Reject (DMARC)
A DMARC reject policy (p=reject) blocks unauthenticated emails. Learn how it works, when to use it, and how DMARCeye helps domains reach full enforcement.
What Is a Reject Policy in DMARC?
A Reject Policy in DMARC tells receiving mail servers to block any message that fails DMARC authentication. It is the most stringent enforcement level and is defined by the tag p=reject in a DMARC DNS record.
When a domain uses a reject policy, emails that fail SPF and DKIM alignment are rejected outright at the mail gateway and never reach the recipient’s inbox or spam folder.
How Does a Reject Policy Work?
A DMARC record includes a policy (p=) tag that instructs mail servers on how to handle messages that fail authentication. The three options are none, quarantine, and reject.
Here’s an example of a DMARC record using a reject policy:
v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; ruf=mailto:forensics@example.com
When a message fails both SPF and DKIM alignment under this configuration, the receiving server will refuse delivery. The sender receives a bounce message (SMTP 550 status), indicating that the email was not accepted due to failed authentication.
This strict enforcement prevents unauthorized parties from using your domain to send fraudulent or spoofed emails.
Benefits and Considerations of Using Reject
Enabling a reject policy provides the strongest possible protection against domain spoofing and phishing attacks. It ensures that only properly authenticated messages are accepted under your domain name, strengthening both security and brand reputation.
However, before moving to a reject policy, an organization should first:
- Deploy SPF and DKIM for all legitimate sending services.
- Use p=none and p=quarantine for monitoring and testing.
- Review DMARC aggregate reports to confirm that all authorized senders pass authentication.
Moving to p=reject too early can cause legitimate mail to be blocked if it’s not properly aligned.
Reject Policy and DMARCeye
DMARCeye helps organizations transition safely to a reject policy by providing clear visibility into authentication performance.
Through its reporting dashboard, DMARCeye shows which senders are failing DMARC checks and whether your legitimate mail streams are ready for full enforcement. When your data confirms stable authentication, DMARCeye guides you toward implementing a reject policy confidently, closing the door to spoofing and unauthorized use of your domain.
Sign up for a free trial of DMARCeye today and secure your email domain.
To learn more about DMARC and DMARC-related terms, explore the DMARCeye Glossary.