DMARC policy: p=none vs p=reject
Also known as: DMARC enforcement, p=none, p=reject, DMARC monitor mode
A DMARC record can either just watch fake email go by (p=none) or actually block it (p=reject) — and a lot of businesses think they're protected when they're only watching.
What it is
Every DMARC record contains a setting that decides what happens to email that fails the checks. The two that matter are:
- p=none — “monitor mode.” Providers still let fake email through; DMARC only watches and reports. It protects nobody on its own.
- p=reject — “enforcement mode.” Providers actively reject email that fails the checks. This is what stops impersonation.
There’s also p=quarantine (send fakes to spam), which is a middle step on the way to reject.
Why it matters to your business
This is one of the most common false comfort zones we see. A business turns on DMARC, sees the record exists, and assumes it’s protected — but the policy is left at p=none, which means scammers can still send fake invoices and payment requests in your name. The doorman is standing there, but he’s been told to wave everyone through.
Only p=reject (or quarantine as a stepping stone) actually shuts the door. The usual safe path is: start at none to gather reports and make sure you won’t block your own genuine mail, then move to quarantine, then to reject once you’re confident.
How to tell / what to do
Our free checker tells you not just whether DMARC exists but which policy it’s set to — so you can see if you’re protected or only watching. Moving from none to reject is a free change in your domain settings, best done in stages. See the DMARC fix guide.
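The check described above, as an added example (not the checker's own code): a Python function that reads a DMARC record string and reports whether the domain is only monitoring or actually enforcing. It goes slightly beyond the page by also reading the `pct` tag from RFC 7489, which can leave a `p=reject` record only partly applied; the sample records and the status names are constructed for illustration.

```python
# Added example; sample records are constructed, no DNS lookup is performed.

def parse_tags(record):
    """Split 'v=DMARC1; p=none; ...' into an ordered list of (tag, value)."""
    pairs = []
    for part in record.split(";"):
        tag, sep, value = part.partition("=")
        if sep:
            pairs.append((tag.strip().lower(), value.strip()))
    return pairs

def classify(record):
    """Return 'invalid', 'monitoring', 'partial' or 'enforcing'."""
    pairs = parse_tags(record)
    # RFC 7489: v=DMARC1 must be the first tag in the record.
    if not pairs or pairs[0] != ("v", "DMARC1"):
        return "invalid"
    tags = dict(pairs)
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return "invalid"              # p is required
    if policy == "none":
        return "monitoring"           # reports only, nothing is blocked
    # pct (default 100) is the share of failing mail the policy applies to.
    # Assumption of this example: an unparsable pct is reported as invalid.
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        return "invalid"
    if not 0 <= pct <= 100:
        return "invalid"
    if policy == "quarantine" or pct < 100:
        return "partial"              # stepping stone, not full rejection
    return "enforcing"                # p=reject applied to all failing mail

# Constructed sample records for example.com.
SAMPLES = [
    "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "v=DMARC1; p=quarantine",
    "v=DMARC1; p=reject; pct=25",
    "v=DMARC1; p=reject",
    "v=spf1 include:_spf.example.com ~all",   # an SPF record, not DMARC
]

if __name__ == "__main__":
    for rec in SAMPLES:
        print(f"{classify(rec):<11} {rec}")
```

The record itself is the TXT value published at `_dmarc.` followed by your domain name.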