What does p=none mean in a DMARC record?

p=none is a monitoring-only DMARC policy. Emails that fail DMARC are still delivered normally - nothing is blocked or quarantined. It is the safe starting point for collecting data on who is sending mail from your domain before enforcing a stricter policy.

What is the difference between p=quarantine and p=reject in DMARC?

p=quarantine tells receiving mail servers to send failing emails to the spam or junk folder. p=reject tells them to refuse delivery entirely. Use quarantine first when moving from p=none to allow for edge cases, then move to reject when you are confident all legitimate senders pass DMARC alignment.

Why is my DMARC record not being found?

DMARC must be published as a TXT record at the exact subdomain _dmarc.yourdomain.com - not at the root domain. Check that the record name starts with an underscore and that the type is TXT. DNS propagation can also delay visibility for up to a few hours after publishing.

What is the rua tag in DMARC and do I need it?

rua specifies where aggregate DMARC XML reports are sent. You do not need it for DMARC to work, but without it you cannot see which senders are failing alignment. Add rua=mailto:your@domain.com to start collecting reports. Make sure that mailbox exists.

Can DMARC break my email delivery?

At p=none DMARC cannot break delivery. At p=quarantine or p=reject it can cause legitimate mail to be filtered or rejected if senders are not properly aligned. Always start at p=none, review reports, fix any failing legitimate senders, then move to enforcement gradually using the pct tag.

DMARC Analyzer

Built for operators & agencies

Live DNS - no cached APIs

No login required

No data retention

Privacy first diagnostics

Prevents blacklisting - not causes it

Fetch your DMARC record and explain what it actually does.

Opinionated advice: Start with p=none + rua, then move to quarantine/reject only after you confirm alignment is clean.

If you moved to enforcement already and mail started disappearing, stop guessing run the emergency check.

Fast workflow

Analyze DMARC
Run /check to confirm SPF+DKIM alignment
Use FixKit if anything fails

warning Emergency scan cards_stack See plans

What DMARC really controls

DMARC is not “another DNS record for deliverability”. It is a policy layer on top of SPF and DKIM. It answers one question: does this message authenticate, and does it align with the visible From domain?

That last part, alignment, is why people get confused. SPF can pass for a bounce domain and still fail DMARC. DKIM can pass with a signing domain that does not match the From domain and still fail DMARC. DMARC cares about what the recipient sees in the From header.

When you should run a DMARC check

You are seeing dmarc=fail in Gmail or Outlook headers.
You set up DMARC years ago and forgot what it is doing now.
You are about to move from p=none to quarantine or reject.
You use multiple senders (newsletters, transactional, outreach) and want to avoid breaking legit mail.

The tags that matter most

v: must be DMARC1.
p: policy for the root domain: none, quarantine, or reject.
rua: aggregate reports mailbox. This is how you see who is sending on your domain.
ruf: forensic/failure reports (often not supported or privacy-limited now, so don’t rely on it).
adkim and aspf: alignment mode. r is relaxed, s is strict.
pct: percentage of mail affected. Useful for gradual rollout.
sp: policy for subdomains. People forget this and accidentally break subdomain sending.

Common scenarios that trigger DMARC failure

1) SPF passes but DMARC fails

This is almost always SPF alignment. The sending IP is allowed, but it authenticated a different domain than the visible From domain. Fix: configure a custom MAIL FROM / return-path domain in your ESP, or rely on DKIM alignment.

2) DKIM passes but DMARC fails

The message is signed, but the signing domain (d=) does not align with the From domain. Fix: enable “sign with your domain” or “custom DKIM” in the provider so DKIM uses your domain.

3) DMARC is correct, but your mail still goes to spam

DMARC passing does not guarantee inbox placement. Reputation, engagement, list quality, and complaint rate still matter. DMARC is table stakes, not a magic button.

How to roll out DMARC safely

Start at p=none: publish DMARC with rua so you can see senders in reports.
Fix alignment first: make sure your main senders pass DMARC consistently.
Use pct to ramp: move to quarantine with pct=10, then 25, 50, 100.
Then consider reject: only when you are confident no legit streams are failing.

If you have subdomain sending (for example news.example.com), pay attention to sp.