Your DMARC policy should be set to reject as the long-term goal, but most senders should work up to it gradually. The right policy at any given moment depends on how confident you are that your legitimate email streams are properly authenticated. Starting too strict can accidentally block real mail, while staying too lenient leaves your domain exposed to spoofing and phishing attacks. This article walks through each policy option, when to use it, and what the major mailbox providers actually require.
What are the three DMARC policy options?
The three DMARC policy options are none, quarantine, and reject. Each tells receiving mail servers what to do when an email fails DMARC authentication. “None” takes no action and is used for monitoring. “Quarantine” sends failing messages to the spam folder. “Reject” blocks failing messages entirely before they reach the inbox.
These three policies form a progression that most domain owners follow in order:
- p=none: A monitoring-only policy. Failing emails are delivered as normal, but DMARC reports are still generated and sent to the addresses you specify. No mail is affected.
- p=quarantine: Emails that fail DMARC alignment are routed to the recipient’s spam or junk folder. This is a middle-ground enforcement level that limits damage while you continue to refine your setup.
- p=reject: The strongest policy. Emails that fail DMARC are refused by the receiving server entirely. They are not delivered and not quarantined; the receiving server turns them away.
Each policy is declared in your DNS record using the p= tag. You can also apply policies to a percentage of mail using the pct= tag, which is useful when testing enforcement before committing fully.
Should I start with DMARC policy ‘none’ or jump straight to enforcement?
You should almost always start with p=none before moving to enforcement. Jumping straight to “quarantine” or “reject” without first understanding your full email sending landscape is a common mistake that leads to legitimate mail being blocked or filtered. The “none” policy lets you observe without disrupting anything.
When you publish a DMARC record at “none,” you begin receiving aggregate reports (RUA reports) and forensic reports (RUF reports) from participating mail servers. These reports reveal every source sending email on behalf of your domain, including third-party platforms like CRMs, marketing tools, transactional email services, and helpdesk systems.
Before moving to enforcement, you need to confirm that every legitimate sending source is properly covered by either SPF or DKIM and that DMARC alignment is passing. Rushing past the monitoring phase is one of the most frequent causes of deliverability incidents. Spend at least two to four weeks at “none,” analyzing reports and fixing authentication gaps, before moving forward.
When should I move from ‘quarantine’ to ‘reject’?
You should move from p=quarantine to p=reject when your DMARC reports consistently show a very high pass rate for your legitimate mail and you have identified and resolved all known authentication issues. A common benchmark is seeing 95% or more of your mail passing DMARC before making the final switch.
The quarantine stage serves as a final validation step. While at “quarantine,” monitor your reports carefully for any unexpected failures. Pay particular attention to:
- Third-party senders that may not yet be aligned
- Forwarded email, which can sometimes break DKIM signatures
- New sending tools or integrations added to your stack
- Any business units or teams that send email independently
If you are using the pct= tag, you can incrementally increase enforcement – for example, starting at pct=10 and working up to 100 before switching to “reject.” This gradual approach gives you a safety net during the transition.
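The pass-rate check described in this section can be scripted against the aggregate (RUA) reports themselves. The following is an added example, not code from the original article: the function names and the embedded report are constructed for illustration, and the report is trimmed to the fields the calculation needs.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample in the DMARC aggregate report layout (documentation IPs).
SAMPLE_REPORT = """
<feedback>
  <record><row><source_ip>192.0.2.10</source_ip><count>940</count>
    <policy_evaluated><disposition>none</disposition>
      <dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>40</count>
    <policy_evaluated><disposition>none</disposition>
      <dkim>pass</dkim><spf>fail</spf></policy_evaluated></row></record>
  <record><row><source_ip>203.0.113.5</source_ip><count>20</count>
    <policy_evaluated><disposition>none</disposition>
      <dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
</feedback>
"""

def pass_counts(xml_text):
    """Return {source_ip: (passed, total)} for one aggregate report."""
    # Reports come from third parties: in production, parse them with a
    # hardened XML parser (for example defusedxml) rather than the stdlib.
    stats = defaultdict(lambda: [0, 0])
    for row in ET.fromstring(xml_text.strip()).iter("row"):
        count = int(row.findtext("count"))
        evaluated = row.find("policy_evaluated")
        # DMARC passes when aligned DKIM or aligned SPF passes.
        ok = "pass" in (evaluated.findtext("dkim"), evaluated.findtext("spf"))
        entry = stats[row.findtext("source_ip")]
        entry[0] += count if ok else 0
        entry[1] += count
    return {ip: tuple(v) for ip, v in stats.items()}

def readiness(xml_text, benchmark=0.95):
    """Return (overall pass rate, meets benchmark?, sources with failures)."""
    counts = pass_counts(xml_text)
    passed = sum(p for p, _ in counts.values())
    total = sum(t for _, t in counts.values())
    failing = sorted(ip for ip, (p, t) in counts.items() if p < t)
    return passed / total, passed / total >= benchmark, failing

if __name__ == "__main__":
    rate, ready, failing = readiness(SAMPLE_REPORT)
    print(f"pass rate {rate:.1%}, meets benchmark: {ready}, review: {failing}")
```

The overall rate includes spoofed mail, so each failing source still has to be classified as legitimate-but-misaligned or unauthorized before the number is compared against the benchmark.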
What happens to email if my DMARC policy is set to ‘reject’?
When your DMARC policy is set to reject, any email that fails DMARC authentication is refused by the receiving mail server and never delivered. The message is not placed in spam – it is rejected outright during the SMTP transaction. The sender typically receives a bounce notification indicating the message was not accepted.
This is the most protective setting for your domain. It makes it extremely difficult for bad actors to send phishing or spoofing emails that appear to come from your domain, because those messages will fail authentication and be rejected before reaching any inbox.
However, “reject” also means there is no second chance for legitimate mail that fails authentication. If a sending source is misconfigured, those messages will bounce. This is why reaching “reject” only after thorough monitoring and remediation matters so much. Once you are at “reject” with confidence, your domain is well protected and your sender reputation benefits from the signal of strong authentication.
What DMARC policy do Google and Yahoo require?
Google and Yahoo require senders to have a DMARC policy published, but they do not require enforcement. As of their 2024 bulk sender requirements – which remain in effect in 2026 – both providers require a DMARC record with at least p=none for domains sending more than 5,000 messages per day to Gmail or Yahoo addresses.
This means the minimum to comply is simply having a valid DMARC record in DNS. You are not required to be at “quarantine” or “reject” to meet their baseline. However, reaching enforcement is still strongly recommended because it actively protects your domain from abuse and signals trustworthiness to receiving servers.
It is worth noting that these requirements apply to the domain in the “From” header. If you use a custom sending domain through a third-party ESP, that domain needs its own DMARC record. Compliance is tied to the domain your recipients see, not the underlying sending infrastructure.
How do I check what my current DMARC policy is?
You can check your current DMARC policy by looking up the TXT record published at _dmarc.yourdomain.com in DNS. The record will contain a p= tag that shows your active policy. If no record exists, you have no DMARC policy in place at all.
There are several straightforward ways to look this up:
- Use a free DMARC lookup tool: Tools like MXToolbox or Google Admin Toolbox allow you to enter your domain and instantly see your full DMARC record parsed in plain language.
- Use the command line: On Mac or Linux, run dig TXT _dmarc.yourdomain.com. On Windows, use nslookup -type=TXT _dmarc.yourdomain.com.
- Check through your DNS provider: Log into your domain registrar or DNS management platform and look for a TXT record at the _dmarc subdomain.
Beyond just seeing the policy value, reviewing the full record is worthwhile. Check whether your RUA and RUF report addresses are correctly configured, whether a pct= tag is limiting enforcement, and whether subdomain policies (sp=) are set as intended. A record that looks correct at a glance can still have gaps that affect how enforcement actually works.
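The record review described above can be automated once you have the TXT string from dig or nslookup. This is an added example, not code from the original article: the helper names are hypothetical and the sample records use placeholder example.com addresses.

```python
RANK = {"none": 0, "quarantine": 1, "reject": 2}  # weakest to strongest

def parse_dmarc(record):
    """Split a DMARC TXT record into an ordered tag -> value dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip().lower()] = value.strip()
    return tags

def audit_dmarc(record):
    """Return (effective settings, findings) for one TXT record string."""
    tags = parse_dmarc(record)
    # v=DMARC1 must be the first tag, otherwise the record is not DMARC.
    if next(iter(tags.items()), None) != ("v", "DMARC1"):
        return None, ["not a DMARC record: first tag must be v=DMARC1"]
    policy = tags.get("p", "").lower()
    if policy not in RANK:
        return None, [f"missing or invalid p= tag: {tags.get('p')!r}"]
    findings = []
    raw_pct = tags.get("pct", "100")          # pct defaults to 100
    pct = int(raw_pct) if raw_pct.isdigit() and int(raw_pct) <= 100 else None
    sp = tags.get("sp", policy).lower()       # sp defaults to the p= value
    if pct is None:
        findings.append(f"invalid pct= value: {raw_pct!r}")
    elif policy == "none":
        findings.append("p=none: monitoring only, failing mail is delivered")
    elif pct < 100:
        findings.append(f"pct={pct}: p={policy} covers only {pct}% of failing mail")
    if sp in RANK and RANK[sp] < RANK[policy]:
        findings.append(f"sp={sp}: subdomains get a weaker policy than p={policy}")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are not collected")
    return {"p": policy, "sp": sp, "pct": pct}, findings

# Constructed sample records; example.com addresses are placeholders.
SAMPLES = [
    "v=DMARC1; p=quarantine; pct=10; sp=none; rua=mailto:dmarc@example.com",
    "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
    "v=spf1 include:_spf.example.com ~all",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        settings, findings = audit_dmarc(sample)
        print(sample, settings, findings or ["no gaps found"], sep="\n  ")
```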
How Email Industries helps with DMARC policy setup and enforcement
Getting your DMARC policy right requires more than just publishing a DNS record. It takes ongoing monitoring, careful analysis of authentication reports, and coordinated remediation across every sending source your domain uses. That is exactly where we come in.
At Email Industries, we help organizations at every stage of the DMARC journey:
- DMARC record audits: We review your existing record and identify gaps in policy, reporting configuration, and subdomain coverage.
- Authentication alignment: We help ensure SPF, DKIM, and DMARC are properly aligned across all your legitimate sending sources, including third-party platforms.
- Report analysis: We interpret your aggregate and forensic DMARC reports to identify unauthorized senders, misconfigured tools, and authentication failures.
- Enforcement roadmap: We guide you through the move from “none” to “quarantine” to “reject” on a timeline that protects deliverability while closing security gaps.
- Ongoing monitoring: We keep watch after enforcement is in place so new sending sources or configuration changes do not create unexpected issues.
Whether you are just getting started with DMARC or you have been stuck at “none” for longer than you intended, we can help you move forward with confidence. Feel free to contact us to talk through where your domain stands and what the right next step looks like for your organization.