Understanding DMARC Policies
A DMARC policy tells receiving mail servers what to do with emails that fail SPF and DKIM authentication. Choosing the right policy is crucial for balancing email security with deliverability. Your DMARC policy is set using the p= tag in your DMARC DNS record.
The Three DMARC Policy Levels
Policy: None (p=none)
The monitoring-only policy. Emails that fail authentication are delivered normally.
Use when:
- First implementing DMARC on your domain
- Gathering data about your email ecosystem
- You don't yet know all your legitimate sending sources
Benefits:
- No risk of blocking legitimate email
- Provides visibility through aggregate reports
- Safe starting point for any organization
Limitations:
- Provides no protection against email spoofing
- Bad actors can still impersonate your domain
Policy: Quarantine (p=quarantine)
A moderate enforcement policy. Emails that fail authentication are marked as suspicious.
What happens:
- Emails typically go to the recipient's spam/junk folder
- Some email clients may show a warning to the recipient
- Emails aren't outright blocked — they're still accessible if needed
Use when:
- You've identified most legitimate sending sources
- You're ready to add protection but want a safety net
- Transitioning toward full DMARC enforcement
Policy: Reject (p=reject)
The strongest DMARC policy. Emails that fail authentication are blocked entirely.
What happens:
- Failing emails are rejected by receiving servers
- They won't reach the inbox or spam folder
- Senders may receive bounce notifications
Use when:
- All legitimate sources are identified and authenticated
- You're confident in your SPF and DKIM configuration
- Maximum protection against spoofing is required
Risks:
- Legitimate emails can be blocked if SPF or DKIM is misconfigured
- Harder to recover from mistakes — blocked email is gone
DMARC Record Components
A complete DMARC record includes several tags:
v=DMARC1; p=quarantine; sp=none; pct=100; rua=mailto:dmarc@example.com; ruf=mailto:forensics@example.com; adkim=r; aspf=r
Policy Tags
| Tag | Purpose | Values |
|---|---|---|
| p= | Policy for your domain | none, quarantine, reject |
| sp= | Policy for subdomains | none, quarantine, reject |
| pct= | Percentage of mail to apply policy | 1–100 |
Reporting Tags
| Tag | Purpose |
|---|---|
| rua= | Where to send aggregate reports |
| ruf= | Where to send forensic (failure) reports |
Alignment Tags
| Tag | Purpose | Values |
|---|---|---|
| adkim= | DKIM alignment mode | s (strict), r (relaxed) |
| aspf= | SPF alignment mode | s (strict), r (relaxed) |
Using the Percentage Tag (pct) for Gradual Rollout
The pct tag lets you gradually roll out a stricter policy:
- pct=10 — Apply policy to 10% of failing emails
- pct=50 — Apply policy to 50% of failing emails
- pct=100 — Apply policy to all failing emails (default)
This is invaluable for:
- Testing stricter policies safely before full enforcement
- Catching misconfiguration issues with limited impact
- Building confidence before committing to reject
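To make the record components and the pct rollout concrete, here is an added example (not code from the original page) that parses a DMARC TXT record into its tags, applies the RFC 7489 defaults, and works out the disposition a receiver would give a message from its SPF/DKIM results and alignment modes. The function names, the `sample` draw used to model pct, and the two-label organizational-domain shortcut (a stand-in for a Public Suffix List lookup) are this example's own simplifications.

```python
import re

VALID_POLICIES = {"none", "quarantine", "reject"}

def parse_dmarc(record):
    """Parse a DMARC TXT record into a tag dict, applying RFC 7489 defaults."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        name, value = part.split("=", 1)
        tags[name.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("record must begin with v=DMARC1")
    if tags.get("p") not in VALID_POLICIES:
        raise ValueError("p= is required: none, quarantine or reject")
    tags.setdefault("sp", tags["p"])  # subdomains inherit p= unless sp= is set
    tags.setdefault("pct", "100")
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    if not re.fullmatch(r"100|[1-9]?[0-9]", tags["pct"]):
        raise ValueError(f"pct must be 0-100, got {tags['pct']!r}")
    return tags

def org_domain(domain):
    """Simplification: the last two labels stand in for a Public Suffix List lookup."""
    return ".".join(domain.lower().split(".")[-2:])

def aligned(header_from, auth_domain, mode):
    """Strict (s) needs an exact match; relaxed (r) accepts the same organizational domain."""
    if mode == "s":
        return header_from.lower() == auth_domain.lower()
    return org_domain(header_from) == org_domain(auth_domain)

def disposition(tags, header_from, spf_domain, spf_pass, dkim_domain, dkim_pass,
                is_subdomain=False, sample=0):
    """Return 'pass' or the policy a receiver applies; sample models the receiver's
    random draw in [0, 100), so draws >= pct fall outside the enforced fraction."""
    spf_ok = spf_pass and aligned(header_from, spf_domain, tags["aspf"])
    dkim_ok = dkim_pass and aligned(header_from, dkim_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass"
    policy = tags["sp"] if is_subdomain else tags["p"]
    if sample >= int(tags["pct"]):
        # outside the pct sample, RFC 7489 steps the policy down one level
        policy = {"reject": "quarantine", "quarantine": "none"}.get(policy, "none")
    return policy
```

Note that a failing message outside the pct sample is not simply delivered: per RFC 7489 a p=reject record behaves as quarantine for that message and p=quarantine as none, which is why the Phase 2 and 3 records above degrade gracefully during rollout.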
Recommended DMARC Enforcement Journey
Phase 1: Monitor
v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com
Duration: 2–4 weeks minimum. Collect reports and identify all legitimate senders.
Phase 2: Quarantine (Gradual)
v=DMARC1; p=quarantine; pct=10; rua=mailto:dmarc-reports@example.com
Increase pct gradually: 10% → 25% → 50% → 100%
Phase 3: Reject (Gradual)
v=DMARC1; p=reject; pct=10; rua=mailto:dmarc-reports@example.com
Increase pct gradually: 10% → 25% → 50% → 100%
Phase 4: Full Protection
v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com
When to Advance Your DMARC Policy
You're ready to move to a stricter policy when:
- Compliance rates are consistently high (95%+)
- All legitimate sending sources are identified and authenticated
- SPF and DKIM are passing consistently over time
- No unexpected sending patterns appear in your reports
Next Steps
- Understand alignment modes and how they affect policy enforcement
- Learn the basics of SPF and DKIM
- Check your current DMARC policy with our free DMARC Checker