p=reject is the DMARC notation for the Reject policy. It instructs the receiver not to deliver email that does not pass either SPF or DKIM authentication for a given domain.

At p=reject the receiving mailbox will never deliver the failing message to the end user’s email inbox. The receiver will include the results of this policy action in the DMARC reports for that domain.

Use case

Often referred to as reject mode, the p=reject policy completely eliminates failing messages from delivery to end users. It is the most secure DMARC setting, as there is no chance for an end user to discover and act on a rejected message. In most cases p=reject represents the best end state for DMARC.

We recommend against leaving production domains in p=none (also known as monitoring mode) or p=quarantine for longer than necessary to prove that a DMARC implementation is correct or rectify any problems discovered. In all but the most unusual of cases, domain owners should strive to get their DMARC implementations to p=reject as soon as is practical.