Understanding DMARC Policies

DMARC (Domain-based Message Authentication, Reporting, and Conformance) is an email authentication protocol that protects your domain from email spoofing, phishing, and other cyber threats. It extends SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) by allowing domain owners to specify how unauthenticated emails should be managed. DMARC policies are configured in your DNS record using the p tag, with three main options: p=none, p=quarantine, and p=reject.

Understanding DMARC Policies: p=none, p=quarantine, p=reject

What is DMARC?

DMARC (Domain-based Message Authentication, Reporting, and Conformance) is an email authentication protocol that helps protect your domain from being used in email spoofing, phishing scams, and other cybercrimes. DMARC builds on SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) to provide domain owners with a way to specify how unauthenticated emails should be handled.

DMARC Policy Options

The DMARC policy is defined in your DNS record using the p tag. There are three main policy options:

1. p=none

  • What it means:
    The p=none policy tells receiving mail servers to take no action on emails that fail DMARC checks. Instead, it only requests reports about these failures.

  • Use case:
    This is typically used during the initial DMARC deployment phase. It allows you to monitor email flows and identify legitimate sources that may need SPF/DKIM alignment, without impacting email delivery.

  • Effect on email:

    • No emails are blocked or quarantined, regardless of authentication results.

2. p=quarantine

  • What it means:
    The p=quarantine policy instructs receiving servers to treat emails that fail DMARC checks as suspicious. These emails are usually delivered to the recipient’s spam or junk folder.

  • Use case:
    Use this policy after you’ve reviewed DMARC reports and are confident that most legitimate sources are properly authenticated. It provides a moderate level of protection while still allowing potentially legitimate emails to reach users (albeit in spam).

  • Effect on email:

    • Failing emails are likely to be delivered to spam/junk folders.

3. p=reject

  • What it means:
    The p=reject policy tells receiving servers to outright reject emails that fail DMARC checks. These emails are not delivered to the recipient at all.

  • Use case:
    This is the most secure policy and should be used when you are confident that all legitimate email sources are DMARC-compliant. It provides maximum protection against spoofing.

  • Effect on email:

    • Failing emails are rejected and not delivered.

Transitioning Between DMARC Policies

  1. Start with p=none:
    Deploy DMARC with p=none to collect data and understand your email ecosystem. Review DMARC reports to identify all legitimate senders.

  2. Move to p=quarantine:
    Once you’ve addressed any authentication issues, change the policy to p=quarantine. Monitor for any legitimate emails being sent to spam and adjust SPF/DKIM as needed.

  3. Enforce with p=reject:
    After confirming that all legitimate sources are properly authenticated and no valid emails are being quarantined, switch to p=reject for maximum protection.

Summary Table

| Policy | Action on Failing Emails | Recommended Use Case |
|---|---|---|
| p=none | No action (monitor only) | Initial deployment, monitoring |
| p=quarantine | Mark as spam/junk | Intermediate, moderate protection |
| p=reject | Reject (not delivered) | Full enforcement, maximum protection |

Best Practices

  • Always monitor DMARC reports at each stage.

  • Gradually increase enforcement to avoid disrupting legitimate email.

  • Regularly review and update your SPF/DKIM records as your email ecosystem changes.