A DMARC record can carry one of three policies, set by the "p=" tag as shown below:
- v=DMARC1; p=none;
- v=DMARC1; p=quarantine;
- v=DMARC1; p=reject;
Typically, when you implement DMARC for the first time, you start with a policy of p=none. This policy puts you in reporting-only mode: you don't want any policy to be applied to your emails if they fail DMARC. During this stage you are simply gaining visibility into how your domain is being used around the world and which services are sending emails on your behalf. You identify your legitimate sending services and configure each one with SPF and DKIM so that they send DMARC-compliant emails.
Once you are confident that your sending services are fully configured, you can change your DMARC policy from p=none; to p=quarantine;. From this point on, any email that fails DMARC has this policy applied to it, which usually means it is sent to the recipient's spam folder.
If you do not encounter any issues during the p=quarantine; stage and only spoofing emails are being quarantined, you can change the policy once more, from p=quarantine; to p=reject;. At this stage you are telling recipients to reject any emails that fail DMARC. End recipients will never receive these emails: they are rejected at the SMTP level and will not be found. This is the strongest level of protection DMARC offers: receivers that honor your policy will refuse mail that spoofs your domain. Any emails that do not originate from your legitimate sending services will be rejected, as they will fail DMARC.
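To check which of the three stages a published record is in, the following added example (not part of the original page) parses a DMARC TXT record and reports its policy. It goes one step beyond the text by flagging a p=none record that has no `rua=` tag, since without it no aggregate reports are sent; the sample records and the example.com address are constructed.

```python
# Added example: classify a DMARC TXT record by rollout stage.
# Sample records are constructed; example.com is a placeholder domain.

STAGES = {
    "none": "monitoring: failures are reported, no action requested",
    "quarantine": "enforcing: failures usually go to the spam folder",
    "reject": "enforcing: failures are rejected at the SMTP level",
}


def parse_dmarc(record):
    """Split a DMARC TXT record into a {tag: value} dict."""
    tags = {}
    parts = [p.strip() for p in record.split(";") if p.strip()]
    for i, part in enumerate(parts):
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part!r}")
        name, value = name.strip().lower(), value.strip()
        if i == 0 and (name != "v" or value != "DMARC1"):
            raise ValueError("record must begin with v=DMARC1")
        tags.setdefault(name, value)  # first occurrence of a tag wins
    if not tags:
        raise ValueError("empty record")
    return tags


def review(record):
    """Return (policy, findings) for one DMARC record."""
    tags = parse_dmarc(record)
    policy = tags.get("p", "").lower()  # tolerate p=Quarantine etc.
    if policy not in STAGES:
        raise ValueError(f"missing or unknown p= value: {policy!r}")
    findings = [STAGES[policy]]
    # Beyond the page: aggregate reports are requested with the rua= tag.
    if policy == "none" and "rua" not in tags:
        findings.append("p=none without rua=: no aggregate reports are sent")
    return policy, findings


if __name__ == "__main__":
    for rec in ("v=DMARC1; p=none;",
                "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
                "v=DMARC1; p=quarantine;",
                "v=DMARC1; p=reject;"):
        print(rec, "->", review(rec))
```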