Your organizational domain is at p=reject, but attackers still spoof mail from subdomains you never use — a real one like news.yourdomain.com, or an invented one — and it reaches inboxes.
The sp= tag sets policy for subdomains, but it's a blunt instrument. RFC 7489 §6.3 says a subdomain with no DMARC record inherits the organizational policy — yet in practice some receivers, faced with a non-existent (NXDOMAIN) subdomain, don't walk up to the parent and treat it as “no policy”, letting the spoof through. Omit sp= and subdomains fall back to your p=; invented subdomains stay the weak spot. DMARCbis adds a dedicated np= (non-existent-subdomain) tag precisely to close this — np=reject blocks mail from subdomains that don't exist in DNS. Source: RFC 7489 §6.3 · verified 2026-07-15
sp=reject to your organizational DMARC record.np=reject (DMARCbis) to block invented, non-existent subdomains outright.DNS changes propagate within minutes to 48 hours. Mailbox providers pick up the new records on their next check — most senders see bounces stop within a day of correct configuration.
Formal enforcement targets bulk senders, but partial authentication already costs you inbox placement at every volume — and spoofing protection matters regardless of how much you send.
Hosting support can add DNS records for you, but they don't know which services send as your domain. You (or a monitoring tool reading your DMARC reports) have to provide that list — that's the actual hard part.