Understanding DMARC policy enforcement and email security
DMARC policy works as follows:
Receiving mail servers check SPF and DKIM authentication results for incoming emails.
DMARC evaluates whether SPF or DKIM passed and aligned with the From domain.
If authentication fails or doesn't align, the DMARC policy is applied (none, quarantine, or reject).
DMARC policies specify how ISPs should handle emails that fail authentication.
DMARC generates reports showing authentication results and policy enforcement.
DMARC policy enforcement protects domains from spoofing, improves deliverability, and provides visibility into email authentication. Configure DMARC policies starting with 'none' for monitoring, then progress to 'quarantine' and 'reject' for stronger protection.
DMARC supports three policy types:
p=none - Accept emails but monitor authentication results. No enforcement action is taken. Used for testing and monitoring DMARC without affecting email delivery.
p=quarantine - Send emails that fail authentication to spam folders. Provides protection while allowing some delivery. Used after verifying authentication is working correctly.
p=reject - Block emails that fail authentication entirely. Provides maximum protection but requires careful setup. Used when confident in authentication configuration.
Start with 'none' for monitoring, progress to 'quarantine' after verification, and finally to 'reject' for maximum protection.
DMARC evaluates SPF and DKIM authentication results to determine if emails are authentic.
DMARC checks alignment between the authentication domains (SPF/DKIM) and the From domain.
For DMARC to pass, either SPF or DKIM must pass AND align with the From domain.
If DMARC fails (both SPF and DKIM fail or don't align), DMARC policy is applied (none, quarantine, or reject).
ISPs apply DMARC policies based on policy type: none (accept), quarantine (spam), or reject (block).
none policy: emails are accepted regardless of authentication results, but results are logged and reported.
quarantine policy: emails that fail authentication are sent to spam folders, providing protection while allowing delivery.
reject policy: emails that fail authentication are blocked entirely, providing maximum protection against spoofing.
DMARC policy enforcement prevents email spoofing, improves deliverability, protects domain reputation, and provides email security.
Monitor DMARC reports to track policy enforcement and authentication results, ensuring policies are working correctly.
Begin with p=none for monitoring: v=DMARC1; p=none; rua=mailto:dmarc@example.com
Monitor DMARC reports to understand authentication results and identify issues before enforcing policies.
After verifying authentication, progress to p=quarantine: v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com
Once confident in authentication, move to p=reject: v=DMARC1; p=reject; rua=mailto:dmarc@example.com
Use our DMARC lookup tool and authentication checker to verify DMARC policies are configured correctly.
Continuously monitor DMARC reports to ensure policies are working correctly and adjust as needed.