DMARC allows domain owners to control how authentication failures are handled for both organizational domains and their subdomains using policy tags.
1. p Tag
The p tag specifies the DMARC policy to be applied to messages that fail DMARC authentication for the organizational (top-level) domain.
By default, this policy also applies to all subdomains, unless overridden.
Example: v=DMARC1; p=quarantine; rua=mailto:CustomID@rua.tdmarc.com; ruf=mailto:name@abc.com; fo=0;
Explanation:
- p=quarantine applies to the top-level domain
- The same policy also applies to all subdomains by default
2. sp Tag
The sp tag allows domain owners to define a separate DMARC policy specifically for subdomains.
If sp is not defined, subdomains inherit the policy defined by p.
Example: v=DMARC1; p=quarantine; sp=none; rua=mailto:CustomID@rua.tdmarc.com; ruf=mailto:name@abc.com; fo=0;
Explanation:
- Top-level domain policy: p=quarantine
- Subdomain policy: sp=none
- Subdomains are monitored only, while the main domain enforces quarantine.
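
The inheritance rule from both sections, as an added Python example (not part of the original article or of any vendor tooling): it parses a DMARC record, resolves the policy that applies to the organizational domain and to its subdomains, and flags records where sp relaxes enforcement below p. The function names and the strict rejection of invalid values are assumptions of this example; the sample records are the two examples above, shortened.

```python
# Added example: resolve effective DMARC policies from the p and sp tags.
POLICY_RANK = {"none": 0, "quarantine": 1, "reject": 2}  # least to most strict


def parse_dmarc(record):
    """Split a DMARC TXT record into a {tag: value} dict (tag names lower-cased)."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate the trailing ';' used in the examples above
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part!r}")
        tags.setdefault(name.strip().lower(), value.strip())  # first occurrence wins
    if tags.get("v") != "DMARC1" or next(iter(tags)) != "v":
        raise ValueError("record must start with v=DMARC1")
    return tags


def effective_policies(record):
    """Return (organizational policy, subdomain policy) after sp inheritance."""
    tags = parse_dmarc(record)
    p = tags.get("p", "").lower()
    if p not in POLICY_RANK:
        # Assumption: this example rejects the record instead of guessing a policy.
        raise ValueError(f"missing or invalid p tag: {p!r}")
    sp = tags.get("sp", p).lower()  # no sp tag: subdomains inherit p
    if sp not in POLICY_RANK:
        raise ValueError(f"invalid sp tag: {sp!r}")
    return p, sp


def subdomains_weaker(record):
    """True when sp is less strict than p, e.g. p=quarantine with sp=none."""
    p, sp = effective_policies(record)
    return POLICY_RANK[sp] < POLICY_RANK[p]


# Constructed samples: the article's two records with the ruf and last tags dropped.
INHERITED = "v=DMARC1; p=quarantine; rua=mailto:CustomID@rua.tdmarc.com;"
OVERRIDDEN = "v=DMARC1; p=quarantine; sp=none; rua=mailto:CustomID@rua.tdmarc.com;"

if __name__ == "__main__":
    for rec in (INHERITED, OVERRIDDEN):
        print(effective_policies(rec), "subdomains weaker:", subdomains_weaker(rec))
```

A True result from subdomains_weaker is the case to review: mail that fails DMARC from any subdomain, including ones that do not exist, is only monitored while the main domain enforces quarantine.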