Your DMARC policy tells receiving email servers what to do when messages fail authentication. Understanding the difference between p=none, p=quarantine, and p=reject is crucial for implementing DMARC correctly.
This guide explains each policy level, when to use them, and how to safely progress to full enforcement.
The Three DMARC Policies
p=none (Monitor Only)
What it does: Emails are delivered normally regardless of authentication results.
Why use it:
- Starting point for all DMARC implementations
- Collects data without risking legitimate email
- Reveals all sources sending as your domain
- Identifies authentication issues before enforcement
Example record:
v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com
p=quarantine
What it does: Failing emails are sent to spam/junk folder instead of inbox.
Why use it:
- Provides protection while allowing recovery of false positives
- Recipients can still find legitimate emails in spam
- Good intermediate step before reject
- Satisfies many compliance requirements
Example record:
v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com
p=reject
What it does: Failing emails are blocked entirely—not delivered at all.
Why use it:
- Maximum protection against domain spoofing
- Completely prevents unauthorized emails from reaching recipients
- Ultimate goal for most organizations
- Required by some security frameworks
Example record:
v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com
Policy Comparison
| Aspect | p=none | p=quarantine | p=reject |
|---|---|---|---|
| Email delivery | Normal | To spam folder | Blocked |
| Protection level | None | Medium | Maximum |
| Risk of blocking legitimate email | None | Low (recoverable) | High if misconfigured |
| Best for | Starting out | After monitoring | Full enforcement |
| Reports generated | Yes | Yes | Yes |
The Percentage Tag (pct=)
The pct tag lets you apply policy to only a percentage of failing emails:
v=DMARC1; p=quarantine; pct=10; rua=mailto:dmarc@yourdomain.com
This applies quarantine to only 10% of failing emails—the other 90% are delivered normally (as if p=none).
Why Use pct
- Gradual rollout reduces risk
- Test enforcement on small percentage first
- Catch problems before they affect all email
Recommended Progression
-
pct=10– Test with 10% -
pct=25– Increase if no issues -
pct=50– Half of failing emails -
pct=100– Full enforcement (or remove pct, as 100 is default)
The Subdomain Policy (sp=)
The sp tag sets policy for subdomains (mail.domain.com, app.domain.com, etc.):
v=DMARC1; p=quarantine; sp=reject; rua=mailto:dmarc@yourdomain.com
Why Subdomain Policy Matters
- Attackers often target subdomains that don't send email
- You may want stricter policy on unused subdomains
- Without sp=, subdomains inherit the main domain policy
Common Strategy
Use sp=reject for subdomains that don't send email, even if your main domain is at p=quarantine.
Safe Policy Progression
Phase 1: Monitor (2-4 weeks minimum)
v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com
- Collect aggregate reports
- Identify all legitimate sending sources
- Fix SPF and DKIM issues
- Ensure all services pass authentication
Phase 2: Gradual Quarantine (2-4 weeks)
Start: v=DMARC1; p=quarantine; pct=10; rua=mailto:dmarc@yourdomain.com
- Monitor for delivery complaints
- Check reports for unexpected failures
- Gradually increase pct (10 → 25 → 50 → 100)
Phase 3: Full Quarantine (1-2 weeks)
v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com
- All failing emails go to spam
- Verify no legitimate email is affected
- Monitor reports and complaints
Phase 4: Reject (Final)
v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@yourdomain.com
- Maximum protection achieved
- Continue monitoring reports
- Update when adding new email services
What If Legitimate Email Gets Blocked?
At p=quarantine
- Emails go to spam—users can still find them
- Ask users to check spam folder
- Identify the failing service from DMARC reports
- Fix authentication before proceeding to reject
At p=reject
- Emails are blocked—no recovery
- Users won't receive them at all
- You may not know immediately
- This is why gradual progression is critical
Recovery Steps
- Temporarily lower policy (p=quarantine or p=none)
- Identify the failing service from reports
- Fix SPF/DKIM/alignment for that service
- Verify fixes in reports
- Re-increase enforcement
Common Scenarios
Just Starting Out
Use p=none with reporting. Never start with quarantine or reject.
Meeting Google/Yahoo Requirements
p=none satisfies the current minimum requirement, but stricter policies may be required in the future.
Security-Focused Organization
Progress to p=reject for maximum protection. Consider strict alignment (adkim=s; aspf=s).
Multiple Subdomains
Use sp=reject for subdomains that don't send email:
v=DMARC1; p=quarantine; sp=reject; rua=mailto:dmarc@yourdomain.com
Policy and Email Deliverability
Having a DMARC policy (even p=none) signals to receiving servers that you care about email authentication. Stronger policies can improve deliverability for legitimate email:
- p=none: Shows you're monitoring
- p=quarantine: Shows you're actively protecting
- p=reject: Shows maximum commitment to authenticity
Summary
- p=none: Start here. Monitor and collect data.
- p=quarantine: Second step. Failed emails go to spam.
- p=reject: Final goal. Failed emails are blocked.
- pct=: Gradual rollout of policy.
- sp=: Separate policy for subdomains.
Progress slowly, monitor reports, and fix issues before increasing enforcement. The goal is protection without blocking legitimate email.
For implementation details, see our DMARC setup guide and complete authentication guide.
0 comments