DMARC Policy
Also known as: Domain-based Message Authentication, Reporting & Conformance
DMARC is a DNS TXT record at `_dmarc.<domain>` that tells receiving mail servers what to do when a message claiming to be from your domain fails SPF and DKIM checks. The policy can be `p=none` (monitor only), `p=quarantine` (mark as spam), or `p=reject` (refuse delivery). DMARC also requests aggregate reports so the domain owner can see who is sending mail as them.
DMARC is the alignment layer on top of SPF and DKIM. A valid DMARC pass requires either SPF alignment (the SPF-authenticated domain matches the visible From) or DKIM alignment (the DKIM-signing domain matches the visible From). `p=none` is the safe starting policy. it monitors authentication results without affecting delivery, so you can confirm legitimate sources are passing before tightening. `p=quarantine` and `p=reject` actively protect the domain from spoofing.
What to set in 2026
For an actively sending domain with all senders aligned, `p=reject` is the standard. Google, Microsoft, and Yahoo's bulk-sender rules require `p=quarantine` or stricter for senders above 5,000/day to consumer addresses. `p=none` for a long-running domain reads as a deliverability red flag to modern receivers.
Why DMARC reports matter
The `rua=` tag in the DMARC record requests aggregate XML reports from receivers. These reports show every IP and domain claiming to send as you, with pass/fail counts. They are how you discover forgotten sending tools, expired SaaS subscriptions still sending, and active spoofing attempts. Tools like Postmark DMARC Monitoring, dmarcian, and Valimail consume the reports and present them readably.
Related reading
Frequently asked questions
Should a new domain start at p=reject?+
No. Start at `p=none` for at least four to six weeks, monitor aggregate reports for misaligned legitimate senders, fix them, then move to `p=quarantine` and finally `p=reject`. Jumping straight to reject on a domain with unknown senders will block legitimate mail.
Does p=reject affect cold outbound?+
Only positively, provided every cold-outbound tool is properly aligned via SPF or DKIM. Reject blocks spoofers using your domain; it does not block your own authorised sending.
Put this concept into practice
Free tools, articles, and features on this same topic.
Related glossary terms
Want accurate tracking that handles DMARC Policy?
Outsolvi tracks Outlook and Gmail with Tier 1 to 5 confidence scoring on opens, hot-lead detection, and AI reply sentiment at $7/user/mo billed yearly. 14-day free trial, no credit card.
Start 14-Day Free TrialNate built Outsolvi after watching every email-tracking tool he had ever used lie to him about opens. Outsolvi runs Tier 1 to 5 confidence scoring on every open, native in Outlook and Gmail, so the number on the dashboard is one a rep can actually act on.
We update these pages when the underlying mechanics change. new mailbox-provider rules, new tracker behavior, new measurement gaps. The dates above are real revisions, not auto-touches.