When you're setting up DMARC for the first time, you'll encounter a series of 'tags' that define your policy. One of the most important, and in fact mandatory, tags is the 'p' tag. This tag tells receiving email servers what to do with messages that claim to be from your domain but fail DMARC authentication checks.
The core of the question is about its 'default' value. This can be a bit confusing because the 'p' tag is a required component of any DMARC record. You can't publish a valid DMARC record without it. So, in a technical sense, there is no default value because you must explicitly set one.
However, the question usually arises from people wondering what value they should use when starting out. In that context, the recommended, and safest, starting policy is p=none.
Understanding the 'p' tag values
The 'p' tag, which stands for 'policy', is the instruction you give to mail servers. According to eSecurityPlanet, it "instructs the participating recipient email server what to do with mail that doesn't pass the SPF or DKIM checks". There are three possible values you can set:
- p=none: This is the monitoring-only policy. It tells receivers to take no specific action against failing emails but to send DMARC reports to the address specified in your 'rua' tag. This is the essential first step. As Mailgun points out, "The p=none tag makes no changes to your existing arrangement".
- p=quarantine: This policy asks receivers to treat failing emails with suspicion. Typically, this means sending them to the recipient's spam or junk folder.
- p=reject: This is the strictest policy. It requests that receivers completely block and reject any email that fails DMARC checks. The email will not be delivered at all.
- A DMARC record must contain one of these three values; any other value is invalid. For example, a common mistake is using p=monitor, which is not a valid policy.
Why 'p=none' is the required starting point
While the 'p' tag is mandatory, the DMARC specification requires that it must be present. You cannot leave it out. The reason p=none is considered the 'default' starting point is because implementing DMARC without monitoring first is dangerous. If you immediately set your policy to quarantine or reject, you could inadvertently block legitimate emails from being delivered.
Starting with p=none allows you to collect DMARC aggregate reports and analyze your email streams. You can see which services are sending on your behalf and whether they are correctly configured for SPF and DKIM. Once you are confident that all legitimate mail is authenticating correctly, you can then safely move to a stricter policy.
Related tags: 'sp' and 'pct'
It's also worth noting how the 'p' tag interacts with other optional tags, which do have default behaviors.
The 'sp' tag (subdomain policy): This tag sets a specific policy for your subdomains. If you do not include an 'sp' tag in your DMARC record, subdomains will inherit the policy set by the 'p' tag. So if you have p=reject and no 'sp' tag, the policy for your subdomains also defaults to reject. Klaviyo's documentation explains this well: "it is common for the sp tag to be omitted in a DMARC record, in which case the sp tag defaults to the value of the p tag."
The 'pct' tag (percentage): This tag allows you to apply your policy to a certain percentage of failing emails. This is useful for gradually rolling out a quarantine or reject policy. If you don't include a 'pct' tag, it defaults to 100, meaning the policy applies to 100% of emails that fail DMARC.
Conclusion
To summarize, there is no true default value for the DMARC 'p' tag because it is a mandatory component of a valid record. You must choose one of the three options: none, quarantine, or reject.
However, for anyone starting their DMARC journey, the universally recommended starting policy is p=none. This acts as the de facto 'default' for a safe and effective implementation, allowing you to monitor your email ecosystem before enforcing stricter policies that could impact your email deliverability.
