DMARC Subdomain Policy Not Working (When sp= Ignores Expectations)
The `sp=` tag sets the policy a receiver applies to mail whose From domain is a subdomain of the record owner's organisational domain and that has no `_dmarc` record of its own. It does not change alignment: mail from `news.brand.com` must still align, through SPF or DKIM, with the domain shown in the From header. Teams expect `sp=reject` at `_dmarc.brand.com` to block all subdomain spoofing instantly, then test with `From: phish@brand.com` and see the apex `p` applied instead, because `sp` is never consulted for the organisational domain itself. A second confusion is publishing a `_dmarc` record on `sub.brand.com` with its own tags while forgetting the apex `sp`: that one subdomain gets its own policy and every other subdomain inherits the apex `p`, which looks 'broken' during testing. The first step is confirming that a DMARC record exists at all and that its policy value matches the enforcement goal.
Updated for 2026 to reflect current Gmail, Outlook, and Yahoo behavior.
If policies are not enforced, review the DMARC setup guide.
Learn the bigger picture in our Email Authentication Explained guide and compare SPF vs DKIM vs DMARC to understand how these protocols work together.
Quick answer
- `sp` applies only when the From domain is a subdomain of the organisational domain and has no `_dmarc` record of its own; check which record the receiver actually retrieves.
- Subdomains can publish independent `_dmarc` records that supersede inherited `sp`.
- Alignment compares the SPF or DKIM authenticated domain with the From header domain, not text in the display name.
- Testing with the wrong From domain makes `sp` look inert.
One-Minute Fix
Inventory which domain appears in From, publish DMARC at the matching organisational boundary, set `sp` intentionally, and add dedicated `_dmarc` children only when a subdomain needs divergent policy. Validate with aggregate reports filtered by `header_from` and `policy_evaluated`.
`_dmarc.brand.com TXT "v=DMARC1; p=reject; sp=quarantine; rua=mailto:dmarc@brand.com"`
Here `p` governs mail with `brand.com` in the From header, and `sp` governs subdomains that have no `_dmarc` record of their own.
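The discovery and alignment rules above are easier to trust once you can step through them. The following is an added example, not the page's own tool or code: it implements RFC 7489 policy discovery (`_dmarc.<From domain>` first, then the organisational domain with `sp` taking over) and relaxed/strict identifier alignment over a constructed in-memory DNS table. `ZONE`, `PSL`, `organizational_domain()`, `discover_policy()`, `aligned()` and `evaluate()` are assumed names for this illustration; the public suffix set is a stand-in for the real Public Suffix List.

```python
"""Added example: RFC 7489 policy discovery and identifier alignment.
Not the page's code. All names, zones and addresses below are assumptions."""

# Constructed DNS table standing in for live TXT lookups (assumption, not real zones).
ZONE = {
    "_dmarc.brand.com": ["v=DMARC1; p=reject; sp=quarantine; rua=mailto:dmarc@brand.com"],
    "_dmarc.mail.brand.com": ["v=DMARC1; p=none; rua=mailto:subs@brand.com"],
    "_dmarc.strict.brand.com": ["v=DMARC1; p=reject; aspf=s"],
    # Two DMARC records at one name: discovery must fail rather than pick one.
    "_dmarc.dup.brand.com": ["v=DMARC1; p=reject", "v=DMARC1; p=none"],
}

# Tiny stand-in for the Public Suffix List (assumption; real code loads the PSL).
PSL = {"com", "example", "co.uk"}


def organizational_domain(domain):
    """Longest matching public suffix plus one label (RFC 7489 section 3.2)."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PSL:
            return ".".join(labels[i - 1:])
    return domain.lower()


def parse_dmarc(txt):
    """Split 'k=v; k=v' into a tag dict; keys are lower-cased."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def _lookup(name):
    # Keep only records that start with v=DMARC1 (section 6.6.3, steps 2 and 4).
    return [r for r in ZONE.get(name, []) if r.strip().lower().startswith("v=dmarc1")]


def discover_policy(from_domain):
    """Return (policy, record_domain) or (None, reason) per RFC 7489 section 6.6.3."""
    from_domain = from_domain.lower()
    org = organizational_domain(from_domain)
    records = _lookup("_dmarc." + from_domain)
    source = from_domain
    if not records and from_domain != org:
        # No record at the subdomain: fall back to the organisational domain.
        records = _lookup("_dmarc." + org)
        source = org
    if len(records) != 1:
        # None, or several: discovery terminates and no policy applies.
        return None, "multiple-records" if records else "no-policy"
    tags = parse_dmarc(records[0])
    if "p" not in tags:
        return None, "missing-p"
    # sp is consulted only when a subdomain From fell back to the org record.
    if source != from_domain and "sp" in tags:
        return tags["sp"], source
    return tags["p"], source


def aligned(auth_domain, from_domain, mode):
    """Strict needs an exact match; relaxed needs the same organisational domain."""
    a, f = auth_domain.lower(), from_domain.lower()
    if mode == "s":
        return a == f
    return organizational_domain(a) == organizational_domain(f)


def evaluate(from_domain, spf_domain=None, spf_pass=False, dkim_domain=None, dkim_pass=False):
    """Return ('pass'|'fail'|'no-policy', disposition) as a receiver would decide it."""
    policy, source = discover_policy(from_domain)
    if policy is None:
        return "no-policy", "none"
    tags = parse_dmarc(_lookup("_dmarc." + source)[0])
    aspf, adkim = tags.get("aspf", "r"), tags.get("adkim", "r")
    spf_ok = bool(spf_pass and spf_domain and aligned(spf_domain, from_domain, aspf))
    dkim_ok = bool(dkim_pass and dkim_domain and aligned(dkim_domain, from_domain, adkim))
    if spf_ok or dkim_ok:
        return "pass", "none"
    return "fail", policy


if __name__ == "__main__":
    for d in ("brand.com", "news.brand.com", "mail.brand.com", "dup.brand.com"):
        print(d, "->", discover_policy(d))
    print(evaluate("news.brand.com"))  # sp=quarantine from the apex record
    print(evaluate("strict.brand.com", spf_domain="brand.com", spf_pass=True))  # aspf=s
```

Note the two cases that surprise people: `news.brand.com` with no record of its own gets the apex `sp`, while `brand.com` itself gets `p`, and a raw SPF pass for `brand.com` does nothing for a strict-alignment subdomain.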
Wrong vs correct setup
- Mis-set expectation: expecting `sp=reject` to stop `brand.com` spoofing. Spoofing of the organisational domain itself is controlled by `p` and alignment, not by `sp`.
- Targeted child policy: `_dmarc.mail.brand.com TXT "v=DMARC1; p=none; rua=mailto:subs@brand.com"`. An explicit child `_dmarc` record lets newsletters run under different enforcement while the apex stays strict.
Why sp= surprises teams
DMARC's inheritance rules are subtle, and documentation often compresses them into a single bullet. Product managers then simulate attacks using the wrong From domain and declare DMARC defective. Two other symptoms get blamed on `sp` by mistake: sending paths that pass SPF or DKIM for an unrelated domain and therefore fail alignment, and a `rua` address that never receives reports because the record it sits in is not the one receivers retrieve.
Operational misunderstandings
- False confidence that marketing subdomains inherit apex `p=reject` without alignment checks.
- Legitimate mail from regional subdomains suddenly quarantined after tightening `sp`.
- Multiple DMARC TXT records at one `_dmarc` name: policy discovery fails, so the child ends up with no DMARC policy at all rather than the one you intended.
- Vendor mail that authenticates a bounce subdomain (for example `bounce.brand.com` in the Return-Path) while the From header shows the apex or another subdomain; this passes only under relaxed alignment, and fails once `aspf=s` is set.
Deliverability angle
When `sp` tightens before sources authenticate subdomains, DMARC ‘fails’ legitimate campaigns—better described as intended enforcement, not DNS breakage. Over time, well-tuned DMARC aggregate reports and a clear policy stance are what help inbox providers separate your legitimate traffic from spoofing attempts.
Common causes
- No child `_dmarc` for high-volume marketing hostnames.
- Confusing organisational vs subdomain boundaries in multi-brand holding companies.
- Assuming `sp` changes alignment mode—it does not; `aspf`/`adkim` do.
- Testing with tools that show only the published policy, not the `policy_evaluated` disposition a receiver actually applied.
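The reports themselves settle most `sp` arguments, because `policy_published` records which DMARC record the receiver used and `policy_evaluated` records what it did with each message. The following is an added example, not the page's tool: it parses a constructed RFC 7489 aggregate report (Appendix C layout, made up here for illustration), groups dispositions by `header_from`, and flags sources whose raw SPF or DKIM passed but failed alignment. `SAMPLE_REPORT` and `summarize()` are assumed names.

```python
"""Added example: summarise an RFC 7489 aggregate report by header_from.
Not the page's code. The report below is constructed for illustration."""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed aggregate report (not a real receiver's output) in RFC 7489 Appendix C layout.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>constructed-1</report_id>
    <date_range><begin>1700000000</begin><end>1700086399</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>brand.com</domain>
    <adkim>r</adkim><aspf>r</aspf>
    <p>reject</p><sp>quarantine</sp><pct>100</pct>
  </policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>brand.com</header_from></identifiers>
    <auth_results><dkim><domain>brand.com</domain><result>pass</result></dkim>
      <spf><domain>brand.com</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>192.0.2.20</source_ip><count>35</count>
      <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>news.brand.com</header_from></identifiers>
    <auth_results><dkim><domain>esp.example</domain><result>pass</result></dkim>
      <spf><domain>esp.example</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>3</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>brand.com</header_from></identifiers>
    <auth_results><spf><domain>attacker.example</domain><result>pass</result></spf></auth_results>
  </record>
</feedback>
"""


def summarize(xml_text):
    """Group dispositions by header_from and list raw-pass/alignment-fail sources."""
    root = ET.fromstring(xml_text)
    pub = root.find("policy_published")
    published = {tag: pub.findtext(tag) for tag in ("domain", "p", "sp", "adkim", "aspf")}
    by_from = defaultdict(lambda: defaultdict(int))
    unaligned = []  # (header_from, mechanism, authenticated domain, count)
    for rec in root.iter("record"):
        hf = rec.findtext("identifiers/header_from")
        count = int(rec.findtext("row/count"))
        pe = rec.find("row/policy_evaluated")
        by_from[hf][pe.findtext("disposition")] += count
        # A raw SPF/DKIM pass that DMARC still counts as fail means the domain is unaligned.
        for mech in ("dkim", "spf"):
            raw = rec.find("auth_results/" + mech)
            if raw is not None and raw.findtext("result") == "pass" and pe.findtext(mech) == "fail":
                unaligned.append((hf, mech, raw.findtext("domain"), count))
    # policy_published names the record the receiver used, so a header_from that
    # differs from it was governed by that record's sp rather than its p.
    governing = {hf: ("p" if hf == published["domain"] else "sp") for hf in by_from}
    return {
        "published": published,
        "by_header_from": {hf: dict(d) for hf, d in by_from.items()},
        "unaligned": unaligned,
        "governing_tag": governing,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(SAMPLE_REPORT), indent=2))
```

In the constructed data the newsletter source passes SPF and DKIM for `esp.example` yet is quarantined under `sp`, which is exactly the "raw pass, DMARC fail" pattern to clear before tightening `sp` further.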
What we checked
We validate the organisational `_dmarc` TXT and interpret `sp` relative to your declared From domains. Cross-domain tests require distinct checks per sending pattern.
FAQ
Should sp equal p eventually?
Often, yet marketing ecosystems may warrant softer `sp` while apex stays reject—decide via reports.
Does CNAME flattening affect _dmarc?
Receivers follow a CNAME at `_dmarc.brand.com` and use the TXT record at its target, so if that target is misconfigured or controlled by a vendor you are publishing whatever it returns; verify the authoritative answer for the final name, not just the CNAME.
What about internationalised domains?
Publish `_dmarc` records and authenticate with the punycode (A-label) form consistently; receivers are expected to normalise under IDNA before comparing domains, but mixing U-label and A-label forms invites alignment failures.
Next steps
- Map each sending service to its From domain and subdomain usage.
- Publish explicit `_dmarc` rows for exceptions.
- Tune `sp` only after `rua` confirms impact.
- Communicate changes to marketing partners with example Authentication-Results.
- Revisit after acquisitions merge DNS zones.
- Review the full troubleshooting guidance in the DMARC Hub.
- Explore sender authorization issues in the SPF Hub.
- Check signing and selector issues in the DKIM Hub.