DMARC p=none vs p=quarantine vs p=reject: what to use and when

The article explains the three DMARC policy options (p=none, p=quarantine, and p=reject) that control how receiving servers handle emails failing authentication from a domain. It recommends starting with p=none for monitoring, then progressing to p=reject once legitimate traffic is confirmed, as skipping directly to p=reject can accidentally block valid emails. The piece also notes that p=reject is the most secure option, used by major domains like Google and Microsoft to prevent spoofing.

If you have set up DMARC on your domain, you have probably seen the p= tag and wondered what each value actually does. The difference matters a lot. The wrong policy can mean your legitimate emails get rejected, or that spoofed emails from your domain land in inboxes without any consequence. Here is what each policy does and how to decide which one to use. DMARC tells receiving mail servers what to do when an email claiming to be from your domain fails authentication. An email fails DMARC when it fails both SPF and DKIM alignment checks. The p= tag sets the policy for those failures. v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com This is the monitoring policy. When a message fails DMARC, nothing happens to it — it gets delivered normally. But you receive aggregate reports via rua= showing you who is sending email from your domain and what is passing or failing. Use p=none when: p=none does not protect your domain from spoofing. Anyone can spoof your domain and the email will be delivered. The only benefit is visibility. v=DMARC1; p=reject; rua=mailto: Emails that fail DMARC are rejected outright. They do not arrive. The sending server gets a bounce. Use p=reject when: p=reject is the goal. It is what Google, Microsoft, and most large domains use. It is what blocks phishers from impersonating your brand. The standard path is: p=none and add an rua= address to receive reportsp=quarantine once you are confident in your legitimate trafficp=reject once you see no failures from legitimate sendersSkipping straight to p=reject without monitoring first is how organizations accidentally block their own transactional email. You can look up your current DMARC record and see exactly what policy you are running with InboxGreen's free DMARC checker. It will also flag any syntax issues and show you whether SPF and DKIM are passing alongside it. No login required.