A DMARC record is only as strong as its policy. p=none watches, p=quarantine sends failing mail to spam, and p=reject blocks it outright. The goal is to reach p=reject, because that is the setting that actually stops impersonation. The risk is moving too fast and blocking your own legitimate mail. Here is how to advance safely.
The three policies
- p=none takes no action. Receivers still send you reports, so this is monitoring mode. It gives you visibility but zero protection.
- p=quarantine tells receivers to treat failing mail as suspicious, usually delivering it to the spam folder.
- p=reject tells receivers to refuse failing mail entirely. This is the target and the only policy that fully prevents spoofing.
Advance in stages, not in one jump
- Start at p=none and read your aggregate reports until you can see every legitimate sender and confirm they pass SPF or DKIM with alignment.
- Fix the failing senders first. A tool that signs but is not aligned, or a service missing from your SPF record, will be blocked the moment you enforce. Resolve these while still at p=none. See how to fix DKIM alignment.
- Move to p=quarantine, optionally with pct= to apply it to a fraction of mail first, for example p=quarantine; pct=25.
- Move to p=reject once quarantine runs clean with no surprises.
Do not skip the reports
The reports are what make this safe. They are the difference between an informed decision and a guess. Advancing without reading them is how legitimate mail gets blocked.
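To make the report-reading step concrete, here is an added example (not part of the original page) that summarizes one aggregate report and lists the sources that would be blocked under enforcement. The sample XML is constructed, follows the RFC 7489 report layout, and uses placeholder domains and addresses; the function names are illustrative.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample report; domains and IPs are documentation placeholders.
SAMPLE_REPORT = """<feedback>
 <policy_published><domain>example.com</domain><p>none</p></policy_published>
 <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
   <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
  <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim></auth_results></record>
 <record><row><source_ip>192.0.2.25</source_ip><count>40</count>
   <policy_evaluated><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row>
  <auth_results><spf><domain>example.com</domain><result>pass</result></spf></auth_results></record>
 <record><row><source_ip>198.51.100.7</source_ip><count>15</count>
   <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <auth_results><dkim><domain>mailer.example.net</domain><result>pass</result></dkim></auth_results></record>
</feedback>"""

def summarize(report_xml):
    """Return (published policy, per-source stats) for one aggregate report."""
    # Reports come from third parties: in production, parse them with a
    # hardened XML parser (for example the defusedxml package).
    root = ET.fromstring(report_xml)
    policy = root.findtext("policy_published/p", default="none")
    sources = defaultdict(lambda: {"pass": 0, "fail": 0, "unaligned_dkim": set()})
    for rec in root.iter("record"):
        ip = rec.findtext("row/source_ip")
        count = int(rec.findtext("row/count", default="0"))
        ev = rec.find("row/policy_evaluated")
        # policy_evaluated holds the aligned results; DMARC passes if either passes.
        aligned = "pass" in (ev.findtext("dkim"), ev.findtext("spf"))
        sources[ip]["pass" if aligned else "fail"] += count
        if ev.findtext("dkim") != "pass":
            # A valid signature that still failed DMARC was made by another domain.
            for sig in rec.iterfind("auth_results/dkim"):
                if sig.findtext("result") == "pass":
                    sources[ip]["unaligned_dkim"].add(sig.findtext("domain"))
    return policy, dict(sources)

def blockers(sources):
    """Sources whose mail would be quarantined or rejected under enforcement."""
    return {ip: s for ip, s in sources.items() if s["fail"] > 0}

if __name__ == "__main__":
    policy, sources = summarize(SAMPLE_REPORT)
    print(f"published policy: p={policy}")
    for ip, s in blockers(sources).items():
        hint = ", ".join(sorted(s["unaligned_dkim"])) or "no passing signature"
        print(f"{ip}: {s['fail']} failing messages (DKIM signed by: {hint})")
```

A source that appears in the blockers list with a passing signature from another domain is the "signs but is not aligned" case; a source with no passing signature is either a missing SPF entry or mail you did not send.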
Check your current policy
Scan your domain to see which policy you publish today and whether reporting is switched on.