
What is DMARC Policy? : None, Quarantine & Reject

A DMARC policy lets a domain owner specify what receivers should do (quarantine or reject) with an email that fails DMARC authentication, that is, one that fails to produce an aligned SPF or DKIM pass. The DMARC DNS record also specifies how the recipient can report back to the domain owner when an email fails authentication.

DMARC Policy Modes: None, Quarantine & Reject


A DMARC policy can be set to none, quarantine, or reject, depending on the level of DMARC enforcement you want to opt for. Here, p is the parameter that specifies the DMARC policy. If a record is otherwise valid but has no p tag, receivers treat it as p=none.

A none policy (p=none) is relaxed and provides zero enforcement, as every email received by the recipient's email server lands in their inbox, whether or not it fails authentication.

The quarantine policy (p=quarantine) provides enforcement: the domain owner prompts the receiver to route messages that fail DMARC authentication into the spam folder.

Finally, the reject policy (p=reject) ensures that all emails failing authentication are not delivered to the receiver's inbox, providing the strictest enforcement.

Which DMARC policy should you use and why?

The DMARC policy you use depends on the level of enforcement you desire and the purpose your policy will serve. It is worth noting that RFC 9989 updated the guidance here. After more than a decade of deployment, the spec recognises that indirect mail flows such as mailing lists and forwarding routinely break SPF and DKIM alignment, so it no longer treats p=reject as the universal end goal for every domain. Here are a few ways you can leverage your DMARC policy:

To monitor your email channels

If you simply want to monitor your email channels, a DMARC policy at p=none is enough. This policy will not, however, protect you against cyberattacks.

To protect against phishing and spoofing attacks

If you want to protect your emails against phishing and direct-domain spoofing, you need an enforced policy. For transactional or marketing domains that never have humans posting from them (for example, notification or receipt senders), p=reject provides the highest level of enforcement and effectively minimises impersonation attacks. For domains that host employee or customer mailboxes, where a person might post to an external mailing list, RFC 9989 recommends p=quarantine as the end state rather than p=reject, to avoid breaking legitimate indirect mail.

To review suspicious emails before they are delivered

If you don't want to outright block unauthorized emails, but instead allow your receivers to review failing emails in their quarantine folder, a DMARC quarantine policy is your best bet.

Which DMARC policy prevents spoofing?

Both quarantine and reject provide enforcement against direct-domain spoofing, since both keep unauthenticated mail out of the inbox. A reject policy is the strictest, blocking unauthorized emails from reaching the receiver's inbox entirely, so the recipient never accepts, opens, or reads them. Quarantine is the spec's recommended end state for domains with human mailboxes, as it provides strong protection while leaving room to catch legitimate mail broken by forwarding.

Common errors with DMARC policies & how to fix them

Syntax Errors

You should be wary of any syntax errors while setting up your record to make sure the protocol functions correctly.

Configuration Errors

Errors while configuring the DMARC policy are common and can be avoided by using a DMARC lookup tool.

Subdomain policies (sp and np)

If you configure a DMARC reject policy on your organizational domain but set your subdomain policy (sp) to none, you will not achieve enforcement on mail from your existing subdomains. RFC 9989 also added the np tag, which sets the policy for non-existent subdomains. For subdomains that never send mail, applying sp=reject and np=reject on the parent domain closes a common subdomain spoofing gap.
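
The fallback rules described above (a missing p tag treated as p=none, and the sp and np subdomain tags) can be checked with a short script. This is an added Python example, not part of the original course; it assumes the usual DMARC inheritance (sp falls back to p, np falls back to sp), and the function names and sample records are constructed for illustration.

```python
VALID = {"none", "quarantine", "reject"}

def parse_dmarc(record):
    """Split a DMARC TXT record into tag/value pairs; v=DMARC1 must come first."""
    pairs = []
    for part in record.split(";"):
        if not part.strip():
            continue  # tolerate a trailing ';'
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag (no '='): {part.strip()!r}")
        pairs.append((name.strip().lower(), value.strip()))
    if not pairs or pairs[0] != ("v", "DMARC1"):
        raise ValueError("record must start with v=DMARC1")
    return dict(pairs)

def effective_policies(record):
    """Resolve the policy applied to each scope, following the fallback chain."""
    tags = parse_dmarc(record)
    for tag in ("p", "sp", "np"):
        if tag in tags and tags[tag].lower() not in VALID:
            raise ValueError(f"invalid {tag} value: {tags[tag]!r}")
    p = tags.get("p", "none").lower()   # no p tag: treated as p=none (per the text)
    sp = tags.get("sp", p).lower()      # assumption: sp inherits p when absent
    np = tags.get("np", sp).lower()     # assumption: np inherits sp, then p
    return {"domain": p, "subdomain": sp, "nonexistent_subdomain": np}

def enforcement_gaps(record):
    """List the scopes where failing mail is still delivered (policy none)."""
    return [s for s, pol in effective_policies(record).items() if pol == "none"]

# Constructed sample records; example.com is a placeholder domain.
SAMPLES = [
    "v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@example.com",
    "v=DMARC1; p=reject; sp=reject; np=reject",
    "v=DMARC1; rua=mailto:dmarc@example.com",
]

if __name__ == "__main__":
    for rec in SAMPLES:
        print(rec, "->", effective_policies(rec), "gaps:", enforcement_gaps(rec))
```
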

The journey from DMARC None to DMARC Reject

To shift to an enforced DMARC policy, you need to make sure of the following:

  • That your record is valid and properly set up
  • That you are not facing deliverability issues on legitimate emails

Keep in mind that for many domains, enforcement may mean reaching p=quarantine rather than p=reject, depending on whether the domain carries indirect mail flows.

Why do you need a DMARC Policy?

A DMARC policy can protect against a wide range of email-based attacks at your organization. Email is the easiest way to use your brand for fraud. By using your domain and impersonating your brand, attackers can send malicious phishing emails to your own employees and customers. Not only does this compromise security in your organization, it can seriously harm your brand reputation.

An enforced DMARC policy at an organization helps:

  • Protect the brand image and reputation
  • Prevent the loss of confidential data
  • Prevent financial losses
  • Enhance email deliverability rate
  • Enhance the brand's reliability among its partners and customer base
  • Avoid legal risks