Home/ Glossary/ DMARC Reject Policy

DMARC Reject Policy (DMARC Reject)

Security Glossary - Email Authentication

Definition: The DMARC reject policy (p=reject) instructs receiving mail servers to refuse delivery of emails that fail DMARC authentication. Rejected emails are not delivered to the inbox, spam folder, or anywhere else. This is the strongest DMARC policy and provides the most effective protection against email spoofing.

Why You Should Care About DMARC Reject

A DMARC reject policy is the gold standard for email domain protection. It tells every receiving server to block emails that fail authentication, effectively preventing anyone from successfully impersonating your domain via email. Major email providers enforce reject policies reliably.

The path to p=reject requires thorough preparation. Every legitimate email source must be properly authenticated with SPF and DKIM, and alignment must be verified. Moving to reject without this preparation will cause legitimate email to be silently dropped - the sender receives a bounce, but the intended recipient never knows the email existed.

Once deployed, p=reject also enables BIMI (displaying your brand logo in email clients) and significantly improves your domain's sender reputation. Email providers trust domains with DMARC enforcement more than those without, which can improve overall deliverability of your legitimate email.

Checking Your Setup

A DNS health checker shows your DMARC policy. Reaching p=reject is the goal of the DMARC deployment process: start with p=none, move to p=quarantine with gradual pct increase, and finally set p=reject once all legitimate email passes authentication.

See how your site handles DMARC Reject

Check DNS Health

Questions and Answers

What percentage of domains use p=reject?
Adoption varies by industry. Among major companies and government agencies, p=reject adoption is growing. However, many smaller domains still use p=none. Major email providers like Google require bulk senders to have at least p=quarantine.
Can I use p=reject with mailing lists?
Mailing lists can cause DMARC failures because they modify messages and forward from different IPs. ARC (Authenticated Received Chain) helps preserve authentication through mailing lists. Most modern mailing list software and major email providers handle ARC, making p=reject compatible.

Learn More

Domain-based Message Authentication, Reporting and Conformance DMARC Policy Types DMARC Quarantine Policy Brand Indicators for Message Identification Email Spoofing
Disclaimer: DomainOptic provides automated informational scans only. Results do not constitute professional security advice, compliance certification, or a guarantee of security. Always verify findings independently.