When setting up DMARC, one of the most important tags you’ll encounter is the p tag, which defines the policy for your domain. This tag instructs receiving mail servers on how to handle emails that fail DMARC authentication checks. It's a critical component because it dictates the enforcement level of your DMARC policy.
Many ask about a default value for the p tag, especially if it's omitted from the DMARC record. The reality is that DMARC requires an explicit policy. If the p tag is missing, the DMARC record is considered invalid by email receivers, and no DMARC policy will be applied. This means a receiving server will not take any enforcement action based on DMARC, effectively treating it as if there were no DMARC record for enforcement purposes.
While there isn't an implicit default value that mail servers would assume, the closest functional equivalent to a p tag not providing enforcement is setting it explicitly to p=none. This policy allows you to collect DMARC reports without affecting email delivery, which is ideal for initial setup and monitoring. It's crucial to distinguish between an omitted p tag (invalid record) and an explicitly set p=none policy (valid record with no enforcement).
Understanding the DMARC 'p' tag
The DMARC p tag, short for 'policy', specifies what an email receiver should do with an email that fails DMARC authentication (meaning it fails either SPF or DKIM alignment, or both). There are three possible values for this tag, each with distinct implications for your email deliverability and security.
p=none: This policy tells receiving mail servers to take no specific action against emails that fail DMARC. These emails will still be delivered, but you will receive DMARC reports, which are invaluable for identifying legitimate email sources and detecting potential spoofing attempts. This is often the starting point for DMARC implementation.
p=quarantine: With this policy, emails failing DMARC authentication are marked as suspicious. Receiving mail servers are instructed to place these emails into the recipient's spam or junk folder, or otherwise treat them with suspicion. This provides a stronger level of protection than p=none while still allowing you to monitor the impact before moving to full rejection.
p=reject: This is the strongest DMARC policy. Emails that fail DMARC authentication are rejected outright by receiving mail servers and are not delivered to the recipient at all. This policy offers the highest level of protection against email spoofing and phishing for your domain.
The choice of policy directly impacts how your domain's emails are trusted by other mail servers and how effectively you can prevent unauthorized use of your brand. You can learn more about the various DMARC tags and their functions in our list of DMARC tags.
The implied non-enforcement
While there is no true default value for the p tag if it's completely absent from a DMARC record, the practical outcome is similar to p=none. However, the distinction is crucial for technical accuracy. If a DMARC record does not include the p tag, the record is considered malformed or invalid by compliant mail receivers, meaning no DMARC policy will be enforced.
For example, Microsoft Learn documents and Google's DMARC setup instructions consistently show DMARC records with the p tag explicitly defined. This underscores the necessity of its inclusion. If a DMARC record looks like this, it is not correctly configured for enforcement:
Invalid DMARC Record (Missing 'p' tag)
v=DMARC1; rua=mailto:reports@yourdomain.com;
Reporting does not depend on enforcement. As long as your DMARC record is valid, even with p=none, you will still receive aggregate reports that provide valuable insights into your email ecosystem. These reports detail which mail streams are passing or failing DMARC authentication, which is essential for safely moving to a more restrictive policy like p=quarantine or p=reject. Understanding the implications of using p=none is key for a successful DMARC deployment.
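A publisher-side check for the distinction drawn above, as an added example that is not part of the original article: it parses a DMARC TXT value and reports a record with no p tag as invalid, p=none as monitoring, and p=quarantine or p=reject as enforcing. The function names and sample records are constructed for illustration, and only the Python standard library is used.

```python
VALID_POLICIES = {"none", "quarantine", "reject"}

def parse_tags(record):
    """Split a DMARC TXT value into ordered (tag, value) pairs."""
    pairs = []
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue  # a trailing ';' leaves an empty segment
        tag, sep, value = part.partition("=")
        if not sep or not tag.strip():
            raise ValueError(f"malformed tag-value pair: {part!r}")
        pairs.append((tag.strip().lower(), value.strip()))
    return pairs

def lint_dmarc(record):
    """Return (status, detail); status is invalid, monitoring or enforcing."""
    try:
        pairs = parse_tags(record)
    except ValueError as exc:
        return "invalid", str(exc)
    if not pairs or pairs[0] != ("v", "DMARC1"):
        return "invalid", "v=DMARC1 must be the first tag"
    tags = {}
    for tag, value in pairs:
        if tag in tags:  # a repeated tag makes the record ambiguous
            return "invalid", f"duplicate tag {tag!r}"
        tags[tag] = value
    if "p" not in tags:
        return "invalid", "missing required p tag"
    policy = tags["p"].lower()
    if policy not in VALID_POLICIES:
        return "invalid", f"unknown p value {tags['p']!r}"
    if policy == "none":
        if "rua" not in tags:
            return "monitoring", "p=none without rua: no enforcement, no aggregate reports"
        return "monitoring", "p=none with rua: reports only, no enforcement"
    return "enforcing", f"mail failing DMARC is subject to {policy}"

# Constructed sample records; the first is the invalid record shown above.
SAMPLES = [
    "v=DMARC1; rua=mailto:reports@yourdomain.com;",
    "v=DMARC1; p=none; rua=mailto:reports@yourdomain.com",
    "v=DMARC1; p=quarantine; rua=mailto:reports@yourdomain.com",
    "p=reject; v=DMARC1",
]

if __name__ == "__main__":
    for rec in SAMPLES:
        print(lint_dmarc(rec), "<-", rec)
```

Running a check like this against the TXT value before publishing it at _dmarc.yourdomain.com catches a dropped p tag before any receiver sees the record.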
Why explicit declaration is vital
Always explicitly declare your DMARC policy using the p tag, even if you intend to start with p=none. An explicitly defined policy ensures that mail receivers correctly interpret your DMARC record and apply the desired actions. Omitting it can lead to your DMARC record being ignored, which undermines your email security efforts.
Best practice for DMARC policies
Even when starting with p=none, it's crucial to explicitly include this tag in your DMARC record. This ensures that your DMARC policy is recognized as valid and that you receive valuable DMARC reports, which are essential for monitoring and refining your email authentication. Think of p=none as your observation mode for DMARC adoption, allowing you to gather data before implementing stricter enforcement like p=quarantine or p=reject.
Moving from p=none to p=quarantine or p=reject should be a gradual process, guided by the data from your DMARC reports. This data helps you identify legitimate sending sources that might be failing DMARC and correct them before moving to a stronger policy. This staged approach is a widely recommended best practice to avoid legitimate emails being blocked or marked as spam.
p=none: Observation mode
No direct action: Emails failing DMARC are still delivered to the inbox.
Reporting: You receive aggregate reports, providing visibility into your email ecosystem.
Risk: No protection against spoofing or phishing while at this policy level.
p=quarantine/reject: Enforcement modes
Action: Emails failing DMARC are moved to spam or rejected entirely.
Reporting: Reports continue to provide data, highlighting the impact of your policy.
Protection: Significant reduction in email spoofing and phishing attempts for your domain.
Regardless of the p tag value, effective DMARC implementation hinges on continuous monitoring. DMARC reports provide essential visibility into your email traffic, showing which emails pass authentication, which fail, and from where they originate. This data is critical for refining your DMARC record, identifying legitimate sending services, and detecting unauthorized senders.
A robust DMARC monitoring solution transforms raw DMARC reports into actionable insights. Suped offers a leading DMARC reporting and monitoring platform designed to simplify this complex process. Our AI-Powered Recommendations don’t just show you data; they tell you exactly what actions to take to fix issues and strengthen your policy. This means you get clear, actionable advice on how to improve your email deliverability and security.
Suped provides real-time alerts, a Unified Platform for DMARC, SPF, and DKIM monitoring, SPF Flattening, and an MSP and Multi-Tenancy Dashboard. With a focus on actionable insights and a feature-rich free plan, Suped makes DMARC accessible and effective for all users, from SMBs to large enterprises and MSPs alike.
Always declare your DMARC policy
The DMARC p tag is fundamental to implementing effective email authentication and preventing spoofing. While there isn't a default value if the tag is omitted, mail servers will treat a record without it as invalid, resulting in no DMARC enforcement.
To ensure your DMARC policy is correctly applied and to gain the benefits of DMARC reporting and enforcement, always explicitly define the p tag, starting with p=none and gradually escalating to p=quarantine or p=reject as your data allows. This proactive approach strengthens your domain's security posture and improves overall email deliverability.