How to ensure your DMARC record is not inherited by a domain's sub-domains

There are two different tactics to take if you do not want the same policy level on a parent domain's sub-domains: 

  • Create an explicit Domain-based Message Authentication, Reporting, and Conformance (DMARC) record for any sub-domain and specify the policy level you require. 
  • Use the sp tag on your parent domain's DMARC record to specify what policy level you would like your sub domains to have, rather than inheriting from the parent domain.

For example, you can add sp=none to the parent domain's DMARC reject policy so that none of your sub domains inherit the reject policy until you are ready to implement. In this case, a full record example would look like the following: 

v=DMARC1; p=reject; sp=none; fo=1;;



Was this article helpful?
0 out of 0 found this helpful
Have more questions? Submit a request