Quick Answer

By default, your root domain's DMARC record applies to all subdomains. Control subdomain policy with the sp= tag: sp=none (subdomains monitored only), sp=quarantine, sp=reject. Or publish a separate DMARC record on individual subdomains for independent policies. Common setup: root domain at p=reject (fully enforced) with sp=none (subdomains still being configured). Advance sp= alongside p= as you authenticate each subdomain.

DMARC for Subdomains: sp= Tag and Policy Inheritance

By Braedon · Mailflow Authority · Email Authentication · Updated 2026-03-31

How Subdomain DMARC Works

Inheritance (Default)

_dmarc.yourdomain.com  TXT  v=DMARC1; p=reject; rua=mailto:[email protected]

With no sp= tag:

  • yourdomain.com → p=reject
  • marketing.yourdomain.com → inherits p=reject
  • mail.yourdomain.com → inherits p=reject
  • ANY.yourdomain.com → inherits p=reject

With sp= Tag

_dmarc.yourdomain.com  TXT  v=DMARC1; p=reject; sp=none; rua=mailto:[email protected]

  • yourdomain.com → p=reject (fully enforced)
  • marketing.yourdomain.com → sp=none (monitoring only)
  • mail.yourdomain.com → sp=none (monitoring only)

This protects the root domain while subdomains are still being configured.

Per-Subdomain Override

_dmarc.yourdomain.com             TXT  v=DMARC1; p=reject; sp=none
_dmarc.marketing.yourdomain.com   TXT  v=DMARC1; p=reject
_dmarc.mail.yourdomain.com        TXT  v=DMARC1; p=quarantine

  • yourdomain.com → p=reject
  • marketing.yourdomain.com → p=reject (its own DMARC record overrides the parent's sp=none)
  • mail.yourdomain.com → p=quarantine (its own DMARC record)
  • support.yourdomain.com → sp=none (no record of its own, so the parent's sp=none applies)

Common Scenarios

Scenario 1: Root Domain Enforced, Subdomains Not Yet Ready

_dmarc.yourdomain.com  TXT  v=DMARC1; p=reject; sp=none; rua=mailto:[email protected]

Root is protected. Subdomains are monitored but not enforced. Work through subdomain authentication at your pace.

Scenario 2: Everything Enforced

_dmarc.yourdomain.com  TXT  v=DMARC1; p=reject; rua=mailto:[email protected]

No sp= tag → subdomains inherit p=reject. Only safe when ALL subdomains that send email have proper authentication.

Scenario 3: Gradual Subdomain Enforcement

_dmarc.yourdomain.com             TXT  v=DMARC1; p=reject; sp=quarantine
_dmarc.marketing.yourdomain.com   TXT  v=DMARC1; p=reject  (authenticated, full enforcement)

Root at reject. Default subdomains at quarantine. Specific authenticated subdomains overridden to reject.
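
The policy-discovery rules above (a subdomain's own record first; otherwise the organizational domain's sp=; otherwise its p=) and the three scenarios can be checked with a small resolver. The following Python is an added example, not code from the article or from Mailflow Authority: it runs against a constructed in-memory table of TXT records (the yourdomain.com records from the per-subdomain override example, plus example.net and example.org standing in for Scenarios 2 and 3) rather than live DNS, and it approximates the organizational domain as the last two labels, where a real implementation would consult the Public Suffix List.

```python
"""Resolve the effective DMARC policy for a sending domain.

Added example (not from the original article). It models RFC 7489 policy
discovery against a constructed, in-memory DNS table instead of live DNS:
  1. look up _dmarc.<domain>;
  2. if absent, look up _dmarc.<organizational domain> and use its sp=
     (falling back to p= when sp= is absent).
The organizational domain is approximated as the last two labels; a real
implementation consults the Public Suffix List.
"""

# Constructed zone data mirroring the article's examples (assumption: these
# names and records are illustrative, not real DNS).
DNS_TXT = {
    # "Per-Subdomain Override" example
    "_dmarc.yourdomain.com": "v=DMARC1; p=reject; sp=none",
    "_dmarc.marketing.yourdomain.com": "v=DMARC1; p=reject",
    "_dmarc.mail.yourdomain.com": "v=DMARC1; p=quarantine",
    # Scenario 2: no sp= tag at all, so subdomains inherit p=
    "_dmarc.example.net": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.net",
    # Scenario 3: default subdomains at quarantine, one subdomain overridden
    "_dmarc.example.org": "v=DMARC1; p=reject; sp=quarantine",
    "_dmarc.marketing.example.org": "v=DMARC1; p=reject",
}


def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=reject; sp=none' into {'v': 'DMARC1', 'p': 'reject', 'sp': 'none'}."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def organizational_domain(domain: str) -> str:
    # Simplification: treat the last two labels as the organizational domain.
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def effective_policy(domain: str, dns: dict = DNS_TXT) -> tuple:
    """Return (policy, source); source names the record and tag that decided it."""
    domain = domain.lower().strip(".")
    own = dns.get(f"_dmarc.{domain}")
    if own is not None:
        tags = parse_dmarc(own)
        if tags.get("v", "").upper() == "DMARC1" and "p" in tags:
            return tags["p"].lower(), f"_dmarc.{domain} p="
    org = organizational_domain(domain)
    if org == domain:
        return "none", "no DMARC record"  # the org domain itself has no record
    org_rec = dns.get(f"_dmarc.{org}")
    if org_rec is None:
        return "none", "no DMARC record"
    tags = parse_dmarc(org_rec)
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return "none", "no valid DMARC record"
    if "sp" in tags:
        return tags["sp"].lower(), f"_dmarc.{org} sp="
    return tags["p"].lower(), f"_dmarc.{org} p= (sp= absent, inherited)"


if __name__ == "__main__":
    for d in ["yourdomain.com", "marketing.yourdomain.com", "mail.yourdomain.com",
              "support.yourdomain.com", "notify.example.net", "www.example.org",
              "marketing.example.org"]:
        policy, source = effective_policy(d)
        print(f"{d:28} -> {policy:10} ({source})")
```

Running it prints one line per domain with the policy that applies and the record and tag that decided it: the support.yourdomain.com line shows the sp=none fallback, marketing.yourdomain.com shows its own record winning over the parent's sp=, and notify.example.net shows the Scenario 2 case where a missing sp= means p=reject is inherited.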

The Advancement Path for Subdomains

  1. Start: p=reject; sp=none — root protected, subdomains monitored
  2. Authenticate each subdomain: SPF, DKIM for each sending subdomain
  3. Verify in DMARC reports: All subdomain senders pass authentication
  4. Advance: sp=quarantine → then sp=reject
  5. Or: Publish individual subdomain DMARC records for fine-grained control

Common Mistakes

  1. Setting p=reject without sp= when subdomains send email. Subdomains inherit reject → unauthenticated subdomain email is blocked.
  2. Forgetting that non-email subdomains are affected. Even subdomains that never send email are subject to DMARC: if someone spoofs mail from a non-email subdomain, the sp= (or inherited p=) policy decides what happens to it.
  3. Not checking subdomain DMARC reports. Authentication failures for subdomains without their own DMARC record appear in the parent domain's DMARC reports. Review them.
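
Step 3 of the advancement path and mistake 3 above come down to one check: for each subdomain that shows up in the parent domain's aggregate reports, did every sender pass DMARC? The Python below is an added example, not tooling from the article or from Mailflow Authority. It parses a constructed RFC 7489 aggregate (rua) report embedded in the script (the source IPs, counts and report_id are made up) and reports which subdomains of yourdomain.com are ready for sp= to advance and which still have failing senders to track down.

```python
"""Summarize DMARC aggregate (rua) report rows per header-From subdomain.

Added example (not from the original article). It parses a constructed
RFC 7489 aggregate report (embedded below; not a real report) and answers
whether every sender under each subdomain passed DMARC.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample report. IPs (documentation ranges), counts and the
# report_id are made up for illustration.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>example-receiver</org_name>
    <report_id>12345</report_id>
    <date_range><begin>1700000000</begin><end>1700086400</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>yourdomain.com</domain><p>reject</p><sp>none</sp><pct>100</pct>
  </policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>marketing.yourdomain.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>30</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>support.yourdomain.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>192.0.2.11</source_ip><count>5</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>support.yourdomain.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>203.0.113.5</source_ip><count>400</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
  </record>
</feedback>
"""


def summarize_by_domain(report_xml: str) -> dict:
    """Return {header_from: {'pass': n, 'fail': n, 'failing_ips': set}}.

    A row counts as a DMARC pass when aligned DKIM or aligned SPF passed in
    <policy_evaluated>; that is the DMARC pass condition.
    """
    root = ET.fromstring(report_xml)
    summary = defaultdict(lambda: {"pass": 0, "fail": 0, "failing_ips": set()})
    for rec in root.findall("record"):
        domain = rec.findtext("identifiers/header_from", "").strip().lower()
        row = rec.find("row")
        count = int(row.findtext("count", "0"))
        dkim = row.findtext("policy_evaluated/dkim", "fail")
        spf = row.findtext("policy_evaluated/spf", "fail")
        if dkim == "pass" or spf == "pass":
            summary[domain]["pass"] += count
        else:
            summary[domain]["fail"] += count
            summary[domain]["failing_ips"].add(row.findtext("source_ip", ""))
    return dict(summary)


def subdomains_ready_for_enforcement(report_xml: str, org_domain: str) -> dict:
    """Map each subdomain of org_domain to True when all of its rows passed DMARC."""
    summary = summarize_by_domain(report_xml)
    return {
        d: stats["fail"] == 0
        for d, stats in summary.items()
        if d != org_domain and d.endswith("." + org_domain)
    }


if __name__ == "__main__":
    for d, stats in sorted(summarize_by_domain(SAMPLE_REPORT).items()):
        print(f"{d:28} pass={stats['pass']:5} fail={stats['fail']:5} "
              f"failing_ips={sorted(stats['failing_ips'])}")
    print(subdomains_ready_for_enforcement(SAMPLE_REPORT, "yourdomain.com"))
```

In the sample, marketing.yourdomain.com passes on every row and is ready for enforcement, while support.yourdomain.com still has an unauthenticated sender at 198.51.100.7 that must be given SPF/DKIM (or retired) before sp= moves past none. Real reports arrive as gzipped or zipped XML attachments; feed the decompressed XML to the same functions.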

Practitioner note: When I advance DMARC to p=reject, I always set sp=none initially. This protects the root domain while giving me time to audit all subdomains. It's surprising how many subdomains send email — marketing, support, notifications, monitoring alerts. Each needs authentication before sp= can be advanced.

Practitioner note: The per-subdomain override is powerful for agencies. Each client's subdomain (marketing.clienta.com) can have its own DMARC policy independent of the parent domain. As each client's authentication is verified, their subdomain advances to p=reject independently.

For the full DMARC advancement process, see the DMARC setup guide. For DNS configuration details, see the DNS configuration guide. If you need DMARC configured across multiple subdomains, schedule a consultation.

Sources

  • RFC 7489: DMARC (Section 6.6.3 — Subdomain Policy)
  • dmarcian: Subdomain Policy

v1.0 · March 2026

Frequently Asked Questions

Does my DMARC record automatically apply to subdomains?

Yes. If you publish DMARC on yourdomain.com, it applies to all subdomains (marketing.yourdomain.com, mail.yourdomain.com, etc.) by default. For a subdomain with no DMARC record of its own, the policy applied is the sp= tag value, or, if sp= is absent, the p= value.

What is the sp= tag?

sp= (subdomain policy) controls what happens when email from subdomains fails DMARC. sp=none: monitor only. sp=quarantine: send to spam. sp=reject: block. If sp= is absent, subdomains inherit the p= policy. Use sp= when you want different policies for subdomains vs root domain.

Can I set different DMARC policies for different subdomains?

Yes. Publish a DMARC record directly on the subdomain: _dmarc.marketing.yourdomain.com TXT v=DMARC1; p=reject. This overrides the parent domain's sp= policy for that specific subdomain. Useful when some subdomains are fully authenticated and others aren't.

Should I start with sp=none even if my root is at p=reject?

Yes, if you have subdomains that send email and haven't verified their authentication. A root domain at p=reject with sp=reject will block subdomain email that fails authentication. Start sp=none → verify subdomain auth → advance sp= to match p=.

What if I don't have the sp= tag?

If sp= is absent, subdomains inherit the p= value. If p=reject and no sp= tag: subdomains are also at reject. This is fine if all subdomains are authenticated. Risky if any subdomain sends unauthenticated email.

Want this handled for you?

Free 30-minute strategy call. Walk away with a plan either way.