Not quite sure what DMARC policy options actually do? You’re not alone. Most companies set up DMARC but miss the most important part: DMARC enforcement.
We see this all the time. You’ve got a DMARC record publishing proudly on your domain, but it’s sitting at p=none, which is the equivalent of hiring a security guard who just writes down names of trespassers without actually stopping them.
TL;DR: DMARC policy options give you three choices:
- Do nothing (p=none)
- Send suspicious emails to spam (p=quarantine)
- Block them completely (p=reject)
However, only the last two actually give you DMARC enforcement.
Without enforcement, you’re just collecting data while watching impersonators use your domain freely. That fancy DMARC setup is basically worthless if you don’t take it all the way.
Below, we’ll walk you through all your DMARC policy options and show you exactly how to achieve DMARC enforcement.
What is a DMARC policy?
Most DMARC policy guides skip the most important part: enforcement. They’ll walk you through setting up DMARC but leave you hanging right before the finish line.
DMARC (Domain-based Message Authentication, Reporting, and Conformance) isn’t just about monitoring email traffic. Its real power lies in the policy options that let you control what happens to messages that fail authentication.
When you implement DMARC with enforcement, you’re taking control. You can tell email providers to either quarantine suspicious messages (send them straight to spam) or reject them entirely. This is how you actually stop impersonators from using your domain.
Without enforcement, you’re just a spectator. Sure, you’ll get reports showing who’s spoofing your domain, but you’re basically watching cybercriminals use your identity while doing nothing to stop them.
What are the DMARC policy options?
Unlike SPF or DKIM, which leave it up to the receivers (mail gateways and servers) to decide how to handle authentication failures, DMARC actually lets the domain owners specify what they want to happen.
In the simplest configurations, the DMARC policy is spelled out with the “p” parameter, for which there are three options:
- p=none — No enforcement; mail that fails authentication is delivered normally.
- p=quarantine — Messages that fail authentication should be quarantined. Usually, this means that the messages are delivered to a user’s spam folder.
- p=reject — Messages that fail authentication should be discarded, not delivered at all. Some receivers honor this request, while others just mark failing messages as spam.
Note that p=none, or “monitor mode,” provides no enforcement. Fraudulent messages using your domain will still be delivered. This setting is intended as a “test” mode so that domain owners can troubleshoot their authentication settings without the risk of legitimate messages getting blocked.
In p=none mode, domain owners can use the reports sent by mail gateways to examine what messages are being blocked and which IP addresses are sending those messages. (turning DMARC reports into actionable insights is a challenge all its own).
Armed with that information, the domain owner can then make changes to their SPF and/or DKIM settings and potentially to the domain(s) being used by the messages, to ensure that legitimate messages authenticate.
How to choose the right DMARC enforcement policy
Choosing the right DMARC policy depends on your domain’s email ecosystem and your readiness to enforce email authentication.
Here’s how to decide:
| Policy | Best for | What it does | Risk level | Enforcement? |
|---|---|---|---|---|
| p=none | Monitoring only | Gathers DMARC reports, takes no action | High (no protection) | No |
| p=quarantine | Mid-stage enforcement | Sends suspicious mail to spam | Medium | Yes |
| p=reject | Full enforcement | Blocks unauthorized messages | Low | Yes |
Pro tip: Use p=none to identify legit senders, then move to p=quarantine and finally p=reject once you’ve aligned SPF and DKIM across your ecosystem.
Check your DMARC policy here for free with Valimail’s DMARC checker:
Check your
domain now
Enter your domain to see if it’s vulnerable to spoofing or if others are sending emails on your behalf. Instantly check your DMARC, SPF, and BIMI status with a detailed security report.
You’re not fully protected, learn more here.
Check your
domain now
Enter your domain to see if it’s vulnerable to spoofing or if others are sending emails on your behalf. Instantly check your DMARC, SPF, and BIMI status with a detailed security report.
You’re not fully protected, learn more here.
Check your
domain now
Enter your domain to see if it’s vulnerable to spoofing or if others are sending emails on your behalf. Instantly check your DMARC, SPF, and BIMI status with a detailed security report.
You’re not fully protected, learn more here.
Your Domain
Not protected AGAINST IMPERSONATION ATTACKS
DMARC NOT AT ENFORCEMENT
exampledomain1.com
Authentication Status for January 10, 2025
DMARC at Enforcement
SPF Record Configured
BIMI Ready
exampledomain1.com
Authentication Status for January 10, 2025
DMARC at Enforcement
SPF Record Configured
BIMI Ready
DMARC policy examples and configuration tips
Here are examples of real-world DMARC policy configurations:
Basic monitoring-only DMARC policy
Use this when you’re just starting with DMARC and want to observe without affecting mail flow.
v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com- What it does: Allows all messages, even unauthenticated ones, to be delivered.
- Use case: Ideal for collecting DMARC reports and identifying legitimate sources that may need SPF/DKIM alignment before enforcing.
- Limitation: Offers no protection—phishing and spoofing can still occur freely.
Quarantine suspicious messages
This is an intermediate policy level that tells receivers to be cautious with unauthenticated emails.
v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.com- What it does: Suggests that email providers place failed messages in the recipient’s spam/junk folder.
- Use case: Good transition phase while moving toward full enforcement.
- Caution: Some legitimate emails may end up in spam if alignment isn’t fully configured.
Full enforcement, reject all unauthorized mail
This is the strongest level of protection, telling mail servers to block all unauthenticated messages.
v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com- What it does: Instructs receivers to reject messages that fail DMARC checks.
- Use case: Best for mature configurations where all sending services are properly authenticated.
- Benefit: Offers maximum protection against domain spoofing and impersonation.
Why DMARC enforcement matters
If your goal is to stop phishing and impersonation attacks, you need to get to enforcement, not remain at p=none indefinitely. A setting of p=none generates a lot of potentially useful raw data. But it’s only with a policy of quarantine or reject that you will begin to see the anti-impersonation and anti-phishing benefits of DMARC.
At enforcement—p=quarantine or p=reject—the only mail using your domain that gets through is the mail you have authorized. Everything else is sent to spam or deleted without being delivered.
DMARC at enforcement can help with deliverability. ISPs that make delivery decisions based on the sending domain’s reputation will consider your DMARC status. We’ve seen customers whose marketing campaigns’ delivery rates increased by as much as 5 to 10 percent when they moved to an enforcement policy.
Unfortunately, most companies that attempt DMARC don’t actually get to enforcement. In our research, Valimail has found that an average of 75 to 80 percent of domains that have published a DMARC record are unable to get to enforcement. That means they either had configuration errors or, more commonly, had simply gotten stuck at p=none—often for months or even years.
Staying in monitor mode, at a DMARC policy of p=none, provides the same protection as if you had no DMARC record.
Getting to enforcement is where the real benefits of email authentication kick in. Without it, you’re just collecting more data.
Start monitoring your DMARC policy for free
Not sure if your domain is protected, or if you’re stuck at p=none? You’re not alone. Most organizations never make it past monitoring mode, leaving themselves vulnerable to phishing and domain spoofing attacks.
Valimail Monitor gives you instant free visibility into your domain’s DMARC configuration and email-sending sources. In just a few minutes, you can see who’s sending on your behalf, identify unauthorized activity, and get clear next steps to move toward full DMARC enforcement.
No complicated setup. No commitment. Just the insight you need to start securing your domain with confidence.
Why should you use Valimail Monitor? We have a few reasons:
- Trusted by 80,000+ domains: Valimail is the leader in DMARC visibility and enforcement. Monitor is our foundational tool—and it’s always free.
- Track all your sending sources in one place: Get daily DMARC reports translated into human-readable dashboards, so you can quickly spot issues and take action.
- Use for free with no trials or credit cards: We believe that visibility should always be free, so you can use Monitor as long as you need to without worrying about your trial running out or paying for anything.
DMARC policies FAQs
What does “DMARC policy p=none” mean?
A DMARC policy of p=none means you’re not taking any enforcement action. You’re only monitoring failures.
Is “p=none” safe to leave on long term?
No, Valimail recommends getting to a stronger DMARC policy of quarantine or reject. p=none offers no protection against phishing. It’s only useful as a temporary step while collecting data.
Should I use p=quarantine or p=reject?
Use p=quarantine as a transitional phase. Once you’ve verified all legit sources are aligned, move to p=reject for full protection.
Can DMARC improve email deliverability?
Yes. Mailbox providers reward authenticated domains. Enforcing DMARC can improve deliverability by building domain trust.
