DMARC Policies Explained

The DMARC Question That Stops Most Businesses Cold

Almost every DMARC project hits the same wall:

“What happens if we break email?”

It’s a fair fear.
Email is business-critical.
Breaking it would be… awkward.

So what do many organisations do?

They publish DMARC.
Set p=none.
Pat themselves on the back.
And never touch it again.

Which is a bit like installing a burglar alarm that only logs crimes.

Let’s fix that and scare the word “p=none” out of boardrooms everywhere.

Quick Recap: What a DMARC Policy Actually Does

If you need a refresher on how DMARC fits with SPF and DKIM, start here: DMARC: The Email Security Standard You Can’t Afford to Ignore.

DMARC policies tell receiving mail servers what to do when an email claiming to be from your domain:

• Fails SPF
• Fails DKIM
• Fails alignment

Without a policy, receivers guess.
With a policy, they enforce.

If you need a refresher on how DMARC fits with SPF and DKIM, start here: DMARC: The Email Security Standard You Can’t Afford to Ignore.

For the technical breakdown: DMARC vs SPF vs DKIM: What They Do, How They Work, and Why You Need All Three.

This post focuses purely on policy behaviour.

The Three DMARC Policies (And What They Really Mean)

DMARC gives you three enforcement levels:

• p=none
• p=quarantine
• p=reject

They are not equal.
They are not interchangeable.
And only one of them actually stops spoofing.

Let’s walk through them properly.

p=none: Monitoring Mode (Not Protection)

What p=none Does

When DMARC is set to p=none:

• Emails are still delivered normally
• No enforcement is applied
• You receive DMARC reports
• Spoofed emails are not blocked

In plain English:

“Please tell me who’s impersonating us, but don’t stop them.”

When p=none Is Useful

p=none does have a legitimate purpose:

• Discovering all legitimate senders
• Identifying broken SPF or DKIM
• Understanding your email ecosystem

It is a temporary discovery phase.

When p=none Becomes a Problem

Staying on p=none long-term means:

• Your domain remains spoofable
• Brand impersonation continues
• Insurers remain unimpressed
• Attackers face zero resistance

This is the most common DMARC failure we see.

DMARC exists.
DMARC does nothing.

Morse Reality Check

p=none is not security.
It’s reconnaissance.

Useful? Yes.
Protective? Absolutely not.

p=quarantine: Controlled Enforcement

What p=quarantine Does

With p=quarantine:

• Failing emails are marked as suspicious
• They usually land in spam or junk
• Some receivers apply additional scrutiny

This is where DMARC starts reducing risk.

Why p=quarantine Is the Sweet Spot for Transition

This policy is ideal when:

• You’ve fixed most SPF/DKIM issues
• You want enforcement without full rejection
• You’re validating real-world impact

It acts as:

• A safety net
• A warning system
• A confidence builder

What p=quarantine Does Not Do

Let’s be honest:

• Some phishing emails may still land in spam
• Determined attackers may still reach users
• It’s not a hard stop

Better than nothing.
Still not the finish line.

Morse Translation

p=quarantine says:

“If it looks dodgy, treat it like rubbish.”

That’s progress.
But rubbish can still be opened.

p=reject: Full Enforcement (The Goal)

What p=reject Does

With p=reject enabled:

• Emails that fail DMARC are blocked outright
• They never reach inbox or spam
• Spoofing attempts stop dead

This is DMARC doing its actual job.

Why p=reject Matters More Than People Realise

When properly implemented, p=reject:

• Eliminates domain spoofing
• Protects your brand reputation
• Reduces invoice and payment fraud
• Improves deliverability for legitimate mail
• Strengthens cyber insurance position

This is not “advanced security”.

This is finished security.

The Big Myth: “Reject Will Break Email”

Here’s the truth:

DMARC doesn’t break email.
It exposes broken email.

If legitimate messages fail under p=reject, it means:

• A sender wasn’t authenticated
• Alignment was wrong
• A system was forgotten

Those are problems you already had.

DMARC just stops them hiding.

If you want to avoid that pain, read: Common DMARC mistakes that break legitimate email.

The Correct DMARC Policy Journey (Step by Step)

This is the safe, sane, grown-up path:

Step 1: Start with p=none

• Short-term only
• Collect reports
• Identify all senders

Step 2: Fix Alignment

• Clean SPF records
• Enable DKIM everywhere
• Align visible From domains

If this step is rushed, pain follows.

Step 3: Move to p=quarantine

• Monitor impact
• Catch edge cases
• Build confidence

Step 4: Enforce p=reject

• Block spoofing
• Lock down identity
• Sleep better

Slow is smooth.
Smooth is safe.

How DMARC Policy Affects the Business (Not Just IT)

Choosing the right DMARC policy isn’t a technical preference.
It’s a risk decision.

With p=none

• Fraud risk remains high
• Insurers raise eyebrows
• Boards assume protection that doesn’t exist

With p=reject

• Risk is measurably reduced
• Controls are defensible
• Security posture looks intentional

This is why DMARC increasingly shows up in:

• Cyber insurance applications
• Risk registers
• Audit conversations

We cover this in depth here: Email authentication and cyber insurance requirements.

The Morse Take

p=none is a start.
p=quarantine is progress.
p=reject is the point.

If your DMARC policy never moved beyond monitoring,
you didn’t implement DMARC –
you just observed the problem politely.

And attackers love polite.

How This Fits Into the Bigger Picture

This post is part of our DMARC & Email Authentication cluster, anchored by our main guide:

DMARC: The Email Security Standard You Can’t Afford to Ignore

Related reads:

• DMARC vs SPF vs DKIM
• Common DMARC mistakes
• How to read DMARC reports
• DMARC and cyber insurance

Dot. Dash. Enforced.