We have p=reject on the apex but subdomains are being spoofed
Without sp= DMARC falls back to the apex policy for subdomains, but only if those subdomains have no DMARC record of their own. In practice many organisations publish sp=reject explicitly to make sure unused subdomains can't be spoofed either.
Try this first
- 1Add sp=reject to your DMARC record on _dmarc.yourdomain.com. Example: v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@yourdomain.com
- 2List which subdomains actually send mail, for example news.yourdomain.com for your ESP. For those publish a dedicated _dmarc record with SPF and DKIM for the ESP.
- 3Unused subdomains (old marketing domains, test., etc.) need nothing extra, sp=reject covers them.
- 4Optional: publish null MX records (MX 0 .) on subdomains that never receive mail, RFC 7505. That blocks backscatter.
- 5Verify with dig txt _dmarc.yourdomain.com that the policy is correct and monitor DMARC reports on those subdomains.
When to bring us in
If you have dozens of active subdomains with their own mail flows, it pays to map the full DNS zone before setting sp=reject.
See also
- Our emails land in spam for some recipientsAlmost always an SPF, DKIM, or DMARC setting that is wrong or missing, or a sender name that mimics a well-known brand.
- Someone reports receiving phishing emails "from us"Read: spoofing. Someone is abusing your sender name, not necessarily your actual mailbox.
- An email bounces (NDR): delivery failedThe NDR text usually states the exact reason. Reading it is step one.
None of the above fits?
Describe your situation below. We pass your input plus the steps you already saw to our AI and return tailored next-step advice. If it's too risky to DIY, we'll say so.
Or skip the DIY entirely
Our Managed IT clients do not look these things up. One point of contact, a fixed monthly price, resolved within working hours.