DMARC: from p=none to quarantine/reject (without breaking mail)

A safe rollout path for DMARC policies and what alignment means in real life.
2026-02-228 min readdeliverabilitydmarcdnssecurity

DMARC tells receivers what to do when your visible From domain is spoofed or misaligned. Passing DMARC is also a trust signal for inbox placement.

Start with p=none (monitoring)

_dmarc.example.com TXT "v=DMARC1; p=none; rua=mailto:dmarc@example.com"

p=none does not enforce. It helps you observe alignment and discover unknown senders.

Move to quarantine, then reject

  • p=quarantine: mail that fails DMARC may be sent to spam/junk.
  • p=reject: mail that fails DMARC should be rejected.
  • Consider pct=10 → 25 → 50 → 100 if you want gradual rollout.

If DMARC fails while SPF and DKIM pass

That’s usually alignment: the domain in header.from must align with the domain that passed SPF (smtp.mailfrom) or DKIM (header.i). Fix by signing with the same domain, or adjusting Return-Path / custom domain in your ESP.

Goal
Aim for Authentication-Results: spf=pass, dkim=pass, dmarc=pass for your primary sending domain.
Open feedback form