3,932 Australian domains analysed. Most fail basic email authentication. [2026 Report]

DMARC Policy

The action a domain owner asks receivers to take when a message fails DMARC: monitor (none), quarantine, or reject.

Definition

The DMARC policy is the action a domain owner asks receivers to take when a message fails DMARC authentication and alignment. It is set via the p= tag in the DMARC record and takes one of three values: none (monitor only — do not affect delivery), quarantine (treat the message as spam, typically routing it to the spam folder), or reject (refuse delivery outright at the SMTP layer). The policy is published once at _dmarc.<domain> and applied by every participating receiver.

How it works

Domain owners almost always start at p=none — this is monitoring mode, and it lets you receive aggregate reports about who is sending under your domain without affecting any actual delivery. The first 14–30 days at p=none are critical: they reveal every legitimate sender that needs to be authorised and every shadow IT mail source you didn't know existed.

Once aggregate reports show that all legitimate senders are passing SPF or DKIM with alignment, the next step is p=quarantine, often combined with the pct= tag (e.g. p=quarantine; pct=10) to apply quarantine to only a percentage of failing mail at first. Quarantine is reversible: if a legitimate sender is missed, mail goes to spam rather than disappearing entirely. Finally, after another monitoring period, the policy progresses to p=reject — usually with pct=100 — at which point the domain is fully protected and no unauthorised sender can deliver under your name.

The sp= tag separately controls policy for subdomains, useful when subdomains are managed differently from the organisational domain.

Example

A staged DMARC policy progression over four months:

// Month 1 — monitoring only
v=DMARC1; p=none; rua=mailto:rua@example.com

// Month 2 — quarantine 10% of failures
v=DMARC1; p=quarantine; pct=10; rua=mailto:rua@example.com

// Month 3 — quarantine all failures
v=DMARC1; p=quarantine; pct=100; rua=mailto:rua@example.com

// Month 4 — reject all failures
v=DMARC1; p=reject; pct=100; rua=mailto:rua@example.com

Related Terms

DMARC An email authentication policy framework that uses SPF and DKIM to detect and prevent doma... DMARC Alignment The check that requires the SPF or DKIM domain to match the visible From header domain in... RUA (Aggregate Report) A daily XML summary report sent by mail receivers to a DMARC-publishing domain, listing ev...

Automate your DMARC

DMARC Busta puts SPF, DKIM, and DMARC management on autopilot — across one domain or 10,000.

Start free trial