How DMARC handles subdomains and the sp tag

Provided by: rawatnimisha


1
How DMARC handles subdomains and the sp tag
  • Basics of DMARC Enforcement 
  • DMARC is a strong technique for preserving email
    sender identity. Among many other advantages,
    when correctly implemented, it protects your
    domain from exact-domain spoofing, which is a
    tactic employed by the vast majority of corporate
    email compromises (BEC).
  • However, the term enforcement is not without
    complexity. For DMARC enforcement, your corporate
    domain and all its subdomains must have a
    quarantine policy or a reject policy, and the
    percentage parameter, if utilized, must be set to
    100. If even one subdomain is not enforced, the
    entire domain is not enforced.

2
  • Why is there such a strong preference for
    subdomains to be enforced? The answer is
    straightforward: any subdomain, no matter how
    obscure, can be used to impersonate someone.
  • On how to handle subdomain policies, DMARC
    includes a fairly precise set of rules. We
    discussed how DMARC handles subdomains in email
    addresses in a previous post; in this piece,
    we'll look at particular subdomain policies
    specified with the sp tag.

3
First, some context. 
  • DMARC addresses a significant issue with prior
    authentication systems, SPF and DKIM, by
    mandating alignment between the domains certified
    by those standards and the domain indicated in
    the message's From field. In other words, the
    domain that a human receiver sees in the visible
    From field must be the same domain that SPF or
    DKIM has validated.
  • If a message fails authentication (either because
    it fails SPF or DKIM, or because the From field
    does not match the domain authorized by SPF or
    DKIM), the mail receiver acts on the message in
    accordance with the specified policy in the DMARC
    record.

4
Policy Tags: The p tag
  • The DMARC p tag is used by domain owners to
    describe the policy they want mail recipients to
    apply to any communications that fail
    authentication.
  • They will get DMARC reports if they keep it at
    the default value of p=none, but they will be
    vulnerable to spoofing. The p=none parameter
    instructs receivers to handle messages that fail
    authentication the same way they treat messages
    that pass authentication, that is, to send them
    normally.
  • Enforcement entails employing a policy of
    p=quarantine, which instructs receivers to mark
    any communications that fail authentication as
    spam, or p=reject, which tells receivers to
    delete those messages entirely.

5
The sp tag
  • Unless a DMARC record has been published for a
    specific subdomain, the DMARC policy specified for
    an organizational domain will apply to all
    subdomains by default. Domain owners, on the
    other hand, can use the sp tag (for subdomain
    policy) to specify distinct rules for all
    subdomains.
  • It has the same syntax as the p tag. sp=none
    instructs mail recipients that, regardless of the
    policy selected for the organizational domain,
    they should employ a policy of none for
    subdomains. Receivers are told to quarantine
    failed messages from subdomains when they see
    sp=quarantine, and they are told to reject them
    when they see sp=reject.

6
Implementing the Policies
  • It should be evident why subdomains require
    enforcement policies to be safeguarded. Spoofers
    can send messages from email.company.com if
    company.com is set to p=reject but
    email.company.com is set to p=none. In this
    situation, even with an organizational
    p=reject, spoofers may mimic the brand and
    create all of the issues that DMARC is supposed
    to alleviate, since DMARC was not implemented
    consistently across the domain.
  • Your organization may not use subdomains to
    send email, but receivers are unaware of that.
    As a result, these subdomains can be just as
    effective as the main domain as impersonation
    vectors. In this scenario, DMARC is similar to
    sunscreen. It is only effective where it is
    applied. You must use it everywhere.
  • Moreover, it's quite simple to accomplish. Put
    p=reject on your corporate domain and don't
    change it on any subdomains. Now you're
    completely safe, and no one can send an email
    impersonating you without your specific
    permission.
  • This may seem self-explanatory, but we regularly
    encounter unprotected subdomains that might
    negate the anti-impersonation and anti-fraud
    advantages of bringing DMARC to enforcement.
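
The subdomain rules from the sp tag slide and the email.company.com case above, worked through as an added example (not part of the original presentation). The records are constructed, and the organizational domain is passed in by the caller rather than derived from a public suffix list.

```python
# Added example: constructed DMARC TXT records, keyed by the domain they cover
# (in DNS they are published at _dmarc.<domain>). Not real DNS data.
RECORDS = {
    "company.com": "v=DMARC1; p=reject; rua=mailto:dmarc@company.com",
    "email.company.com": "v=DMARC1; p=none",
}
ENFORCING = {"quarantine", "reject"}

def parse(record):
    """Split a DMARC record into a tag -> value dict (tag names lower-cased)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip().lower()] = value.strip()
    return tags

def effective_policy(from_domain, org_domain, records):
    """Return (policy, pct, source) a receiver applies to mail from from_domain."""
    own = records.get(from_domain)
    if own is not None:
        # A record published for this exact domain takes precedence.
        tags, source = parse(own), from_domain
        policy = tags.get("p", "none")
    else:
        org = records.get(org_domain)
        if org is None:
            return ("none", 100, "no record")
        # Otherwise the organizational domain's record is inherited.
        tags, source = parse(org), org_domain
        policy = tags.get("p", "none")
        if from_domain != org_domain and "sp" in tags:
            policy = tags["sp"]  # sp replaces p, for subdomains only
    return (policy.lower(), int(tags.get("pct", "100")), source)

def is_enforced(from_domain, org_domain, records):
    """Enforced means quarantine or reject, with pct at 100."""
    policy, pct, _ = effective_policy(from_domain, org_domain, records)
    return policy in ENFORCING and pct == 100

def unenforced(domains, org_domain, records):
    """List the domains that keep the whole organization from being enforced."""
    return [d for d in domains if not is_enforced(d, org_domain, records)]
```

Running `unenforced` over every hostname in a DNS zone export shows which subdomain records or sp values still need to change before the domain counts as enforced.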

7
  • Furthermore, if the brand-enhancing features of
    BIMI are of importance to you, you must have
    DMARC enforced on your organizational domain,
    without sp=none, in order to benefit from this
    new standard.
  • Take precautions. Keep your brand safe. Keep your
    consumers safe. Keep your staff safe. Don't make
    your subdomains vulnerable to impersonation.
    Learn to set up DMARC with EmailAuth easily. It
    has a simplified DMARC solution that protects
    your domain from attacks. The setup guide is
    available on EmailAuth. Head over NOW to check
    it out!