Medium | 7 min read | Last updated May 22, 2026

DMARC Policy: From None to Quarantine to Reject

DMARC ties SPF and DKIM together. Learn the three policy levels (none, quarantine, reject) and how to implement DMARC safely without breaking email.

What is DMARC?

DMARC (Domain-based Message Authentication, Reporting and Conformance) is a DNS record that builds on top of SPF and DKIM. It tells receiving mail servers what to do when an email fails authentication (neither SPF nor DKIM passes and aligns with the From domain), and where to send reports about authentication failures.

DMARC is the third and final piece of the email authentication stack -- without it, SPF and DKIM are just monitoring, not enforcement.

The three DMARC policies

p=none (Monitor only)

v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com
  • Receiving servers accept all email regardless of SPF/DKIM result
  • You receive reports about failures (useful for discovery)
  • Use for: Initial setup and monitoring before enforcement

p=quarantine (Soft enforcement)

v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com
  • Emails that fail authentication go to the spam folder
  • Legitimate email that fails authentication still gets delivered (just to spam)
  • Use for: Most organisations once SPF and DKIM are confirmed working

p=reject (Full enforcement)

v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com
  • Emails that fail authentication are rejected entirely
  • The sender receives a bounce message
  • Use for: When you are confident all legitimate senders are properly authenticated

How to implement DMARC safely

Step 1: Make sure SPF and DKIM are working first

DMARC requires at least one of SPF or DKIM to pass AND align with the From domain. If you enable DMARC enforcement before SPF/DKIM are set up correctly, you will block legitimate email.

Step 2: Start with p=none

Add this DNS TXT record to your domain:

Name:   _dmarc.yourdomain.com
Type:   TXT
Value:  v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com

Replace dmarc@yourdomain.com with an email address you monitor.

Step 3: Analyse DMARC reports

After a few weeks, you will receive XML reports showing which servers are sending email for your domain and whether they pass authentication. Use a DMARC report analyser like dmarcian or Google Postmaster Tools to read them easily.

Step 4: Fix any legitimate senders that are failing

If you see legitimate services failing authentication, fix their SPF/DKIM setup before moving to enforcement.

Step 5: Move to p=quarantine

Once you are confident all legitimate senders pass authentication, change to p=quarantine.

Step 6: Move to p=reject (when ready)

After running on quarantine with no issues, move to p=reject for full protection.

DMARC alignment explained

DMARC checks that the domain in the From header aligns with:

  • The domain that passes SPF (the envelope sender)
  • The domain in the DKIM signature

If neither one aligns, DMARC fails even if SPF and DKIM individually pass. This is the most common cause of DMARC failures with third-party sending services.

How SurfaceScan helps

SurfaceScan checks DMARC configuration for every root domain in your scope. It reports missing DMARC records and p=none policies (which provide no protection) as findings in the Email Security section.
