Which subdomains are sending email as your domain

The short version

• Your DMARC reports record the exact domain on every message, subdomains included. Most tools roll that up into your main domain, so you never see it.
• Three kinds of subdomain show up: ones you know, ones worth a look, and ones that are not in your DNS at all.
• You cannot always tell a forgery from a tool you forgot, and that is fine. The goal is to see them, then decide.
• Two DMARC settings close the gap: np for subdomains that do not exist, sp for the ones that do.

Why subdomains are a blind spot

Every row in a DMARC aggregate report carries the full From domain the message used, subdomains and all. The data is there. The problem is what most dashboards do with it: they group everything under the parent domain, or they make you add each subdomain as a separate, separately billed domain before they will show it to you. So the subdomain story sits in your reports, just not on your screen.

That matters because a lot of mail does not come from your apex domain. Marketing goes out from news.yourdomain.com, invoices from billing.yourdomain.com, app notifications from mail.yourdomain.com. Some of those are set up correctly. Some were stood up by a team that never told you, and never configured authentication. And some were never created by you at all.

Spoofers love subdomains

A From address does not have to exist in DNS to be written on a message. That is the whole trick behind subdomain spoofing, sometimes called SubdoMailing: attackers fan out across many invented subdomain names like login-7fq.yourdomain.com, each sending a little, specifically to slip past tools that only watch your main domain. To a parent-only dashboard it is invisible. In your raw reports, it is a cluster of subdomain names you have never heard of.

The three buckets, in plain English

• Known. Aligned mail from a subdomain you recognize. This is your real mail, authenticating normally.
• Worth a look. A subdomain that exists in your DNS but is sending mail that fails authentication. It could be a legitimate tool nobody set up for DMARC, or someone forging a real subdomain. Worth a human look.
• Not in your DNS. Mail claiming a subdomain that does not exist in your DNS. A forgery, or a tool you set up and forgot. We do not call it an attacker on your behalf, because a report cannot prove intent.

Telling a real one from a forgery

Here is the honest part: you often cannot, from the report alone. A message from a recognized mail provider is not proof of legitimacy, because shared sending platforms carry plenty of forged From addresses on the same infrastructure as real customers. So the useful signals are whether the subdomain actually exists in your DNS, and whether its mail aligns. The rest is your call, made with context a report does not have. For the wider triage of sources you do not recognize, see unknown senders, explained.

Closing the gap: np and sp

DMARCbis gives you two settings aimed squarely at subdomains. They are the fix once you can see the problem.

• np (non-existent-subdomain policy). Tells receivers to reject mail from subdomains that do not exist. It blocks the forged login-7fqnames with no effect on real mail. One caveat: a wildcard DNS record makes every subdomain "exist," which quietly neutralizes np.
• sp (subdomain policy). The policy for the subdomains that do exist. If your main policy is reject but sp is weaker, your real subdomains are less protected than your apex. Matching sp to your main policy closes that.

Both are a one-line DNS change, and both ride the same enforcement safety net as the rest of your record. For the full picture of what DMARCbis added, read what changed in DMARCbis.

How DMARC tools show you subdomains

Every major DMARC tool can surface some per-subdomain view. The real difference is how you get to it. Most either tax it per subdomain, making you add each one as a separate billed domain, or gate the per-subdomain report behind a sales-led enterprise plan. We include it on every plan, with the one-click np and sp fixes built in.

Provider	Subdomain visibility, and the catch
	Every subdomain that sends as you, on every plan. No per-subdomain billing, plus one-click fixes to close subdomain spoofing gaps.
PowerDMARC	Auto-detects subdomains on paid plans. Actively managing one, for hosted DKIM, counts as an additional billable domain.
EasyDMARC	Subdomain detection on paid plans. To monitor a subdomain on its own, you add it as a separate billable domain against your quota.
dmarcian	Subdomains roll up under the parent. To manage one on its own you promote it to a top-level domain, which uses a domain slot on a per-domain plan.
Valimail	A per-subdomain report, but only on the sales-led Enforce Premium and Enterprise tiers, and included on request.

All four offer some per-subdomain view; the difference is how you get to it. Taken from each vendor's own documentation, verified as of June 2026. Plans change, so check the vendor for current terms.

Want the full pricing picture? See how we compare.