DMARC Policies

Choose the right DMARC policy for your domain

The DMARC policy (p= tag) tells receiving mail servers what to do with messages that fail DMARC authentication. There are three options — none, quarantine, and reject — and every domain should follow the same path from monitoring to full enforcement.

Per RFC 7489, the policy applies only when BOTH SPF alignment and DKIM alignment fail. If either one passes and aligns, the message passes DMARC regardless of the policy.

The Three Policies

none, quarantine, reject

Each policy is a step on the enforcement journey. Start with visibility, build confidence, then enforce.

p=none Monitor Only

See everything. Block nothing.

Receiving mail servers take no enforcement action on messages that fail DMARC. They still send aggregate reports back to the domain owner, providing full visibility into every source sending email from the domain.

Example Record
v=DMARC1; p=none; rua=mailto:dmarc@example.com
Advantages
  • Zero risk to legitimate email delivery
  • Full visibility into all sending sources via aggregate reports
  • Required first step — you must monitor before enforcing
  • Satisfies Google/Yahoo minimum requirement for bulk senders
Limitations
  • Provides no protection against spoofing or phishing
  • Attackers can still send email as your domain and it will be delivered
  • Does not improve domain reputation with receivers
When to use

Always start here. Deploy p=none with rua= reporting and monitor for at least 90 days. Use this phase to identify every legitimate sender, fix their SPF/DKIM configuration, and confirm alignment before moving to enforcement.

What happens to a failing email
  1. Email fails SPF + DKIM alignment
  2. Receiver checks DMARC policy: p=none
  3. Email delivered normally to inbox
  4. Aggregate report sent to domain owner

p=quarantine Route to Spam

Suspicious mail goes to spam. Legitimate mail keeps flowing.

Messages that fail DMARC are routed to the recipient's spam or junk folder. The message still exists — recipients can find it if they look — but it is clearly flagged as suspicious. This is the safety-net enforcement step.

Example Record
v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com
Advantages
  • Active protection — spoofed messages leave the inbox
  • Safety net for misconfigured senders (messages are not lost)
  • Signals to receivers that you take email security seriously
  • Good middle ground during the enforcement transition
Limitations
  • Legitimate senders with broken authentication land in spam
  • Recipients may not check spam folders, causing missed emails
  • Some receivers treat quarantine as reject in practice
When to use

After 90+ days at p=none with all legitimate senders identified and passing authentication. Move here only when your aggregate reports show consistent SPF/DKIM alignment for every authorized source.

What happens to a failing email
  1. Email fails SPF + DKIM alignment
  2. Receiver checks DMARC policy: p=quarantine
  3. Email routed to spam/junk folder
  4. Aggregate report sent to domain owner

p=reject Block Entirely

Full enforcement. Spoofed mail never arrives.

Messages that fail DMARC are rejected at the SMTP level — the recipient never sees them and the sending server receives a bounce. This is the strongest protection and the ultimate goal for every domain.

Example Record
v=DMARC1; p=reject; rua=mailto:dmarc@example.com
Advantages
  • Maximum protection against domain spoofing and phishing
  • Attackers cannot deliver email impersonating your domain
  • Highest domain reputation signal to receiving mail servers
  • Qualifies for BIMI (Brand Indicators for Message Identification)
Limitations
  • Misconfigured legitimate senders are blocked completely — not even spam
  • Email forwarding chains that break alignment will fail
  • Requires thorough monitoring before deployment
When to use

After 90+ days at p=quarantine with clean aggregate reports. All legitimate senders must consistently pass SPF or DKIM alignment. The full journey from p=none to p=reject typically takes 9 to 18 months.

What happens to a failing email
  1. Email fails SPF + DKIM alignment
  2. Receiver checks DMARC policy: p=reject
  3. Email rejected at SMTP — never delivered
  4. Aggregate report sent to domain owner

The Journey

The path to full enforcement

Every domain follows the same progression. The timeline depends on complexity — more senders means more time to configure. Plan for 9 to 18 months from first record to full p=reject.

Phase 1: Monitor (p=none, 90+ days minimum)

Publish DMARC record with p=none and rua= reporting. Analyze aggregate reports to identify every source sending email from your domain. Fix SPF and DKIM for all legitimate senders.

Phase 2: Quarantine (p=quarantine, 90+ days minimum)

Move to p=quarantine. Start with pct=10 and gradually increase. Monitor reports for any newly affected senders. Fix remaining authentication issues.

Phase 3: Reject (p=reject, ongoing)

Advance to p=reject with full confidence that all legitimate email passes. Continue monitoring — new senders, IP changes, and vendor updates can break authentication at any time.

Total timeline: 9-18 months

Organizations with few senders may reach p=reject faster. Complex environments with dozens of third-party services take longer. The key is data-driven decisions — never skip monitoring phases.

Gradual Rollout

The pct= tag: enforcement with a safety net

The pct= tag controls what percentage of failing messages receive the enforcement action. Messages outside the percentage are treated as if the policy were p=none. This lets you gradually roll out enforcement while monitoring for problems.

Example
v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@example.com

25% of failing messages are quarantined. The remaining 75% are delivered normally.

  • pct=10 (2-4 weeks): Apply enforcement to 10% of failing messages. The remaining 90% are treated as p=none. Good for initial testing.
  • pct=25 (2-4 weeks): Increase to 25%. Monitor aggregate reports for any newly affected legitimate senders.
  • pct=50 (2-4 weeks): Half of failing messages now get the enforcement action. Most issues are surfaced by this stage.
  • pct=100 (Permanent): Full enforcement. All messages that fail DMARC alignment receive the published policy action. This is the default when pct= is not specified.

DNS TXT record at _dmarc.example.com:
v=DMARC1; p=reject; sp=quarantine; rua=...
  • example.com: p=reject
  • *.example.com: sp=quarantine

Main domain is fully enforced. Subdomains are quarantined while being configured.

Subdomain Policy

The sp= tag: subdomain control

The sp= tag sets a separate DMARC policy for subdomains. Without it, subdomains inherit the main domain's p= policy. This is useful when your main domain is ready for enforcement but subdomains need more time.

  • sp=none — subdomains are monitored while being configured
  • sp=quarantine — subdomains get intermediate enforcement
  • sp=reject — subdomains are fully enforced (same as no sp= when p=reject)
  • Omitting sp= — subdomains inherit the p= policy
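
To check what a published record actually enforces, the sketch below parses a record and reports the policy for the domain and its subdomains after the pct= and sp= defaults described above are applied. It is an added example, not code from this site; the names parse_dmarc and audit are hypothetical and the sample records are constructed.

```python
POLICIES = ("none", "quarantine", "reject")  # ordered weakest to strongest

def parse_dmarc(record):
    """Split a DMARC TXT value into a {tag: value} dict; v=DMARC1 must come first."""
    pairs = [part.split("=", 1) for part in record.split(";") if "=" in part]
    tags = {key.strip().lower(): value.strip() for key, value in pairs}
    if not pairs or pairs[0][0].strip().lower() != "v" or tags["v"] != "DMARC1":
        raise ValueError("record must begin with v=DMARC1")
    if tags.get("p", "").lower() not in POLICIES:
        raise ValueError("missing or invalid p= tag")
    return tags

def audit(record):
    """Return the policy each scope gets, plus warnings drawn from the pitfalls on this page."""
    tags = parse_dmarc(record)
    p = tags["p"].lower()
    sp = tags.get("sp", p).lower()       # omitted sp=: subdomains inherit p=
    pct = int(tags.get("pct", "100"))    # omitted pct=: full enforcement
    if sp not in POLICIES or not 0 <= pct <= 100:
        raise ValueError("invalid sp= or pct= value")
    warnings = []
    if "rua" not in tags:
        warnings.append("no rua=: no aggregate reports will arrive")
    if p == "none":
        warnings.append("p=none: failing mail is still delivered")
    elif pct < 100:
        warnings.append(f"pct={pct}: only {pct}% of failing mail gets p={p}")
    if POLICIES.index(sp) < POLICIES.index(p):
        warnings.append(f"subdomains get sp={sp}, weaker than p={p}")
    return {"domain": p, "subdomains": sp, "pct": pct, "warnings": warnings}

# Constructed sample records; example.com is a placeholder domain.
SAMPLES = [
    "v=DMARC1; p=none",
    "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@example.com",
    "v=DMARC1; p=reject; sp=quarantine; rua=mailto:dmarc@example.com",
    "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
]

if __name__ == "__main__":
    for record in SAMPLES:
        print(record, "->", audit(record))
```
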
Avoid These

Common DMARC policy mistakes

These are the errors we see most often in DMARC deployments. Every one of them is preventable with proper monitoring and a phased approach.

Enforcing too fast

Jumping to p=reject without at least 90 days at p=none causes legitimate email to be blocked. Marketing platforms, CRM tools, and ticketing systems often fail DMARC if not properly configured.

No monitoring after enforcement

DMARC is not set-and-forget. New sending sources, IP changes, and vendor updates can break authentication at any time. Continuous monitoring catches problems before they affect delivery.

Ignoring third-party senders

Every service that sends email on your behalf — Mailchimp, HubSpot, Salesforce, Zendesk — must have SPF includes or DKIM signing configured. Missing even one causes failures at enforcement.

Forgetting subdomains

Without an sp= tag, subdomains inherit the main domain policy. But if you enforce p=reject without checking subdomain senders, you may block legitimate subdomain email. Set sp= explicitly.

Publishing without rua=

Publishing a DMARC record without rua= reporting is flying blind. You have no visibility into authentication results, no way to detect spoofing, and no data to make enforcement decisions.

Using relaxed alignment when strict is needed

Relaxed alignment (default) lets mail.example.com align with example.com. For most organizations this is correct, but high-security domains may need strict alignment to prevent subdomain abuse.
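
The pass rule stated at the top of this page (either SPF or DKIM must pass and align) and the relaxed/strict distinction above can be checked side by side. This is an added example, not code from this site: the function names are hypothetical, ORG_DOMAINS is a constructed stand-in for the Public Suffix List lookup a real receiver performs, and each message is assumed to carry a single DKIM signature.

```python
# Constructed list of organizational domains; real receivers derive the
# organizational domain from the Public Suffix List.
ORG_DOMAINS = {"example.com", "bulk-sender.test"}

def org_domain(domain):
    """Return the longest-known organizational domain that 'domain' falls under."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in ORG_DOMAINS:
            return candidate
    return ".".join(labels)

def aligned(auth_domain, from_domain, mode):
    """mode 's' = strict (exact match); 'r' = relaxed (same organizational domain)."""
    if not auth_domain:
        return False
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    if mode == "s":
        return a == f
    return org_domain(a) == org_domain(f)

def dmarc_result(from_domain, spf, dkim, aspf="r", adkim="r"):
    """spf = (result, envelope-sender domain); dkim = (result, d= domain)."""
    spf_ok = spf[0] == "pass" and aligned(spf[1], from_domain, aspf)
    dkim_ok = dkim[0] == "pass" and aligned(dkim[1], from_domain, adkim)
    return "pass" if (spf_ok or dkim_ok) else "fail"

if __name__ == "__main__":
    # Third-party platform signing with a subdomain key: relaxed passes, strict fails.
    spf, dkim = ("pass", "bounce.bulk-sender.test"), ("pass", "mail.example.com")
    print(dmarc_result("example.com", spf, dkim))             # relaxed DKIM alignment
    print(dmarc_result("example.com", spf, dkim, adkim="s"))  # strict DKIM alignment
    # Forwarded mail: SPF breaks, but an exactly aligned DKIM signature survives.
    print(dmarc_result("example.com", ("fail", "forwarder.test"), ("pass", "example.com")))
    # Vendor never configured for this domain: both pass, neither aligns.
    vendor = ("pass", "bulk-sender.test")
    print(dmarc_result("example.com", vendor, vendor))
```

The last case is the "ignoring third-party senders" mistake: SPF and DKIM both pass for the vendor's own domain, yet DMARC fails because neither aligns with the From domain.
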

FAQ

DMARC policy questions

What is the best DMARC policy?

The best DMARC policy is p=reject, which provides maximum protection against domain spoofing. However, you must reach p=reject through a phased approach: start at p=none (monitor for 90+ days), move to p=quarantine (90+ days), then enforce p=reject. Jumping directly to reject causes legitimate email to be blocked.

How long should I stay at p=none before enforcing?

Stay at p=none for a minimum of 90 days — one full quarter. This gives you enough aggregate report data to identify all legitimate sending sources and fix their authentication. Some organizations with many third-party senders may need longer. The full journey to p=reject typically takes 9 to 18 months.

Does p=quarantine provide enough protection?

Quarantine is a meaningful step up from p=none because spoofed messages no longer reach the inbox. However, they still exist in the spam folder. For full protection, p=reject is the goal — it prevents spoofed messages from being delivered at all. Some compliance frameworks (like PCI DSS v4.0) specifically require p=reject.

What happens if I set p=reject and a legitimate sender fails?

The legitimate sender's email will be rejected — the recipient will not receive it. This is why monitoring at p=none and p=quarantine is essential before enforcing. Use the pct= tag to gradually roll out enforcement (pct=10 to start) so you can catch misconfigurations before they affect all email.

Can I have different policies for my domain and subdomains?

Yes. The sp= (subdomain policy) tag lets you set a separate policy for subdomains. For example, you might enforce p=reject on your main domain while keeping sp=none on subdomains that are still being configured. If sp= is not set, subdomains inherit the main domain's policy.

What is the pct= tag and how should I use it?

The pct= tag controls what percentage of failing messages receive the enforcement action. At pct=10, only 10% of failing messages are quarantined or rejected — the rest are treated as p=none. Gradually increase from 10 to 25 to 50 to 100 over several weeks to safely transition to full enforcement.
