DMARC Policy Types (DMARC Policy)
The Importance of DMARC Policy
Choosing the right DMARC policy is a balance between security and operational risk. A p=reject policy provides the strongest protection against email spoofing but will also block any legitimate email that is not properly authenticated. Deploying reject without thorough preparation can cause critical business emails to disappear.
The recommended rollout path is: p=none (collect data for 2-4 weeks), analyze reports to fix authentication gaps, p=quarantine with pct=25 (test with a fraction), gradually increase pct to 100, then finally p=reject. This staged approach catches configuration problems before they affect all email.
The sp tag in DMARC controls the policy for subdomains. When sp is not set, subdomains default to the parent domain's p policy, so they are only as protected as the main domain is at that stage of the rollout. If you do not send email from subdomains, set sp=reject to prevent attackers from spoofing them.
Key Parameters
| Policy | DMARC Tag | Effect on Failing Email |
|---|---|---|
| none | p=none | No action, monitoring only |
| quarantine | p=quarantine | Delivered to spam/junk folder |
| reject | p=reject | Rejected by receiving server |
How to Test for DMARC Policy
A DNS health checker shows your DMARC policy and evaluates whether it is enforcing (quarantine or reject) or monitoring only (none). If you are still on p=none after collecting data for weeks, it may be time to move toward enforcement.
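The check described above can be sketched in a few lines. This is an added example, not part of the original page or of any particular checker: it takes the DMARC TXT record as a string (no DNS lookup is made) and reports the effective p, sp and pct values and the rollout stage. The function names and the sample records are constructed for illustration.

```python
# Added example: evaluates a DMARC TXT record string; no DNS lookup is made.
STRENGTH = {"none": 0, "quarantine": 1, "reject": 2}

def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict with lowercased tag names."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record: v=DMARC1 missing")
    return tags

def evaluate(record):
    """Return the effective policies, rollout stage and findings for a record."""
    tags = parse_dmarc(record)
    p = tags.get("p", "").lower()
    if p not in STRENGTH:
        raise ValueError("missing or invalid p tag")
    sp = tags.get("sp", p).lower()      # subdomains inherit p when sp is absent
    if sp not in STRENGTH:
        raise ValueError("invalid sp tag")
    pct = int(tags.get("pct", "100"))   # pct defaults to 100 when absent
    if not 0 <= pct <= 100:
        raise ValueError("pct must be 0-100")
    findings = []
    if p == "none":
        stage = "monitoring"
        findings.append("p=none: failing mail is delivered, reports only")
    elif pct < 100:
        stage = "partial enforcement"
        findings.append(f"pct={pct}: policy applies to only part of failing mail")
    else:
        stage = "full " + p
    if STRENGTH[sp] < STRENGTH[p]:
        findings.append(f"sp={sp} is weaker than p={p}")
    if sp != "reject":
        findings.append("subdomains not on reject; set sp=reject if they send no mail")
    return {"p": p, "sp": sp, "pct": pct, "enforcing": p != "none",
            "stage": stage, "findings": findings}

# Constructed sample records, one per stage of the rollout path.
SAMPLES = [
    "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@example.com",
    "v=DMARC1; p=reject; sp=reject",
]
STAGES = [evaluate(r)["stage"] for r in SAMPLES]
```

A record with p=reject and no sp tag produces no findings, because the subdomains inherit reject; a record with p=reject and sp=none is flagged as weaker on subdomains.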