DMARC Policy Configuration

Last updated: 2026-01-14 (RFC verified)

Summary

DMARC policy determines what happens when email authentication fails. The three policy levels are p=none (monitor only), p=quarantine (spam folder), and p=reject (block delivery). Policy should be implemented gradually using the pct= parameter.

What Is DMARC Policy Configuration?

DMARC policy is specified in the p= tag of your DMARC DNS record. It controls enforcement when SPF or DKIM authentication fails. The policy applies to the percentage of emails specified by pct= (default 100%). Example: v=DMARC1; p=quarantine; pct=25; rua=mailto:[email protected]

Why DMARC Policy Configuration Matters for Email & DNS Security

DMARC policy is the enforcement layer of email authentication. p=none provides visibility but no protection. p=quarantine reduces phishing impact. p=reject completely blocks spoofing attempts. According to IntoDNS analysis, only 23% of domains with DMARC records have moved beyond p=none to enforcement policies. Gmail and Yahoo require p=quarantine minimum for bulk senders as of 2024.

How DMARC Policy Configuration Works (Technical)

  1. Email fails SPF or DKIM authentication
  2. Receiving server checks DMARC alignment
  3. If alignment fails, apply DMARC policy
  4. p=none: deliver normally, send report
  5. p=quarantine: deliver to spam folder, send report
  6. p=reject: block delivery entirely, send report
  7. pct= controls percentage of emails policy applies to (gradual rollout)

Common Misconfigurations

p=reject without testing

Consequence: Blocks legitimate emails from misconfigured senders

How IntoDNS detects this: IntoDNS recommends p=none → p=quarantine → p=reject progression

No subdomain policy (sp=)

Consequence: Subdomains inherit policy, may block legitimate email

How IntoDNS detects this: IntoDNS checks if sp= is explicitly set for subdomain control

pct=100 on first deployment

Consequence: All authentication failures enforced immediately, high risk

How IntoDNS detects this: IntoDNS recommends starting with pct=25 and gradually increasing

How IntoDNS.ai Detects & Scores This

IntoDNS validates DMARC policy syntax, checks policy strength (flags p=none as weak), validates pct= parameter, checks subdomain policy (sp=), and provides migration recommendations from none → quarantine → reject.
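The checks named above can be reproduced locally against a record string. The following is an added example, not IntoDNS's own code: the function names, finding texts and sample records (with placeholder example.com addresses) are assumptions made for illustration, and the suggested next step follows the none → quarantine → reject order this page recommends.

```python
import re
POLICIES = ("none", "quarantine", "reject")

def parse_dmarc(record):
    """Split a DMARC TXT record into a {tag: value} dict (tag names lower-cased)."""
    pairs = (part.partition("=") for part in record.split(";"))
    return {k.strip().lower(): v.strip() for k, sep, v in pairs if sep}

def lint_dmarc(record):
    """Findings for the checks listed on this page: syntax, strength, pct=, sp=."""
    if not re.match(r"\s*v\s*=\s*DMARC1\s*(;|$)", record):
        return ["syntax: record must begin with v=DMARC1"]
    tags = parse_dmarc(record)
    policy = tags.get("p", "").lower()
    if policy not in POLICIES:
        return ["syntax: p= must be none, quarantine or reject"]
    findings = []
    pct = tags.get("pct", "100")  # pct= defaults to 100 when absent
    if not re.fullmatch(r"[0-9]{1,3}", pct) or int(pct) > 100:
        findings.append("syntax: pct= must be an integer from 0 to 100")
    if policy == "none":
        findings.append("weak: p=none is monitor only")
    if "sp" not in tags:
        findings.append("subdomains: sp= not set, subdomains inherit p=" + policy)
    elif tags["sp"].lower() not in POLICIES:
        findings.append("syntax: sp= must be none, quarantine or reject")
    return findings

def next_step(record):
    """Next stage of the page's rollout: none -> quarantine in 25% steps -> reject."""
    if any(f.startswith("syntax") for f in lint_dmarc(record)):
        return None  # fix the record before moving it along the rollout
    tags = parse_dmarc(record)
    policy, pct = tags["p"].lower(), int(tags.get("pct", "100"))
    if policy == "none":
        return "p=quarantine; pct=25"
    if policy == "quarantine":
        return "p=reject; pct=100" if pct == 100 else "p=quarantine; pct=%d" % min(pct + 25, 100)
    return None  # already at p=reject
# Constructed sample records; the example.com addresses are placeholders.
SAMPLES = [
    "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "v=DMARC1; p=quarantine; pct=25; sp=quarantine; rua=mailto:dmarc@example.com",
    "v=DMARC1; p=reject; pct=150",
]

if __name__ == "__main__":
    for rec in SAMPLES:
        print(rec, lint_dmarc(rec), next_step(rec), sep="\n  ")
```

An empty findings list means the record passed these four checks only; it says nothing about whether the domain's legitimate senders actually authenticate.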

How To Fix DMARC Policy Configuration Issues

  1. Start with p=none for monitoring: v=DMARC1; p=none; rua=mailto:[email protected]
  2. Wait 2-4 weeks and analyze aggregate reports
  3. Fix any legitimate senders failing authentication
  4. Upgrade to gradual quarantine: p=quarantine; pct=25
  5. Increase pct= by 25% every 2 weeks
  6. At pct=100, monitor for 1 month
  7. Final enforcement: p=reject; pct=100

References

Source: IntoDNS.ai – DNS & email security diagnostics

Category: email