--- title: "DMARC Policies Explained: How to Choose the Right Policy for Your Domain | DMARC Report" description: "DMARC Policies Explained: How to Choose the Right Policy for Your Domain from DMARC Report explains practical steps for email authentication, domain." image: "https://dmarcreport.com/og/blog/dmarc-policies-explained-how-to-choose-the-right-policy-for-your-domain.png" canonical: "https://dmarcreport.com/blog/dmarc-policies-explained-how-to-choose-the-right-policy-for-your-domain/" --- Quick Answer Listen to this blog post below Share [ ](https://www.linkedin.com/sharing/share-offsite/?url=undefined%2Fblog%2Fdmarc-policies-explained-how-to-choose-the-right-policy-for-your-domain%2F "Share on LinkedIn") [ ](https://twitter.com/intent/tweet?text=DMARC%20Policies%20Explained%3A%20How%20to%20Choose%20the%20Right%20Policy%20for%20Your%20Domain&url=undefined%2Fblog%2Fdmarc-policies-explained-how-to-choose-the-right-policy-for-your-domain%2F "Share on X/Twitter") [ ](https://www.facebook.com/sharer/sharer.php?u=undefined%2Fblog%2Fdmarc-policies-explained-how-to-choose-the-right-policy-for-your-domain%2F "Share on Facebook") [ ](https://reddit.com/submit?url=undefined%2Fblog%2Fdmarc-policies-explained-how-to-choose-the-right-policy-for-your-domain%2F&title=DMARC%20Policies%20Explained%3A%20How%20to%20Choose%20the%20Right%20Policy%20for%20Your%20Domain "Share on Reddit") [ ](mailto:?subject=DMARC%20Policies%20Explained%3A%20How%20to%20Choose%20the%20Right%20Policy%20for%20Your%20Domain&body=Check out this article: undefined%2Fblog%2Fdmarc-policies-explained-how-to-choose-the-right-policy-for-your-domain%2F "Share via Email") ![DMARC Policies Explained: How to Choose the Right Policy for Your Domain](https://media.mailhop.org/dmarcreport/images/2022/04/dmarc-record-6071.jpg) ## Try Our Free DMARC Checker Validate your DMARC policy, check alignment settings, and verify reporting configuration. [ Check DMARC Record → ](/tools/dmarc-checker/) Listen to this blog post below > DMARC reporting without automation is like watching security cameras without recording, says Brad Slavin, General Manager of DuoCircle. You see the threats in real time but you can’t go back and investigate. DMARC Report captures and classifies every aggregate and forensic report so your security team has a complete audit trail. DMARC ([RFC 7489](https://datatracker.ietf.org/doc/html/rfc7489)) ties SPF and DKIM together by requiring alignment between the envelope sender and the visible `From` header. According to Google’s February 2024 bulk sender requirements, a DMARC policy of at least `p=none` is now mandatory for any domain sending 5,000+ messages per day to Gmail users. As a domain owner, you choose the power of [DMARC](https://dmarcreport.com/), and its strength is entirely in your hands. However, you must stay informed before picking the \*\*best DMARC policy for your domain. Although there is no right or wrong way to choose a DMARC policy (because it depends on the organization’s needs), some policies help mailbox providers more in filtering malicious messages and **stopping brand spoofing**. It depends on how domain owners choose the [DMARC policy](https://dmarcreport.com/dmarc-policy/). ## What Is DMARC? \_As an email authentication protocol, DMARC (Domain-based Message Authentication, Reporting, and Conformance) prevents malicious actors from spoofing your domain. \_It works combined with two other robust authentication tools, [DKIM](https://dmarcreport.com/blog/dkim-explained-how-dkim-works-and-why-is-dkim-important-for-organizations/) (DomainKeys Identified Mail) and [SPF](https://dmarcreport.com/what-is-spf/) (Sender Policy Framework), to verify the **authenticity of an email**. As of 2025, DMARC is mandatory under multiple compliance frameworks. [CISA BOD 18-01](https://www.cisa.gov/news-events/directives/bod-18-01) requires p=reject for US federal domains. [PCI DSS v4.0](https://www.pcisecuritystandards.org/) mandates DMARC for organizations processing payment card data as of March 2025\. Google and Yahoo require DMARC for bulk senders (5,000+ messages/day) since February 2024, and [Microsoft began rejecting](https://learn.microsoft.com/en-us/defender-office-365/email-authentication-dmarc-configure) non-compliant email in May 2025\. The UK [NCSC](https://www.ncsc.gov.uk/collection/email-security-and-anti-spoofing), Australia’s [ASD](https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/ism/cyber-security-guidelines/guidelines-email), and Canada’s [CCCS](https://www.cyber.gc.ca/en/guidance/implementation-guidance-email-domain-protection) all mandate DMARC for government domains. Cyber insurers increasingly require DMARC enforcement as an underwriting condition. ![Dmarc office](https://media.mailhop.org/dmarcreport/images/2023/07/dmarc-office-365.jpg) In simple words, DMARC helps recipients identify if an email originates from a domain unapproved by the organization and instructs them as to what to do with the unauthorized emails . A domain owner publishes the DMARC policies in its DNS as a **TXT record**. ## Which Options Do You Have for Setting the DMARC Policy? As a domain owner, you will have \*\*three options to set up your DMARC policy: ## 1\. p=none When using this policy, you will not make any decision about the emails. Instead,\_ \_the judgment of the mailbox provider prevails concerning the \*\*approval or rejection of an email failing authentication. Mostly, the mailbox providers will not take any action for emails failing authentication. They will deliver the emails unless it is evident that they are [spam](https://backendnews.net/apt-groups-use-spam-emails-to-launch-attacks-kaspersky/). ## 2\. p=quarantine If an email fails authentication, the ‘_p=quarantine’_ policy will instruct the mailbox providers to \*\*move it to junk or spam folders. These messages can also get blocked. ## 3\. p=reject The **most robust DMARC policy**, it will ensure all [malicious emails](https://www.computerweekly.com/news/252514025/BBC-blasted-with-millions-of-malicious-emails) are stopped. If a message fails the DMARC check, the ‘\_p=reject’ \_policy prevents it from being delivered. ## _p=quarantine:_ What to Expect? With the ‘p=quarantine’ policy, you instruct mailbox providers to move emails that fail the \*\*DMARC check to the recipient’s spam folder. You must remember two important details about these DMARC policies: - The recipient can accept these messages and treat them as spam. They will go to the recipient’s \*\*spam folder for consumer-oriented [mailboxes](https://cybersecuritynews.com/hackers-exploit-zimbra-vulnerability/) (e.g., gmail.com, yahoo.com, hotmail.com). For a business-oriented mailbox (e.g., Google Workgroups, Microsoft 365, Mimecast), these messages can land in a \*\*quarantine folder managed by their IT staff. - Only the recipients witness the impact of \_the ‘p=quarantine’ \_policy. _The senders do not receive notifications; Recipients will notice that the email is being treated as spam_. ## \_p=reject: \_What to Expect? This DMAR policy instructs the recipient mailbox to **reject the email permanently**, and the sending server receives a 5XX series[hard bounce](https://www.campaignmonitor.com/resources/glossary/hard-bounce/#:~:text=A%20hard%20bounce%20is%20an,or%20the%20recipient%20is%20unknown.)) message. Many users consider ‘\_p=reject’ _the_ \_best DMARC policy as it is a \*\*robust protection from unauthenticated emails, including malicious emails and [shadow IT](https://www.forcepoint.com/cyber-edu/shadow-it), that may originate in your domain’s name. ![Gmail dmarc](https://media.mailhop.org/dmarcreport/images/2023/07/gmail-dmarc-7584.jpg) ## Why Is _p=none_ Policy Not Recommended? A ‘_p=none’_ policy means \*\*no action is taken to stop [phishing](https://dmarcreport.com/blog/phishing-smishing-vishing-everything-you-need-to-know/) attacks and protect the information system from malicious emails. Deploying \_‘p=quarantine’ \_or _‘p=reject’_ policies will reflect the true character of DMARC. It would be best to use the _‘p=none’_ policy only \*\*when testing whether your DMARC policies are working correctly and avoid it in practical operational scenarios. ## Final Words: Setting DMARC Policy for Your Domain With the correct information, you can now choose a DMARC policy suitable for your domain. A \*\*policy escalation could be the best suggestion instead of directly jumping to the ‘_p=reject_’ policy. It is safer to start with ‘_p=none’_ and gradually move to ‘_p=quarantine_.’ It is so because ‘_p=none’_ will deliver all your emails to the recipients, and you can analyze the reports and \*\*monitor the emails sent from your domain. Thus, you can segregate authentic sources from unauthentic ones without affecting [deliverability](https://www.entrepreneur.com/growing-a-business/3-ways-to-improve-your-email-deliverability-during-the/440634). Subsequently, you can move to other policies based on your observations about the incoming emails. ## Sources - [CISA Binding Operational Directive 18-01](https://www.cisa.gov/news-events/directives/bod-18-01) - [Microsoft Outlook DMARC Enforcement May 2025](https://learn.microsoft.com/en-us/defender-office-365/email-authentication-dmarc-configure) (2025) - [PCI DSS v4.0 - DMARC Requirement](https://www.pcisecuritystandards.org/) (2025) - [RFC 7489 - Domain-based Message Authentication, Reporting, and Conformance (DMARC)](https://datatracker.ietf.org/doc/html/rfc7489) ## Topics [ dmarc record ](/tags/dmarc-record/)[ dmarc record policy ](/tags/dmarc-record-policy/)[ email security ](/tags/email-security/) ![Vishal Lamba](https://media.mailhop.org/dmarcreport/images/team/vishal-lamba.jpg) [ Vishal Lamba ](/authors/vishal-lamba/) Content Specialist Content Specialist at DMARC Report. Writes vendor-specific email authentication guides and troubleshooting walkthroughs. [LinkedIn Profile →](https://www.linkedin.com/in/vishal-lamba/) ## Take control of your DMARC reports Turn raw XML into actionable dashboards. Start free - no credit card required. [Start Free Trial](https://app.dmarcreport.com/) [Check Your DMARC Record](/tools/dmarc-checker/) ## Related Articles [ Foundational 4m What is a DMARC Policy, and How Does It Affect Sending My Emails? Jul 5, 2023 ](/blog/what-is-a-dmarc-policy-and-how-does-it-affect-sending-my-emails/)[ Foundational 5m 10 Reasons Why Your Website Needs A Robust DMARC Report Monitoring Tool Sep 29, 2023 ](/blog/10-reasons-why-your-website-needs-a-robust-dmarc-report-monitoring-tool/)[ Foundational 7m 4 sectors that need email authentication the most and why Oct 15, 2024 ](/blog/4-sectors-that-need-email-authentication-the-most-and-why/)[ Foundational 4m 7 DMARC Management Service Providers Besides Dmarcian Nov 7, 2023 ](/blog/7-dmarc-management-service-providers-besides-dmarcian/) ```json {"@context":"https://schema.org","@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com","logo":{"@type":"ImageObject","url":"https://dmarcreport.com/images/dmarcreport-logo.png"},"description":"DMARC reporting and email authentication management. Monitor aggregate and forensic DMARC reports, analyze authentication results, and enforce DMARC policies across all your domains.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]},"sameAs":["https://www.wikidata.org/wiki/Q138898167","https://www.linkedin.com/company/duocircle","https://x.com/duocirclellc","https://www.g2.com/products/dmarc-report/reviews","https://github.com/duocircle","https://www.crunchbase.com/organization/duocircle-llc","https://www.trustradius.com/products/duocircle/reviews"],"aggregateRating":{"@type":"AggregateRating","ratingValue":"4.8","reviewCount":"470","bestRating":"5","worstRating":"1","url":"https://www.g2.com/products/dmarc-report/reviews"},"contactPoint":{"@type":"ContactPoint","contactType":"customer support","url":"https://dmarcreport.com/support/"},"knowsAbout":["DMARC","DMARC Reporting","DMARC Aggregate Reports","DMARC Forensic Reports","Sender Policy Framework","DKIM","Email Authentication","Email Security","DNS Management","Email Deliverability"]} ``` ```json {"@context":"https://schema.org","@type":"WebSite","name":"DMARC Report","url":"https://dmarcreport.com","description":"DMARC reporting and email authentication management. Monitor aggregate and forensic DMARC reports, analyze authentication results, and enforce DMARC policies across all your domains.","publisher":{"@type":"Organization","name":"DMARC Report","url":"https://dmarcreport.com","logo":{"@type":"ImageObject","url":"https://dmarcreport.com/images/dmarcreport-logo.png"},"description":"DMARC reporting and email authentication management. Monitor aggregate and forensic DMARC reports, analyze authentication results, and enforce DMARC policies across all your domains.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]}}} ``` ```json [{"@context":"https://schema.org","@type":"BlogPosting","headline":"DMARC Policies Explained: How to Choose the Right Policy for Your Domain","description":"DMARC Policies Explained: How to Choose the Right Policy for Your Domain from DMARC Report explains practical steps for email authentication, domain.","url":"https://dmarcreport.com/blog/dmarc-policies-explained-how-to-choose-the-right-policy-for-your-domain/","datePublished":"2023-07-27T06:34:32.000Z","dateModified":"2026-04-16T15:53:43.000Z","dateCreated":"2023-07-27T06:34:32.000Z","author":{"@type":"Person","@id":"https://dmarcreport.com/authors/vishal-lamba/#person","name":"Vishal Lamba","url":"https://dmarcreport.com/authors/vishal-lamba/","jobTitle":"Content Specialist","description":"Vishal Lamba writes DMARC Report's how-to guides and vendor-specific configuration walkthroughs. His work focuses on step-by-step implementation guides for major email platforms (Google Workspace, Microsoft 365, SendGrid, Mimecast, Proofpoint, Brevo, and others), troubleshooting common SPF and DMARC errors, and translating RFC-level specifications into practical deployment procedures for IT administrators.","image":"https://media.mailhop.org/dmarcreport/images/team/vishal-lamba.jpg","knowsAbout":["SPF Vendor Configuration","Email Platform Integrations","SPF Troubleshooting","Technical Documentation","Step-by-Step Guides"],"worksFor":{"@type":"Organization","name":"DMARC Report","url":"https://dmarcreport.com"},"sameAs":["https://www.linkedin.com/in/vishal-lamba/"]},"publisher":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com","logo":{"@type":"ImageObject","url":"https://dmarcreport.com/images/dmarcreport-logo.png"},"description":"DMARC reporting and email authentication management. Monitor aggregate and forensic DMARC reports, analyze authentication results, and enforce DMARC policies across all your domains.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]},"sameAs":["https://www.wikidata.org/wiki/Q138898167","https://www.linkedin.com/company/duocircle","https://x.com/duocirclellc","https://www.g2.com/products/dmarc-report/reviews","https://github.com/duocircle","https://www.crunchbase.com/organization/duocircle-llc","https://www.trustradius.com/products/duocircle/reviews"],"aggregateRating":{"@type":"AggregateRating","ratingValue":"4.8","reviewCount":"470","bestRating":"5","worstRating":"1","url":"https://www.g2.com/products/dmarc-report/reviews"},"contactPoint":{"@type":"ContactPoint","contactType":"customer support","url":"https://dmarcreport.com/support/"},"knowsAbout":["DMARC","DMARC Reporting","DMARC Aggregate Reports","DMARC Forensic Reports","Sender Policy Framework","DKIM","Email Authentication","Email Security","DNS Management","Email Deliverability"]},"mainEntityOfPage":{"@type":"WebPage","@id":"https://dmarcreport.com/blog/dmarc-policies-explained-how-to-choose-the-right-policy-for-your-domain/"},"articleSection":"foundational","keywords":"dmarc record, dmarc record policy, email security","wordCount":801,"image":{"@type":"ImageObject","url":"https://media.mailhop.org/dmarcreport/images/2022/04/dmarc-record-6071.jpg","caption":"DMARC Policies Explained: How to Choose the Right Policy for Your Domain","width":900,"height":600},"speakable":{"@type":"SpeakableSpecification","cssSelector":[".answer-block","h1"]}}] ``` ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https://dmarcreport.com/"},{"@type":"ListItem","position":2,"name":"Blog","item":"https://dmarcreport.com/blog/"},{"@type":"ListItem","position":3,"name":"Foundational","item":"https://dmarcreport.com/foundational/"},{"@type":"ListItem","position":4,"name":"DMARC Policies Explained: How to Choose the Right Policy for Your Domain","item":"https://dmarcreport.com/blog/dmarc-policies-explained-how-to-choose-the-right-policy-for-your-domain/"}]} ```