DMARC np= Tag — Non-existent Subdomain Policy (np)
The DMARC np tag (RFC 9989) sets the policy for mail from subdomains that do not exist in DNS (NXDOMAIN). It closes a spoofing loophole for random non-existent subdomains.
Optional
np=
Inherits from sp= or p=
np=reject
✅ Valid Values
none: No action for non-existent subdomains.
quarantine: Quarantine mail from non-existent subdomains.
reject: Reject mail from non-existent subdomains.
💬 What This Tag Does
Added in RFC 9989 (DMARCbis), the "np" tag specifies the policy for emails from subdomains that don't exist in DNS at all. Before DMARCbis, attackers could spoof addresses like random123.example.com — a subdomain with no DNS records — and potentially slip past subdomain policy checks. Setting np=reject blocks this loophole specifically for non-existent subdomains without affecting your real subdomains.
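The inheritance described above (np, then sp, then p), as an added example that is not code from this page or from the RFC. The function names, the exists_in_dns flag (the caller is assumed to have done the DNS existence check already) and the sample records are constructed for illustration.

```python
# Added example: resolve which DMARC policy tag governs a From domain.
VALID = {"none", "quarantine", "reject"}

def parse_dmarc(record):
    """Split 'v=DMARC1; p=...; np=...' into a {tag: value} dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags

def effective_policy(record, org_domain, from_domain, exists_in_dns):
    """Return (tag, policy) applied to from_domain.

    exists_in_dns is supplied by the caller (assumption: the DNS existence
    check was already done), so the function runs offline.
    """
    tags = parse_dmarc(record)
    org = org_domain.lower().rstrip(".")
    frm = from_domain.lower().rstrip(".")
    if frm == org:
        order = ["p"]
    elif frm.endswith("." + org):
        # Non-existent subdomains consult np first, then fall back.
        order = ["sp", "p"] if exists_in_dns else ["np", "sp", "p"]
    else:
        raise ValueError("from_domain is not under org_domain")
    for tag in order:
        value = tags.get(tag, "").lower()
        if value in VALID:
            return tag, value
    # Choice made by this sketch: refuse records with no usable p= value.
    raise ValueError("record has no usable p= policy")

# Constructed sample records for example.com
STAGED = "v=DMARC1; p=none; sp=quarantine; np=reject"
NO_NP = "v=DMARC1; p=reject; sp=none"

if __name__ == "__main__":
    for rec in (STAGED, NO_NP):
        for dom, exists in (("example.com", True), ("mail.example.com", True),
                            ("random123.example.com", False)):
            print(rec, "|", dom, effective_policy(rec, "example.com", dom, exists))
```

With the second record, random123.example.com resolves to sp=none even though p=reject, which is the gap an explicit np=reject closes.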