DMARC provides three policy modes, each controlling how receiving mail servers should handle emails that fail DMARC authentication. The outcome of DMARC evaluation depends on the results and alignment of SPF and/or DKIM.
Below is an explanation of each policy:
This policy is commonly referred to as a monitoring-only policy.
Emails that fail or pass DMARC authentication are still delivered normally
No enforcement action is taken by receiving servers
Aggregate (RUA) and forensic (RUF, if enabled) reports are generated
This policy is used to gain visibility into your email ecosystem without impacting email delivery.
✔ Best for:
Initial DMARC deployment
Identifying legitimate and unauthorized sending sources
Fixing SPF and DKIM alignment issues
The quarantine policy instructs receiving mail servers to treat emails that fail DMARC authentication as suspicious.
Emails failing DMARC are typically delivered to the spam or junk folder
Emails passing DMARC are delivered to the inbox
Enforcement depends on the receiver’s spam filtering logic
✔ Best for:
Intermediate enforcement
Testing impact before full rejection
Reducing spoofing while monitoring false positives
The reject policy instructs receiving mail servers to not deliver emails that fail DMARC authentication.
Emails failing DMARC are blocked outright
Emails passing DMARC are delivered normally
Provides the strongest protection against spoofing and phishing
✔ Best for:
Mature DMARC deployments
Domains with fully authenticated email sources
Maximum brand and domain protection
If you are starting with TDMARC, the recommended approach is:
Start with p=none
Monitor reports
Identify all legitimate sending sources
Correct SPF and DKIM configurations
Move to p=quarantine
Gradually enforce DMARC
Validate that legitimate emails are not impacted
Transition to p=reject
Fully block unauthorized and spoofed emails
Achieve maximum DMARC protection
If you have any questions or encounter any issues, please contact us at support@threatcop.com