed.
  • Teams may assume subdomains are handled separately when they are not.

How this affects deliverability

Subdomain policy matters when different mail streams have different readiness for enforcement. A thoughtful sp strategy helps protect the brand without forcing every subdomain into the same rollout path.

Common causes

  • Teams assumed subdomains were automatically treated differently.
  • Marketing and product mail used separate subdomains with different maturity levels.
  • Delegated sending domains needed stricter or looser enforcement than the parent domain.
  • The sp tag was never added during DMARC rollout.

What we checked

We reviewed whether the DMARC record includes an sp tag and whether the published subdomain policy matches the domain's intended enforcement strategy.

Live DNS lookup. No login. No saved domains. No tracking.

FAQ

Do subdomains inherit the main DMARC policy by default?

Yes. Without sp, subdomains inherit the main DMARC policy.

Should sp always match p?

Not necessarily. Some domains intentionally use a different policy for subdomains.

Can I make subdomains stricter than the main domain?

Yes. That is a common use case for the sp tag.

Next steps

  • Decide whether your subdomains need a separate enforcement level.
  • Add an sp tag only if a different subdomain policy is truly needed.
  • Review which subdomains actually send mail.
  • Monitor DMARC reports for parent and subdomain traffic separately.
  • Re-run the check after publishing the updated record.
  • Review the full troubleshooting guidance in the DMARC Hub.
  • Explore sender authorization issues in the SPF Hub.
  • Check signing and selector issues in the DKIM Hub.

Related fixes

Explore more issues