Your DMARC policy is your instruction to email providers like Gmail and Outlook: “Here’s what I want you to do with emails that fail verification.” You have three choices, and picking the right one — and knowing when to upgrade — is the key to protecting your domain without accidentally blocking your own emails.
p=none — Monitoring Mode (“Watch and Learn”)
What happens: Emails that fail DMARC checks are delivered normally — nothing changes for your recipients. But you start receiving daily reports showing exactly who is sending email using your domain, and whether those emails are passing or failing.
When to use:
- You’re setting up DMARC for the first time
- You’re not sure which services send email on your behalf (marketing tools, CRMs, invoicing, etc.)
- You need to see what’s happening before you start blocking anything
How long to stay here: At least 2–4 weeks. That’s enough time to see a full reporting cycle and discover all the services sending email as your domain. Think of it as an audit — you need to know who’s on the guest list before you start turning people away at the door.
v=DMARC1; p=none; rua=mailto:reports@dmarccloud.com
p=quarantine — Spam Mode (“Suspicious? Go to Junk”)
What happens: Emails that fail DMARC checks get sent to the recipient’s spam or junk folder instead of their inbox. The emails aren’t lost — they’re just flagged as suspicious.
When to use:
- Your reports show that all your legitimate email services are passing DMARC
- You’ve set up SPF and DKIM for every service that sends email as your domain
- You want protection but with a safety net — if something’s misconfigured, the email lands in spam rather than disappearing entirely
Tip — roll it out gradually:
v=DMARC1; p=quarantine; pct=10; rua=mailto:reports@dmarccloud.com
The pct=10 setting means the quarantine rule only applies to 10% of failing emails at first. Start small, watch the reports for a week, then increase to 25%, 50%, and finally 100%.
p=reject — Full Protection (“Block the Fakes”)
What happens: Emails that fail DMARC checks are blocked entirely. The recipient never sees them — not in their inbox, not in spam. They simply don’t arrive.
When to use:
- You’ve been on quarantine at 100% for a while and no legitimate emails are being affected
- You want maximum protection against people impersonating your business by email
- You’re required to for compliance (Google and Yahoo now require DMARC for bulk senders; PCI DSS 4.0 also requires it)
p=reject, emails from a misconfigured legitimate service will be silently dropped. The sender won’t get a bounce message and won’t know their email didn’t arrive. Make absolutely sure all your sending services are properly set up before turning this on.
v=DMARC1; p=reject; sp=reject; rua=mailto:reports@dmarccloud.com
The Recommended Path to Full Protection
| Step | Setting | How Long | What You’re Doing |
|---|---|---|---|
| 1. Watch | p=none |
2–4 weeks | Reviewing reports, discovering all email senders |
| 2. Fix | p=none |
1–2 weeks | Adding SPF/DKIM for all legitimate senders |
| 3. Test | p=quarantine; pct=10 |
1 week | Testing with a small percentage |
| 4. Expand | p=quarantine; pct=50 |
1 week | Increasing coverage, checking for problems |
| 5. Full quarantine | p=quarantine |
2 weeks | Confirming everything works at 100% |
| 6. Full protection | p=reject |
Ongoing | Maximum protection — fake emails are blocked ✓ |
Don’t Forget Your Subdomains (sp=)
Even if your main domain (yourdomain.com) is fully protected, attackers can still try to impersonate subdomains like billing.yourdomain.com or support.yourdomain.com. If you don’t explicitly set a subdomain policy, subdomains inherit whatever you’ve set for the main domain.
You can also set them separately — for example, protecting the main domain while keeping subdomains in monitoring mode during a migration:
v=DMARC1; p=reject; sp=none; rua=mailto:reports@dmarccloud.com
Main domain fully protected; subdomains in monitoring mode (useful while you’re still setting up subdomain senders).
Start your path to full protection
Generate a DMARC record with monitoring enabled. Free, takes 2 minutes.