February 4, 2026

What DMARC Policy Should I Use?

Start with p=none to monitor authentication results without affecting delivery. After 2-4 weeks of clean reports, move to p=quarantine, then ultimately to p=reject for maximum protection. Never jump directly to p=reject without thorough testing, as this can block legitimate email from misconfigured sending sources.

DMARC offers three policies that determine what happens when email fails authentication. Choosing the right policy depends on where you are in your email authentication journey. This guide explains each policy and provides a roadmap for safe implementation.

The Three DMARC Policies

p=none (Monitor Only)

v=DMARC1; p=none; rua=mailto:[email protected]

With p=none, receivers take no action on failing emails. They deliver messages regardless of authentication results but send you reports about authentication outcomes.

Use p=none when:

Important: p=none satisfies Gmail and Yahoo's minimum DMARC requirement for bulk senders.

p=quarantine (Mark as Suspicious)

v=DMARC1; p=quarantine; rua=mailto:[email protected]

With p=quarantine, receivers treat failing emails as suspicious. Most deliver them to spam folders rather than the inbox.

Use p=quarantine when:

p=reject (Block Completely)

v=DMARC1; p=reject; rua=mailto:[email protected]

With p=reject, receivers should refuse delivery of failing emails entirely. The message never reaches the recipient.

Use p=reject when:

The Safe Path to p=reject

Rushing to p=reject without proper preparation blocks legitimate email. Follow this proven progression:

Phase 1: Monitor (2-4 weeks)

  1. Publish v=DMARC1; p=none; rua=mailto:[email protected]
  2. Collect and analyze aggregate reports
  3. Identify all sources sending email as your domain
  4. Fix SPF and DKIM for any legitimate sources that fail

Phase 2: Quarantine Gradually (2-4 weeks)

  1. Move to p=quarantine; pct=10 (affects 10% of failing mail)
  2. Monitor for delivery problems
  3. Increase pct to 25, then 50, then 100
  4. Continue monitoring reports for failures

Phase 3: Reject (ongoing)

  1. Move to p=reject; pct=10
  2. Gradually increase to pct=100
  3. Continue monitoring reports
  4. Maintain SPF/DKIM for all sending sources

The pct Tag Is Your Safety Net

The pct tag lets you apply your policy to only a percentage of failing email. Start with pct=10 and increase gradually. This limits the impact if you have overlooked a legitimate sending source.

What About Subdomains?

By default, subdomains inherit the main domain's DMARC policy. Use the sp= tag to set a different policy for subdomains:

v=DMARC1; p=reject; sp=quarantine; rua=mailto:[email protected]

This applies p=reject to the main domain but p=quarantine to all subdomains.

Alternatively, publish separate DMARC records at specific subdomains that need different treatment.
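How receivers resolve the policy from these tags, including the pct sampling described earlier, shown as an added Python example that is not part of the original article. It follows RFC 7489: a record published at the subdomain itself takes precedence, otherwise the organizational domain's sp= (or p=) applies, and failing mail outside the pct sample gets the next-weaker policy. The rua address in the sample record is a constructed placeholder.

```python
# Next-weaker policy applied to failing mail outside the pct sample (RFC 7489, 6.6.4).
WEAKER = {"reject": "quarantine", "quarantine": "none", "none": "none"}

def parse_dmarc(record):
    """Parse a DMARC TXT value into a tag dict, validating v, p, sp and pct."""
    pairs = [part.split("=", 1) for part in record.split(";") if "=" in part]
    tags = {k.strip().lower(): v.strip() for k, v in pairs}
    if not pairs or pairs[0][0].strip() != "v" or tags["v"] != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    if tags.get("p") not in WEAKER or tags.get("sp", "none") not in WEAKER:
        raise ValueError("missing or invalid p=/sp= value")
    tags["pct"] = int(tags.get("pct", "100"))
    if not 0 <= tags["pct"] <= 100:
        raise ValueError("pct must be between 0 and 100")
    return tags

def effective_policy(org_record, is_subdomain=False, own_record=None):
    """Return (policy, pct, policy_for_unsampled) for mail that fails DMARC.

    own_record is the TXT value published at _dmarc.<subdomain>, if any.
    """
    if is_subdomain and own_record:
        tags = parse_dmarc(own_record)      # the subdomain's own record wins
        policy = tags["p"]
    else:
        tags = parse_dmarc(org_record)
        # sp= applies only to subdomains; without it they inherit p=.
        policy = tags.get("sp", tags["p"]) if is_subdomain else tags["p"]
    return policy, tags["pct"], WEAKER[policy]

if __name__ == "__main__":
    # Constructed record; the rua address is a placeholder.
    org = "v=DMARC1; p=reject; sp=quarantine; pct=10; rua=mailto:dmarc-reports@example.com"
    print("main domain:", effective_policy(org))
    print("subdomain:  ", effective_policy(org, is_subdomain=True))
    print("own record: ", effective_policy(org, True, "v=DMARC1; p=none"))
```

Note the third element of the result: with p=reject; pct=10, the 90% of failing mail outside the sample is quarantined rather than delivered normally.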

Factors to Consider

Email Complexity

Organizations with many email sending sources (marketing, transactional, support, etc.) need more time in each phase to ensure everything is properly authenticated.

Spoofing Risk

High-profile brands and financial institutions face more spoofing attempts. Faster progression to p=reject provides better protection, but only after authentication is solid.

Email Forwarding

If many of your recipients forward email (common in organizations with mailing lists or forwarding addresses), p=reject may cause legitimate mail to be blocked. Monitor forwarding failures in your DMARC reports.

Common Mistakes

Jumping to p=reject

Implementing p=reject without proper testing blocks legitimate email. Always start with p=none and progress gradually.

Ignoring Reports

DMARC reports tell you what is failing. Without reviewing them, you cannot know if legitimate email is affected.

Forgetting Subdomains

Without an sp= tag or subdomain-specific records, subdomains inherit your main policy. Attackers often spoof unprotected subdomains.

Never Moving Beyond p=none

p=none provides no protection against spoofing. It only monitors. To actually protect your domain, you must eventually move to p=quarantine or p=reject.

Frequently Asked Questions

Is p=none enough for Gmail and Yahoo?

Yes, p=none satisfies the current minimum DMARC requirement for bulk senders to Gmail and Yahoo. However, providers may require stricter policies in the future, and p=none does not protect your domain from spoofing.

How long should I stay at each policy level?

Most organizations spend 2-4 weeks at p=none, 2-4 weeks at p=quarantine, then move to p=reject. Complex email environments may need longer at each stage. The key is analyzing reports and confirming all legitimate mail passes before progressing.

Can I go back to p=none after setting p=reject?

Yes, you can change your DMARC policy at any time by updating your DNS record. If you encounter problems with p=reject, you can temporarily revert to p=quarantine or p=none while you resolve the issues.
