What is the DMARC sp= tag and does my policy cover subdomains?

sp= is the optional DMARC tag that sets a separate policy for your subdomains. Without it, every subdomain inherits the policy from your main record's p= tag — so a domain sitting at p=none leaves its subdomains unenforced too. That inheritance matters because spoofers move to subdomains once the main domain is protected: an email claiming to come from accounts.yourbusiness.com.au sails through any gap you leave there. The two common setups:

  • You send no email from subdomains (most small businesses) — add sp=reject, so anything claiming to come from a subdomain is refused outright, even while your main policy is still ramping up through p=none or p=quarantine
  • You do send from subdomains (newsletter.yourbusiness.com.au, for example) — leave sp= out so subdomains inherit p=, or set it explicitly once each sending subdomain's SPF and DKIM are in place

Check yours with MXToolbox's DMARC lookup — the parsed record shows the sp tag when one is present. If you send no subdomain mail, sp=reject is a free hardening step you can add today.
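
The inheritance rules above, as an added example that is not part of the original page: a small offline resolver that parses DMARC TXT values and reports which policy applies to a given From: domain. The record strings are constructed samples, the caller supplies the organisational domain (an assumption; real receivers derive it from the Public Suffix List), and the precedence of a subdomain's own `_dmarc` record follows RFC 7489.

```python
VALID = {"none", "quarantine", "reject"}
ORG = "yourbusiness.com.au"
RECORDS = {  # constructed sample TXT values standing in for live DNS lookups
    "_dmarc.yourbusiness.com.au": "v=DMARC1; p=none; sp=reject; rua=mailto:dmarc@yourbusiness.com.au",
    "_dmarc.newsletter.yourbusiness.com.au": "v=DMARC1; p=quarantine",
}

def parse_dmarc(txt):
    """Return the record's tags as a dict, or None if it is not a DMARC record."""
    tags, first = {}, None
    for part in txt.split(";"):
        name, sep, value = part.partition("=")
        if not sep:
            continue
        name = name.strip().lower()
        if first is None:
            first = name
        tags.setdefault(name, value.strip())
    # v=DMARC1 must be the first tag, and its value is case-sensitive.
    if first != "v" or tags.get("v") != "DMARC1":
        return None
    return tags

def effective_policy(from_domain, org_domain, records):
    """Return (policy, source) for mail claiming to come from from_domain.

    from_domain is assumed to be org_domain itself or one of its subdomains.
    """
    from_domain = from_domain.lower().rstrip(".")
    org_domain = org_domain.lower().rstrip(".")
    is_sub = from_domain != org_domain
    # A domain that publishes its own DMARC record is governed by that
    # record's p=; the organisational sp= only covers subdomains without one.
    own = parse_dmarc(records.get("_dmarc." + from_domain, ""))
    if own is not None:
        tags, key, source = own, "p", "own record p="
    else:
        tags = parse_dmarc(records.get("_dmarc." + org_domain, "")) if is_sub else None
        if tags is None:
            return None, "no DMARC record"
        key = "sp" if "sp" in tags else "p"
        source = "organisational sp=" if key == "sp" else "inherited organisational p="
    # Simplification: a record with an invalid p= or sp= is reported as unusable;
    # the rua-based fallback to p=none in RFC 7489 is not modelled.
    if tags.get("p", "").lower() not in VALID or tags.get("sp", "none").lower() not in VALID:
        return None, "record has invalid p= or sp="
    return tags[key].lower(), source
```

With the sample records, the main domain resolves to none, accounts.yourbusiness.com.au to reject through sp=, and newsletter.yourbusiness.com.au to quarantine through its own record.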