What are the DMARC policies (p=none, p=quarantine, p=reject)?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

The DMARC policy is what you tell receiving servers to do when a message fails DMARC alignment. There are three options, and they represent increasing levels of enforcement.

p=none . Monitor mode. Failing messages are delivered normally. No mail flow is affected. The policy's value is in the reports: mailbox providers send you daily aggregate data about who's sending from your domain and whether they're passing authentication. Almost every DMARC setup should start here. It lets you see all your legitimate sending sources before you enforce anything, so you don't accidentally block your own email.

p=quarantine . Failing messages are delivered but routed to spam. This is a meaningful level of enforcement. If someone is spoofing your domain, their messages will likely end up in junk instead of the inbox. It's a useful intermediate step when you've confirmed your legitimate sending is authenticating correctly but you're not ready to reject yet.

p=reject . The full enforcement level. Messages that fail DMARC are rejected at the mail server, before they reach the inbox. This is the goal for most domains that want real spoofing protection. It's also what Google and Yahoo now require for high-volume senders (they require a published DMARC record, not necessarily reject, but reject is where you want to end up).

The recommended progression: Start at p=none with reporting configured. Read your aggregate reports. Identify all your legitimate sending sources and confirm they're authenticating with aligned DKIM or SPF. Once you're confident everything legitimate is passing, move to p=quarantine, watch for a week or two, then move to p=reject.

And don\'t skip straight to p=reject without reading reports first. The most common mistake is rejecting before you've found all your legitimate sending sources, like a marketing automation platform you forgot about or a third-party tool your team added six months ago.

Use our free DMARC generator to create your initial record, and our DMARC implementation guide walks you through the full progression.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Get a step-by-step path to p=reject for your specific domain.

I read this on the Email Almanac about DMARC policies. My current DMARC record is: paste your record or describe it. I'm at p=none / p=quarantine / p=reject. I want to [describe: understand what my reports are showing / move to a stricter policy / troubleshoot why legitimate mail is failing DMARC]. What I want to understand: [describe e.g., "what I should look for in reports before moving to quarantine" or "why some of my own messages are failing DMARC despite having authentication set up"].

Edit the yellow boxes, then send to the AI of your choice.