---
title: "Enforcement rules for DMARC for optimum protection against phishing and spoofing | DuoCircle"
description: "Enforcement rules for DMARC for optimum protection against phishing and spoofing."
image: "https://www.duocircle.com/images/og-default.png"
canonical: "https://www.duocircle.com/blog/dmarc/dmarc-enforcement-rules-optimal-protection-against-phishing-spoofing/"
---

Quick Answer

DMARC has three policy values that tell receiving servers how to handle mail that fails authentication. p=none is monitoring only: failures are reported but mail is still delivered. Use it during initial deployment to discover legitimate senders without disrupting delivery. p=quarantine instructs receivers to send failing mail to the spam folder. It is the bridge policy, blocking spoofed mail from the inbox while keeping false positives recoverable. p=reject blocks failing mail outright; recipients never see it, even in spam. The pct tag (for example pct=20) applies the chosen policy to a percentage of failing mail, which lets domains stage the rollout and watch for legitimate mail being caught before going to 100. Reject is the only policy that fully stops domain spoofing, but it requires every legitimate sender to be aligned with SPF or DKIM first.

Enforcement rules for DMARC for optimum protection against phishing and spoofing


![DMARC for optimum protection](https://media.mailhop.org/duocircle/images/2025/01/spf-record-tester-3.jpg) 

Just like SPF offers domain owners the choice between **Softfail and Hardfail**, DMARC has three enforcement rules: none, quarantine, and reject. Each has its own significance and relevance in the [DMARC compliance](/dmarc/a-guide-to-checking-dmarc-compliance/) journey. 

DMARC adoption surged after **Google and Yahoo** made it mandatory for all bulk senders to deploy DMARC. As of September 2024, nearly [6.8 million domains](https://www.darkreading.com/cybersecurity-operations/time-get-strict-dmarc) had email sender authentication configured.

However, there is still confusion among domain owners as to which policy is right for their domain. Here is a detailed article on each of the [DMARC policies](/dmarc/a-guide-to-advancing-dmarc-policies-for-enhanced-email-deliverability/) and the **percentage tag**. 

## The ‘none’ policy

The ‘none’ policy is represented by p=none, and it is the most permissive setting in DMARC. It’s actually meant only for **monitoring purposes**. When you deploy this policy, no punitive action is taken against emails that didn’t pass DMARC checks. Emails are delivered as usual to recipients, irrespective of passing or failing the authentication checks. 

[![authentication checks](https://media.mailhop.org/duocircle/images/2025/01/SMTP-server-mail-7004.jpg)](https://media.mailhop.org/duocircle/images/2025/01/SMTP-server-mail-7004.jpg)

It’s recommended that the ‘none’ policy be applied in the initial stage of DMARC setup so that it helps you observe and gather data on **how recipients’ mailboxes** are handling emails sent from your domain. You get the information that enables you to decide whether it’s time to step up the security game and start with stricter policies (quarantine or reject). 

As a domain owner, you can **identify the legitimate sources** sending emails on behalf of your domain without disrupting email flow. You will also learn whether any spoofing or [phishing attack](https://thehackernews.com/2024/03/new-strelastealer-phishing-attacks-hit.html) is being attempted in your name. With the collected data, you can adjust your SPF, DKIM, and DMARC records before you apply the ‘quarantine’ or ‘reject’ policy. 

### Use cases for the ‘none’ policy

This monitoring policy is generally advised in **these three conditions**:

1. Companies that have just deployed DMARC start with the p=none policy so that they can understand if their SPF, [DKIM](/resources/what-is-dkim), and DMARC records are correctly configured.
2. Businesses that have **complex email services spanning** across multiple channels, like marketing, transactional, and promotional, use the p=none policy to ensure that legitimate sources are authenticated correctly before enforcing stricter rules that come with p=quarantine or p=reject.
3. Lastly, p=none is used for domains that are not actively used for sending emails.

## The ‘quarantine’ policy

The **‘quarantine’ policy** is stricter than the ‘none’ policy. It’s useful for companies that are ready to take action on [illegitimate emails](https://www.linkedin.com/pulse/illegitimate-emails-protect-yourself-indigo-it-limited) sent from their domain but are not yet confident enough to have such emails blocked outright. 

[![DMARC Quarantine Policy](https://media.mailhop.org/duocircle/images/2025/01/email-smtp-service-2.jpg)](https://media.mailhop.org/duocircle/images/2025/01/email-smtp-service-2.jpg)

_When enforcing the ‘quarantine’ policy, you instruct the receiving mailboxes to deliver unauthenticated emails to spam folders_. This is a **safer policy** because it preserves visibility while preventing phishing. The [flagged emails](https://www.bleepingcomputer.com/news/microsoft/microsoft-disables-bad-spam-rule-flagging-all-sent-emails-as-junk/) remain accessible to recipients, allowing them to review the content if necessary.

The ‘quarantine’ policy is the **stepping stone** or the transitional step between p=none and p=reject. With this, you can continue collecting data through [DMARC aggregate and forensic reports](/resources/dmarc-aggregate-report) and use them rationally to understand if SPF, DKIM, and [DMARC records](/resources/dmarc-records) need any changes. 

If an unauthorized person sends a potential phishing email to one of your clients, and your DMARC policy is set to ‘quarantine,’ then the recipient’s mailbox will place it in the spam folder. _This minimizes the chances of the target falling into the trap and getting duped_. This ultimately reduces the rate of phishing attacks targeting your [brand’s reputation](https://www.business.com/articles/protect-brand-reputation/), helping to instill **trust among your customers**. 

It’s considered a safe option because if there is a false positive, the **quarantined emails** will remain accessible in [spam folders](https://cybernews.com/news/microsofts-breach-notification-emails-end-up-in-spam-folder/). This way, recipients can still open the messages and report them as legitimate if necessary.

### Use cases for the ‘quarantine’ policy

The ‘quarantine’ policy is mainly used in three cases:

1. The p=quarantine policy is often used when domain owners are confident in their [SPF](/resources/what-is-spf) and DKIM setups but want to test stricter enforcement without completely rejecting emails.
2. _Domains frequently targeted by spoofing, such as those in finance, healthcare, or e-commerce, often use p=quarantine to improve security while minimizing operational risks_.
3. Misconfigurations in **email sources are quickly identified**, as legitimate emails ending up in spam can be reviewed and adjusted (e.g., updating SPF/DKIM records).

## The ‘reject’ policy

This is the strictest **DMARC policy enforced** to provide maximum protection against [email spoofing](https://www.bbc.com/news/technology-49857948), phishing, and other email-based threats, ensuring optimal [email security](/) for your domain. With the ‘reject’ policy, the receiving [mail server](https://www.techtarget.com/whatis/definition/mail-server-mail-transfer-transport-agent-MTA-mail-router-Internet-mailer) rejects emails that fail DMARC checks. Such emails are never delivered to recipients’ inboxes (not even in their spam folders), ensuring the targets don’t open them. _The rejected emails usually generate a bounce notification, providing information about the failure to the sender if they are legitimate_. 

However, it comes with the risk of false positives if [legitimate emails](https://www.trendmicro.com/vinfo/us/security/definition/legitimate-bulk-emails) from misconfigured sources get blocked. It will impact communication and reputation. There is also a drawback of operational dependencies because if you have applied the strictest DMARC policy, you must have a well-maintained email ecosystem. Moreover, you need to hire someone to **monitor and analyze DMARC reports.** 

### Use cases for the ‘reject’ policy

Not many domain owners use the ‘reject’ policy because the confidence to handle it isn’t easy to come by. Here are the situations in which enforcing the ‘reject’ policy is ideal:

1. It should only be used when the domain owner or the DMARC administrator is confident that all **legitimate email sources** are authenticated adequately with SPF and DKIM. Companies handling [sensitive data](https://www.securityweek.com/deloitte-says-no-threat-to-sensitive-data-after-hacker-claims-server-breach/) should use the ‘reject’ policy for their domains.
2. This policy is also best suited for primary domains **handling sensitive communications** or [transactional emails](https://medium.com/@bigworks/a-guide-to-transactional-emails-1c20c25eb808), where security is paramount.

## The DMARC percentage (pct) tag

The percentage (pct) tag in a DMARC record lets domain owners apply their policy (‘none,’ ‘quarantine,’ or ‘reject’) to a specified percentage of emails. This gradual rollout helps test the policy’s impact before full enforcement. For example, setting ‘pct=20’ applies the policy to 20% of the emails that fail DMARC checks, leaving the rest unaffected. This reduces the risk of disruptions from misconfigurations and allows organizations to monitor [DMARC reports](/content/dmarc-report) for issues, such as legitimate emails failing checks. It’s especially useful when transitioning to stricter policies like quarantine or reject while **fine-tuning email systems**.
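The staged rollout described above can be checked before a record is published. The following is an added example, not DuoCircle's code: it parses a DMARC TXT record, validates `p` and `pct`, and estimates what happens to mail that fails DMARC at a given `pct`. It goes one step beyond the article by modelling the fallback for failing mail that `pct` does not select (RFC 7489, section 6.6.4: the next-lower policy). The function names, the `draw` parameter and the example.com records are assumptions made for illustration.

```python
# Added example: DMARC policy/pct handling for mail that FAILED DMARC.
VALID_POLICIES = ("none", "quarantine", "reject")
# Action for failing mail NOT selected by pct (RFC 7489, section 6.6.4).
NEXT_LOWER = {"reject": "quarantine", "quarantine": "none", "none": "none"}


def parse_dmarc(txt):
    """Parse a DMARC TXT record; return {'p': policy, 'pct': int, 'rua': str}."""
    pairs = []
    for part in txt.split(";"):
        if not part.strip():
            continue
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part.strip()!r}")
        pairs.append((name.strip().lower(), value.strip()))
    if not pairs or pairs[0] != ("v", "DMARC1"):
        raise ValueError("record must begin with v=DMARC1")
    tags = dict(pairs)
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        raise ValueError(f"missing or invalid p= tag: {policy!r}")
    pct_text = tags.get("pct", "100")  # pct defaults to 100 when absent
    if not pct_text.isdigit() or int(pct_text) > 100:
        raise ValueError(f"pct must be an integer 0-100, got {pct_text!r}")
    return {"p": policy, "pct": int(pct_text), "rua": tags.get("rua", "")}


def disposition(record, draw):
    """Action for one failing message; draw (0-99) is the receiver's sampling roll."""
    if not 0 <= draw <= 99:
        raise ValueError("draw must be in 0..99")
    policy = record["p"]
    return policy if draw < record["pct"] else NEXT_LOWER[policy]


def expected_split(record, failing):
    """Expected count per action for `failing` messages that fail DMARC."""
    enforced = failing * record["pct"] // 100
    split = {record["p"]: enforced}
    fallback = NEXT_LOWER[record["p"]]
    split[fallback] = split.get(fallback, 0) + failing - enforced
    return split


def posture(record):
    """Summarize how much failing (potentially spoofed) mail the record stops."""
    if record["p"] == "none":
        return "monitoring only"
    if record["pct"] < 100:
        return f"partial {record['p']} ({record['pct']}%)"
    return f"full {record['p']}"


if __name__ == "__main__":
    # Constructed sample records for the placeholder domain example.com.
    for txt in ("v=DMARC1; p=none; rua=mailto:dmarc@example.com",
                "v=DMARC1; p=quarantine; pct=20; rua=mailto:dmarc@example.com",
                "v=DMARC1; p=reject"):
        rec = parse_dmarc(txt)
        print(f"{posture(rec):<26} {expected_split(rec, 1000)}")
```

A record that reports `partial reject` still lets part of the failing mail reach spam folders, so only `full reject` matches the article's description of mail that recipients never see.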


Brad Slavin 

General Manager

General Manager at DuoCircle. Product strategy and commercial lead across the email security portfolio.

