What is DMARC p= (Policy)?
The DMARC p= tag defines the enforcement policy that receiving mail servers should apply when messages fail DMARC authentication. It specifies whether unauthenticated emails should be delivered, quarantined, or rejected. This tag is the backbone of DMARC enforcement, guiding how recipients handle potentially spoofed or fraudulent messages that do not align with SPF and DKIM checks.
The policy is defined within the domain’s DMARC TXT record in DNS. Typical DMARC policies include “none,” “quarantine,” and “reject.” Each represents a progressively stricter level of protection, allowing organizations to build trust and confidence before moving to full enforcement.
Example DMARC record:
v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.comIn this example, the p=quarantine directive tells receiving mail servers to send failing messages to the spam or junk folder instead of rejecting them outright.
DMARC policy options include:
Organizations typically start with p=none while collecting and analyzing aggregate reports. Once all legitimate sending sources are properly authenticated, they progress to quarantine and eventually reject for full protection against domain spoofing.
Best practices include:
DMARCeye provides visibility into how your chosen p= policy impacts real-world mail flow. Its reporting dashboards reveal how many messages pass or fail authentication, where failures occur, and what impact quarantine or rejection has on legitimate mail.
By correlating policy results with authentication data, DMARCeye helps organizations confidently advance from monitoring to full enforcement, protecting their domains from abuse while maintaining deliverability.
Sign up for a free trial of DMARCeye today and secure your email domain.
To learn more about DMARC and DMARC-related terms, explore the DMARCeye Glossary.