How to fix “unprotected subdomain (sp=/np=)” from DMARC policy

Your organizational domain is at p=reject, but attackers still spoof mail from subdomains you never use — a real one like news.yourdomain.com, or an invented one — and it reaches inboxes.

Check your domain first — 10 seconds, free, no signup.
See your DMARC policy, SPF lookup count and every issue explained in plain English.
Run the free check →

What this means

The sp= tag sets policy for subdomains, but it's a blunt instrument. RFC 7489 §6.3 says a subdomain with no DMARC record inherits the organizational policy — yet in practice some receivers, faced with a non-existent (NXDOMAIN) subdomain, don't walk up to the parent and treat it as “no policy”, letting the spoof through. Omit sp= and subdomains fall back to your p=; invented subdomains stay the weak spot. DMARCbis adds a dedicated np= (non-existent-subdomain) tag precisely to close this — np=reject blocks mail from subdomains that don't exist in DNS. Source: RFC 7489 §6.3 · verified 2026-07-15

How to fix it

Step 1. If you never send from subdomains, add an explicit sp=reject to your organizational DMARC record.
Step 2. Where your receivers honor it, add np=reject (DMARCbis) to block invented, non-existent subdomains outright.
Step 3. For real sending subdomains (news., mail.), authenticate them first, then bring them to enforcement like the parent.
Step 4. Watch aggregate reports for subdomain sources you don't recognise — that's spoofing probing your gaps.

Frequently asked

How long until fixes take effect?

DNS changes propagate within minutes to 48 hours. Mailbox providers pick up the new records on their next check — most senders see bounces stop within a day of correct configuration.

Does this apply if I send fewer than 5,000 emails a day?

Formal enforcement targets bulk senders, but partial authentication already costs you inbox placement at every volume — and spoofing protection matters regardless of how much you send.

Can I just ask my hosting provider to fix it?

Hosting support can add DNS records for you, but they don't know which services send as your domain. You (or a monitoring tool reading your DMARC reports) have to provide that list — that's the actual hard part.

Don't want to babysit DNS records?
DMARCKeeper monitors your reports, names every sender, and walks you to full p=reject protection.
Start free monitoring →