DMARC policy
The DMARC policy tag tells receivers what to do with failing mail: do nothing, quarantine to spam, or reject outright. Most domains never make it past 'none'.
The DMARC policy is the p= value in your DMARC TXT record. It controls how mail receivers should treat messages that fail DMARC checks (that is, where neither SPF nor DKIM passes with alignment).
v=DMARC1; p=reject; rua=mailto:reports@example.com
The policy options are:
- p=none: log to reports, don't take action. Surveillance mode.
- p=quarantine: receivers route to spam/junk on failure.
- p=reject: receivers refuse delivery entirely.
The "policy of none" problem
The dirty secret of DMARC: most domains stop at p=none and never go further. They get the reports, the reports look noisy and confusing, deploying enforcement seems risky, and the project dies. The result is that DMARC p=none provides almost no protection against spoofing. Spoofed mail still lands in the inbox.
To get real protection you have to move from none to quarantine to reject. Each step shrinks the spoofing surface.
The recommended ramp
- Week 1. Publish p=none with rua= reports going to a parser.
- Weeks 2-4. Watch reports. Identify every legitimate sender of your domain (Mailchimp, Customer.io, your transactional ESP, your CRM, your support tool). Get SPF and DKIM passing alignment for each.
- Week 5. Move to p=quarantine; pct=10: quarantine 10% of failures.
- Week 6. p=quarantine; pct=50.
- Week 7. p=quarantine; pct=100.
- Week 8. p=reject; pct=10.
- Week 9. p=reject; pct=50.
- Week 10. p=reject; pct=100. Done.
The ramp takes 2-3 months in practice because new sender discovery keeps revealing more aligned/unaligned mail streams.
Subdomain policy: sp=
If you have subdomains that send mail differently from the parent, use sp= to set a separate policy:
v=DMARC1; p=reject; sp=quarantine; rua=...
By default subdomains inherit the parent policy.
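An added example (not part of the original page) that parses a DMARC record and reports the policy that actually applies to the parent domain or a subdomain, along with the enforcement gaps described above. The function names are illustrative, the sample records are constructed, and the pct default of 100 comes from the DMARC specification (RFC 7489).

```python
RANK = {"none": 0, "quarantine": 1, "reject": 2}  # weakest to strongest

def parse_dmarc(record):
    """Split a DMARC TXT record into an ordered tag -> value dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip().lower()] = value.strip()
    if next(iter(tags.items()), None) != ("v", "DMARC1"):
        raise ValueError("record must start with v=DMARC1")
    for tag in ("p", "sp"):
        if tag in tags:
            tags[tag] = tags[tag].lower()
    if tags.get("p") not in RANK:
        raise ValueError("missing or invalid p= tag")
    if "sp" in tags and tags["sp"] not in RANK:
        raise ValueError("invalid sp= tag")
    pct = int(tags.get("pct", "100"))  # pct defaults to 100 when absent
    if not 0 <= pct <= 100:
        raise ValueError("pct must be 0-100")
    tags["pct"] = pct
    return tags

def effective_policy(record, is_subdomain=False):
    """Return (policy, pct) applied to mail that fails DMARC."""
    tags = parse_dmarc(record)
    # Subdomains inherit p= unless sp= sets a separate policy.
    policy = tags["sp"] if is_subdomain and "sp" in tags else tags["p"]
    return policy, tags["pct"]

def findings(record):
    """List the enforcement gaps this page warns about."""
    tags = parse_dmarc(record)
    out = []
    if tags["p"] == "none":
        out.append("p=none: monitoring only, spoofed mail still lands in the inbox")
    elif tags["pct"] < 100:
        out.append(f"pct={tags['pct']}: policy applies to only part of failing mail")
    if "sp" in tags and RANK[tags["sp"]] < RANK[tags["p"]]:
        out.append(f"sp={tags['sp']}: subdomains are weaker than the parent")
    if "rua" not in tags:
        out.append("no rua=: no aggregate reports to find legitimate senders")
    return out

if __name__ == "__main__":
    # Constructed sample records, modelled on the ones in the text.
    for rec in ("v=DMARC1; p=none",
                "v=DMARC1; p=quarantine; pct=10; rua=mailto:reports@example.com",
                "v=DMARC1; p=reject; sp=quarantine; rua=mailto:reports@example.com"):
        print(rec, "->", effective_policy(rec, is_subdomain=True), findings(rec))
```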
When p=reject is mandatory
- BIMI requires p=quarantine or p=reject (not none).
- Gmail and Yahoo's bulk-sender rules (effective Feb 2024) require p=quarantine or p=reject if you send more than 5,000 messages/day to their users.
- Brand protection in regulated industries usually demands p=reject.