Defaults.Exposed

Defaults.Exposed › Reports

What Is DMARC? p=none, quarantine and reject Explained (2026)

Published 2026-07-01

Figures as of 2026-06-29 · methodology v7. Aggregate census data across 261 million graded domains. DMARC is the DNS policy that tells receiving mail servers what to do with messages that fail authentication. See how we grade.

DMARC is the instruction that decides whether a forged email in your name is rejected, quarantined, or delivered like normal. It has three settings — none, quarantine, reject — and only the last two actually protect you. Across 261 million domains, just 10.59% enforce. Most of the rest either publish nothing (75.11%) or a monitor-only record that looks like protection but stops nothing (14.29%). Here’s what each policy does.

What the three DMARC policies mean

DMARC ties SPF and DKIM to the visible “From” address and tells receivers what to do on a failure:

Together, quarantine and reject — the two enforcing policies — cover just 10.59% of domains. Only 8.89% collect the aggregate (rua) reports that tell you who’s sending in your name.

”We published DMARC” isn’t the same as “we enforce DMARC”

This is the trap. Publishing a record feels like the finish line, but a p=none record is a smoke detector with no battery — it observes, it doesn’t act. And typos silently downgrade you to nothing at all: 48,648 domains (0.07% of DMARC records) have a policy token receivers can’t read — misspellings like quarentine or the wrong language — so it’s treated as no policy. See why p=none is not protection and DMARC typos.

How do I set up DMARC?

Do it in order — enforcing before SPF and DKIM are solid will bounce your own mail:

  1. Publish SPF and DKIM first and confirm your legitimate mail passes both.
  2. Start at p=none with rua — a record like v=DMARC1; p=none; rua=mailto:you@yourdomain. Watch the reports for a few weeks to catch every real sender.
  3. Move to p=quarantine, then p=reject once the reports are clean. This last step is the one that actually stops impersonation. See fix DMARC.

Enforcement by domain ending

Higher is better — the share that actually blocks forgery. As of 2026-06-29:

Domain endingDMARC-enforcing
.nl (Netherlands)29.43%
.de (Germany)21.38%
.uk (United Kingdom)13.42%
.com9.50%
.net10.08%
.org10.01%
.xyz5.15%

Even the strongest large ending enforces on a minority of its domains.

Frequently asked questions

What is a DMARC record? A DNS TXT record at _dmarc.yourdomain starting v=DMARC1, whose p= value tells receivers what to do with mail that fails authentication: none, quarantine or reject.

Is p=none enough? No. p=none is monitor-only and blocks nothing. 14.29% of domains stop here and remain spoofable. Only quarantine or reject protects you.

What’s the difference between quarantine and reject? quarantine sends failing mail to spam; reject refuses it entirely. Reject is strongest. As of 2026-06-29, 5.28% of domains quarantine and 5.31% reject.

Will DMARC block my own email? Only if SPF or DKIM aren’t set up correctly first. That’s why you start at p=none, watch the reports, and tighten once your real senders all pass.

Is DMARC free? Yes — it’s a DNS record. The cost is the time to roll it out safely, not money.

Check your domain’s DMARC free

See whether your DMARC policy actually enforces — privately, and owner-only.

Check your domain → · Fix DMARC → · Can someone spoof my domain? → · How we grade → · Aggregate data only. Data stored and processed in the EU.