What is a P= Policy (DMARC)?
The p= policy tag in a DMARC record instructs receiving mail servers how to handle messages that fail authentication. It defines the domain owner’s chosen response to unauthenticated email and serves as the core directive for DMARC enforcement. The policy can be set to none, quarantine, or reject, each representing a progressively stronger level of protection.
By publishing a p= policy in DNS, organizations communicate to mailbox providers whether messages that fail both SPF and DKIM alignment should be monitored, flagged, or rejected outright. This decision affects how recipients treat spoofed or unauthenticated emails that appear to come from the domain.
An example DMARC record with a reject policy:
v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.comDMARC policy options:
Organizations often start with p=none to gather aggregate reports before moving to stronger enforcement levels. This staged approach ensures legitimate senders are properly configured before full rejection is enabled.
The choice of DMARC policy depends on authentication maturity and domain risk tolerance. Best practices include:
p=none and analyze reports for several weeksp=quarantine once legitimate sources pass authenticationp=reject for complete domain protectionDMARCeye provides visibility into the real-world impact of your DMARC p= policy. It monitors pass and fail outcomes across mail streams, helping identify sources that would be quarantined or rejected. This allows administrators to fine-tune policies with confidence and gradually move toward full enforcement without disrupting legitimate communication.
Sign up for a free trial of DMARCeye today and secure your email domain.
To learn more about DMARC and DMARC-related terms, explore the DMARCeye Glossary.