
The np Tag: Stop Subdomain Spoofing You Never Send From
Most brands protect the domain they actually send from. Almost nobody protects the subdomains they don’t. That gap is exactly where a lot of phishing lives — and the new DMARC np tag, introduced with the DMARCbis standard published in May 2026, exists to close it.
If you manage email authentication for your organization, adding np is one of the highest-value, lowest-risk changes you can make this year. Here’s what it does and how to deploy it without breaking anything.
The problem: phantom subdomains
DMARC lets you set a policy for your main domain (p=) and for your real subdomains (sp=). But attackers rarely bother spoofing a subdomain you actively use, because that mail is more likely to be scrutinized. Instead they invent one.
Picture your domain is yourbrand.com. You send marketing from mail.yourbrand.com and nothing from secure-billing.yourbrand.com — because that subdomain doesn’t exist. An attacker sends a convincing invoice from secure-billing.yourbrand.com. Because the subdomain has no DNS records at all, older DMARC handling could be inconsistent about what policy applies, and the forged message had a better chance of slipping through.
Non-existent subdomains are attractive to bad actors precisely because no legitimate mail flows from them, so no one is watching.
What the np tag does
The np tag defines a DMARC policy that applies specifically to non-existent subdomains — subdomains that return an NXDOMAIN response, meaning they have no DNS records whatsoever. Like the primary policy, it accepts three values:
np=none— take no action (monitor only)np=quarantine— send failing mail to spamnp=reject— reject failing mail outright
A record using it looks like this:
v=DMARC1; p=quarantine; sp=quarantine; np=reject; rua=mailto:[email protected]
If np is absent, receivers fall back to sp for subdomains, and then to p. By adding np=reject, you tell the world that any mail claiming to come from a subdomain that doesn’t exist should be thrown away — no exceptions.
Why np is safer to enforce than p or sp
Moving your main policy to p=reject is a real project. You have to inventory every service that sends on your behalf, confirm alignment, and watch reports so you don’t accidentally reject your own legitimate mail.
np=reject carries almost none of that risk. By definition, non-existent subdomains send no legitimate mail — there’s nothing to break. That makes np=reject a rare authentication change you can adopt aggressively and early.
How to add the np tag: step by step
- Locate your existing DMARC record. It lives as a TXT record at
_dmarc.yourbrand.com. - Confirm your subdomain policy. Note your current
p=andsp=values so you don’t change enforcement on real subdomains unintentionally. - Append
np=rejectto the record. Keep your reporting address (rua=) so you continue receiving aggregate reports. - Publish and wait for propagation. DNS changes can take up to a day to fully propagate.
- Read your aggregate reports. New DMARCbis reports include an
npfield showing the policy applied, so you can confirm it’s working.
A quick caution worth knowing: not every authoritative name server correctly returns NXDOMAIN when a subdomain has no records. In practice this is rare for well-run DNS, but it’s the reason to monitor reports after deploying rather than assuming the tag is doing its job blindly.
np protects your identity. Verification protects your reputation.
Stopping spoofing is half the battle for a healthy sending domain. The other half is what you send and who you send it to. A domain that authenticates perfectly can still land in spam if it’s mailing invalid addresses, hitting spam traps, or generating complaints from disengaged contacts.
Those bounce and complaint signals shape your domain reputation directly — and a poor reputation undermines the trust your authentication is supposed to build. Verifying your list before you send keeps bounces low and complaints under provider thresholds, so the reputation that np helps defend actually stays worth defending.
Verify before you send
The np tag stops attackers from impersonating you. Clearalist stops your own list from hurting you — removing invalid addresses, spam traps, and risky contacts before they drag down your sender reputation.
Start free — verify 1000 emails, no credit card required →
Frequently asked questions
What is a non-existent subdomain in DMARC terms? It’s a subdomain that returns an NXDOMAIN DNS response — it has no DNS records at all. The np tag applies specifically to mail claiming to originate from these.
Is np=reject safe to enable immediately? For most senders, yes. Non-existent subdomains produce no legitimate mail, so rejecting forged mail from them rarely affects real messages. Monitor your aggregate reports to confirm.
Do I still need sp and p if I use np? Yes. np only covers subdomains that don’t exist. sp governs your real subdomains and p governs your main domain. They work together.
Will the np tag work if my provider doesn’t support DMARCbis yet? Receivers that haven’t adopted the new standard fall back to sp/p behavior. As support rolls out over the multi-year transition, np enforcement becomes more consistent.
Does adding np help my deliverability? Indirectly. Reducing spoofing protects your domain’s reputation and trust signals, which support inbox placement over time.