DMARC p=none, quarantine, and reject Explained
Compare DMARC monitoring and enforcement policies, understand pct and subdomain behavior, and move toward reject without blocking legitimate mail.
The DMARC p tag tells receivers what to do when a message fails aligned SPF and aligned DKIM. p=none requests reporting only, p=quarantine asks receivers to treat failing mail as suspicious, and p=reject asks them not to accept it. Enforcement is strongest at reject, but should follow sender discovery and alignment work.
The three policies
p=none: collect aggregate reports and observe. It does not tell receivers to block spoofed mail.p=quarantine: request spam-folder or equivalent handling for failures.p=reject: request rejection during SMTP or otherwise prevent delivery.
A starting record might be:
v=DMARC1; p=none; rua=mailto:[email protected]
After reports show every legitimate platform passing aligned SPF or DKIM, move through enforcement:
v=DMARC1; p=quarantine; pct=25; rua=mailto:[email protected]
Then raise pct and finally use p=reject. The sp tag sets a separate subdomain policy; without it, subdomains inherit the organizational-domain policy. adkim=s and aspf=s require strict identifier alignment, while the default relaxed mode allows aligned subdomains.
Avoid the common rollout failure
DMARC passes when either DKIM or SPF passes and aligns with the visible From domain. A platform can report “SPF pass” using its own bounce domain and still fail DMARC alignment. Confirm using aggregate reports and representative messages rather than a vendor dashboard alone.
Keep the reporting mailbox working, watch for new legitimate sources, and treat an unexpected downgrade from reject to none as important configuration drift.
Reference
RFC 7489 defines the policy tags, identifier alignment, aggregate reporting, and receiver behavior. Receiver implementations retain discretion, so DMARC expresses a requested policy rather than an absolute delivery guarantee.
Run the checker below to read the published policy and identify missing or non-enforcing settings.
Check a domain for free
Audit email authentication, TLS, HSTS, and security headers. No signup required.
Checking the domain's records…