What DMARC settings should I use and what are the implications of using p=reject?

Summary

Implementing DMARC, particularly the 'p=reject' policy, requires a strategic and cautious approach. Documentation explains that 'p=reject' instructs recipient servers to reject messages failing authentication, offering the strongest protection against spoofing. However, experts and marketers emphasize that careful planning is paramount. The consistent recommendation is to begin with 'p=none' to monitor traffic, identify authentication issues, and ensure proper SPF and DKIM configuration across all sending sources (ESP, CRM, etc.) before moving to stricter policies. DMARC reporting (via rua/ruf tags) is vital for understanding the impact of your policy and identifying potential problems. It is also important to understand DMARC alignment. DMARC enhances deliverability by preventing spoofing and phishing, but maintaining good sending practices remains essential.

Key findings

  • Phased Implementation: A phased approach, starting with 'p=none' for monitoring, is recommended for DMARC implementation.
  • Authentication Foundation: Correct SPF and DKIM configuration is crucial across all sending sources before enforcing 'p=reject'.
  • Reporting Importance: DMARC reporting provides essential insights into policy impact and authentication failures.
  • DMARC Alignment: Proper SPF and DKIM passing (alignment) are important for messages to pass DMARC authentication checks.
  • Deliverability Boost: DMARC, particularly 'p=reject', improves deliverability by preventing spoofing and enhancing sender reputation.
  • Reject Is Valid: 'p=reject' is a valid setting and is stronger than 'p=none'.

Key considerations

  • Premature Enforcement Risks: Implementing 'p=reject' prematurely can block legitimate emails if authentication is not properly configured.
  • Comprehensive Source Audit: Audit and authenticate all email sending sources (ESP, CRM, etc.).
  • Continuous Monitoring: Regularly monitor DMARC reports to identify and address authentication issues and potential misconfigurations.
  • Holistic Approach Required: DMARC is not a single solution; good sending practices are still needed to avoid blocklists.
  • Expert Assistance: Reject without reporting can be problematic; monitoring and configuration are needed.
  • Case Study Caution: Implementing p=reject requires support/guidance.
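
The monitoring step recommended above can be sketched as follows. This is an added example, not code from any of the cited sources: it tallies, per source IP, the messages in one DMARC aggregate (rua) report that fail DMARC and would therefore be affected by a move to 'p=reject'. The sample report is constructed and trimmed to the fields used, and the code assumes the report XML has no namespace.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample of a DMARC aggregate (rua) report, trimmed to the fields used here.
SAMPLE_REPORT = """<feedback>
  <policy_published><domain>example.com</domain><p>none</p></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
    <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
  <record><row><source_ip>192.0.2.10</source_ip><count>5</count>
    <policy_evaluated><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>40</count>
    <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
  <record><row><source_ip>203.0.113.5</source_ip><count>3</count>
    <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
</feedback>"""


def summarize_report(report_xml):
    """Tally messages per source IP that fail DMARC in one aggregate report."""
    # Reports arrive from third parties: in production, parse them with a
    # hardened XML parser (for example the defusedxml package).
    root = ET.fromstring(report_xml)
    per_source = defaultdict(lambda: [0, 0])  # ip -> [failing, total]
    for row in root.iter("row"):
        ip = row.findtext("source_ip")
        count = int(row.findtext("count", "0"))
        evaluated = row.find("policy_evaluated")
        # DMARC passes when either the aligned DKIM or the aligned SPF result is "pass".
        passed = "pass" in (evaluated.findtext("dkim"), evaluated.findtext("spf"))
        per_source[ip][1] += count
        if not passed:
            per_source[ip][0] += count
    failing = {ip: n[0] for ip, n in per_source.items() if n[0]}
    return {
        "published_policy": root.findtext("policy_published/p"),
        "total": sum(n[1] for n in per_source.values()),
        "failing": sum(failing.values()),
        "failing_sources": failing,  # mail from these is subject to rejection under p=reject
    }


if __name__ == "__main__":
    report = summarize_report(SAMPLE_REPORT)
    print(f"{report['failing']}/{report['total']} messages fail DMARC")
    for ip, n in sorted(report["failing_sources"].items()):
        print(f"  {ip}: {n} failing; identify the sender before enforcing")
```

Each failing source is either a legitimate sender that still needs SPF or DKIM alignment, or spoofed mail that enforcement is meant to stop; telling the two apart is the purpose of the 'p=none' phase.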

What email marketers say
11 marketer opinions

The advice regarding DMARC settings, particularly the 'p=reject' policy, emphasizes a cautious, phased approach. Starting with 'p=none' is widely recommended to monitor email traffic and identify authentication issues without disrupting delivery. Ensuring proper SPF and DKIM configuration is crucial before implementing stricter policies like 'p=reject' to prevent legitimate emails from being blocked. DMARC reporting plays a vital role in understanding the impact of your policy and identifying potential problems. DMARC alignment is also important, with proper SPF and DKIM passing being required for messages to pass DMARC authentication. While DMARC improves deliverability by preventing spoofing, it doesn't guarantee it and good sending practices are still important.

Key opinions

  • Phased Approach: Implementing DMARC effectively requires a phased approach, starting with 'p=none' for monitoring and gradually increasing enforcement.
  • Authentication First: Ensure SPF and DKIM are correctly configured for all email sending sources before implementing 'p=reject'.
  • Reporting is Key: DMARC reporting is crucial for understanding the impact of your DMARC policy and identifying authentication failures.
  • DMARC Alignment: SPF and DKIM need to pass alignment checks for messages to pass DMARC authentication.
  • Improved Delivery: DMARC improves delivery, specifically by preventing spoofing and phishing attacks.

Key considerations

  • Premature Rejection: Implementing 'p=reject' prematurely can block legitimate emails if SPF or DKIM are misconfigured.
  • Complete Configuration: Ensure all email sending sources (ESP, CRM, etc.) are properly authenticated.
  • Ongoing Monitoring: Continuously monitor DMARC reports to identify and address authentication issues.
  • DMARC is not a panacea: While DMARC improves deliverability, it doesn't stop you from being blocklisted if you don't maintain good sending practices.
Marketer view

Email marketer from Valimail shares that starting with 'p=none' is a recommended practice. This allows you to monitor DMARC reports and identify any legitimate email sources that are failing authentication before moving to a stricter policy like 'p=quarantine' or 'p=reject'.

March 2022 - Valimail
Marketer view

Email marketer from Spamhaus explains that while DMARC helps protect against direct spoofing, it doesn't automatically prevent you from being blocklisted for other spam-related issues. You still need to maintain good sending practices.

February 2022 - Spamhaus
Marketer view

Email marketer from Mailhardener stresses that DMARC, particularly with 'p=reject', significantly improves email deliverability by preventing spoofing and phishing attacks, thereby enhancing sender reputation with email providers.

September 2023 - Mailhardener
Marketer view

Email marketer from GlockApps emphasizes the critical role of DMARC reporting (both aggregate and forensic) in understanding the impact of your DMARC policy. They state that monitoring reports is crucial for identifying authentication failures and making informed decisions about your DMARC policy.

October 2021 - GlockApps
Marketer view

Email marketer from Proofpoint explains that DMARC implementation involves phases: starting with monitoring ('p=none'), then quarantining ('p=quarantine') a percentage of failing emails, before finally rejecting all failing emails ('p=reject'). They emphasise the importance of monitoring reports at each stage.

February 2025 - Proofpoint
Marketer view

Email marketer on Email Marketing Forum advises ensuring that all email sending sources (ESP, CRM, etc.) are properly authenticated with SPF and DKIM before setting DMARC to 'p=reject', to avoid inadvertently blocking legitimate emails. They provide examples of common misconfigurations.

January 2022 - Email Marketing Forum
Marketer view

Email marketer from Postmark shares the value of a phased approach to DMARC, starting with a monitoring phase, then gradually increasing enforcement. Doing this helps to ensure legitimate email isn't blocked by an overly aggressive DMARC policy.

May 2021 - Postmark
Marketer view

Email marketer from Email Geeks recommends removing 'pct=100' from the DMARC record (as it's the default) and adding a 'rua' tag for aggregate reports.

January 2023 - Email Geeks
Marketer view

Email marketer from EasyDMARC warns that implementing 'p=reject' prematurely can result in legitimate emails being blocked if SPF or DKIM are not properly configured or if third-party services are not correctly authenticating email. Careful auditing is crucial.

April 2024 - EasyDMARC
Marketer view

Email marketer on Reddit shares their experience implementing p=reject, highlighting the initial challenges of identifying and correcting misconfigured email sources but ultimately noting a significant reduction in spoofed emails and improved domain reputation. They recommend starting with p=none and ramping up slowly.

March 2025 - Reddit
Marketer view

Email marketer from ZeroBounce stresses the importance of DMARC alignment (SPF and DKIM passing) for messages to pass DMARC authentication, and describes how even a 'p=none' policy can still impact deliverability if there are alignment issues.

November 2024 - ZeroBounce

What the experts say
5 expert opinions

The expert opinions on DMARC settings, especially regarding 'p=reject', highlight the importance of careful planning and monitoring. While 'p=reject' offers strong protection against spoofing, it demands thorough understanding of email streams and proper configuration of SPF and DKIM. Starting with 'p=none' for monitoring is generally recommended, along with appropriate reporting mechanisms. There's a consensus that using 'p=reject' without adequate preparation and ongoing monitoring can lead to significant deliverability issues and blocking legitimate emails.

Key opinions

  • Reject Valid: 'p=reject' is a valid and strong DMARC setting, stronger than 'p=none'.
  • Monitoring is Crucial: Using DMARC 'reject' requires thorough monitoring to prevent issues.
  • Preparation Needed: Proper SPF/DKIM setup is essential before enforcing 'p=reject'.
  • Understand Email Streams: Understanding email streams is important for implementing DMARC.

Key considerations

  • Advanced Practice: Using DMARC reject without reporting is an advanced practice and should be approached cautiously.
  • Potential for Issues: Improper implementation of 'p=reject' can lead to deliverability problems and blocking legitimate emails.
  • Ongoing Attention: Implementing 'p=reject' requires ongoing monitoring and adjustments to ensure legitimate email is properly authenticated.
  • Start with None: Starting with p=none will allow monitoring before taking action.
Expert view

Expert from Word to the Wise shares the implication of using p=reject, noting it tells receivers to reject messages failing authentication. This requires ensuring your legitimate email is properly authenticated to prevent deliverability problems, highlighting the importance of monitoring and correctly configuring SPF and DKIM.

March 2022 - Word to the Wise
Expert view

Expert from Email Geeks shares a cautionary tale about a company (Crayola's parent company) that implemented 'p=reject' without proper support, guidance, or reporting, leading to deliverability issues.

June 2021 - Email Geeks
Expert view

Expert from Email Geeks confirms that the DMARC setting 'p=reject' is valid and stronger than 'p=none', which is the minimum requirement.

February 2023 - Email Geeks
Expert view

Expert from Email Geeks explains that using DMARC reject without reporting is an advanced practice and advises caution, though he admits to using it himself.

May 2022 - Email Geeks
Expert view

Expert from Spam Resource explains that deploying DMARC involves understanding your email streams and ensuring proper SPF and DKIM setup before enforcing policies like p=reject. He recommends starting with p=none to monitor traffic and identify any legitimate sending sources that need correction.

February 2024 - Spam Resource

What the documentation says
4 technical articles

The documentation consistently explains that the DMARC 'p' tag dictates how recipient mail servers handle messages failing authentication. Options include 'none' (no action), 'quarantine' (mark as spam), and 'reject' (block). 'p=reject' provides the strongest anti-spoofing protection by instructing servers to reject failing emails, but necessitates careful monitoring to avoid unintended blocking of legitimate mail. RFC 7489 provides the official specification. DMARC records can include 'rua' and 'ruf' tags for reporting.

Key findings

  • P Tag Definition: The DMARC 'p' tag defines the policy for handling emails that fail DMARC checks.
  • Reject Action: 'p=reject' instructs recipient servers to reject unauthenticated emails.
  • Strongest Protection: 'p=reject' provides the strongest level of protection against spoofing.
  • Official Specification: RFC 7489 formally defines the DMARC standard and the 'p' tag's values.

Key considerations

  • Monitoring Required: Using 'p=reject' requires careful monitoring to avoid blocking legitimate emails.
  • Potential for Blocking: Incorrect configuration can lead to legitimate emails being rejected.
  • Reporting Tags: 'rua' and 'ruf' tags are important for receiving reports on DMARC results.
Technical article

Documentation from DMARC.org explains that using 'p=reject' instructs recipient mail servers to reject emails that fail DMARC authentication. This provides the strongest level of protection against spoofing but requires careful monitoring to avoid blocking legitimate email.

August 2021 - DMARC.org
Technical article

Documentation from RFC 7489, the official DMARC specification, formally defines the 'p' tag and its possible values ('none', 'quarantine', 'reject'), detailing the expected behavior of receiving mail servers for each policy option. This is the definitive source for understanding DMARC policy implementation.

April 2023 - RFC Editor
Technical article

Documentation from Google Workspace Admin Help explains that the DMARC policy ('p' tag) tells the recipient's mail server what to do with messages that fail DMARC checks. Options include 'none' (take no action), 'quarantine' (mark as spam), and 'reject' (block the message).

August 2021 - Google Workspace Admin Help
Technical article

Documentation from Microsoft provides an example of a DMARC record with the 'p=reject' policy, illustrating its placement within the overall record structure and its interaction with other tags like 'rua' (reporting URI for aggregate reports) and 'ruf' (reporting URI for forensic reports).

September 2022 - Microsoft
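
To make the record structure described in this section concrete, the following added example (not taken from any of the cited documentation) parses a DMARC TXT record and flags the points raised on this page: an invalid or missing 'p' value, a missing 'rua' tag, and a redundant 'pct=100'. The function names and the example.com address in the usage lines are assumptions made for illustration.

```python
VALID_POLICIES = {"none", "quarantine", "reject"}


def parse_dmarc(record):
    """Split a DMARC TXT record into an ordered list of (tag, value) pairs."""
    pairs = []
    for part in record.split(";"):
        if not part.strip():
            continue  # tolerate a trailing semicolon
        tag, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part.strip()!r}")
        pairs.append((tag.strip().lower(), value.strip()))
    return pairs


def lint_dmarc(record):
    """Return a list of findings for one DMARC record (empty list means clean)."""
    pairs = parse_dmarc(record)
    tags = dict(pairs)
    findings = []
    # RFC 7489: the v tag must come first and must be exactly "DMARC1".
    if not pairs or pairs[0] != ("v", "DMARC1"):
        findings.append("record must start with v=DMARC1")
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        findings.append("p tag missing or not one of none/quarantine/reject")
    if "rua" not in tags:
        note = "no rua tag: no aggregate reports will be sent"
        if policy == "reject":
            note += "; failures are rejected with no visibility"
        findings.append(note)
    if tags.get("pct") == "100":
        findings.append("pct=100 is the default and can be removed")
    return findings


if __name__ == "__main__":
    # Constructed records: an enforcing record without reporting, and a monitoring record.
    for rec in ("v=DMARC1; p=reject; pct=100",
                "v=DMARC1; p=none; rua=mailto:dmarc@example.com"):
        print(rec, "->", lint_dmarc(rec) or "ok")
```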