DMARC sp Tag

What is the DMARC sp Tag?

The DMARC sp tag defines the policy that applies to subdomains of a domain when evaluating DMARC authentication results. It allows domain owners to set a different enforcement level for subdomains than for the main organizational domain. This tag is optional but especially useful for organizations that want tighter or looser control over subdomain mail behavior.

For example, a company may publish a DMARC record that enforces a reject policy on the root domain but uses a more permissive quarantine or none policy for its subdomains. This flexibility helps administrators gradually deploy DMARC enforcement across complex domain structures without interrupting legitimate mail flow.

How the DMARC sp Tag Works

The sp tag is included as part of the DMARC TXT record in the domain’s DNS configuration. Its syntax follows this format:

In this example, the primary domain uses a reject policy (p=reject), while all subdomains use a quarantine policy (sp=quarantine). Messages sent from any subdomain that fail DMARC authentication will be quarantined rather than rejected outright.

Accepted sp tag values include:

• sp=none – No enforcement; mail is monitored but not filtered
• sp=quarantine – Suspicious mail is delivered to spam or quarantine folders
• sp=reject – Unauthorized mail from subdomains is rejected entirely

If the sp tag is omitted, subdomains automatically inherit the main domain’s DMARC policy.

Use Cases and Best Practices

The DMARC sp tag is particularly useful for large organizations, brands with multiple subdomains, or any business using third-party mail services. It lets them fine-tune protection levels and gradually transition toward stricter enforcement.

Common scenarios include:

• Using sp=none while testing subdomain authentication
• Applying sp=quarantine to reduce risk without blocking mail during rollout
• Setting sp=reject once all legitimate subdomain senders pass DMARC
• Isolating vendor-specific subdomains with different policies for delegated mail streams

To maintain consistency, ensure that every subdomain also has valid SPF and DKIM configurations that align with the organizational domain. Regularly reviewing aggregate DMARC reports (rua) helps confirm that legitimate subdomain traffic is authenticating successfully.

DMARC sp Tag and DMARCeye

DMARCeye provides full visibility into how your subdomain policies are applied and enforced. It tracks the effects of the sp tag across all domains, showing which subdomains are passing, quarantined, or rejected under your DMARC configuration.

The platform’s reporting engine highlights inconsistencies between primary and subdomain policies and recommends adjustments to ensure smooth enforcement. By monitoring authentication results in real time, DMARCeye enables a safe, phased rollout of DMARC protection across every corner of your domain hierarchy.

Sign up for a free trial of DMARCeye today and secure your email domain.

To learn more about DMARC and DMARC-related terms, explore the DMARCeye Glossary.