Policy
DMARC instruction for handling authentication failures: none, quarantine, or reject.
p=none monitors without action. p=quarantine sends failures to spam. p=reject blocks failures entirely. Start with none, progress through quarantine, end at reject. Subdomain policy (sp=) can differ from main domain policy.
Examplep=reject (block failures), p=quarantine (spam folder), p=none (monitor only)
Alignment
DMARC requirement that the From header domain matches the authenticated domain.
Strict alignment requires exact domain match. Relaxed alignment allows subdomains (mail.example.com passes for example.com). adkim= sets DKIM alignment mode, aspf= sets SPF alignment mode. Default is relaxed (r).
Exampleadkim=s (strict), aspf=r (relaxed)
Subdomain Policy (sp)
DMARC policy specifically for subdomains, separate from the main domain policy.
The sp= tag defines policy for subdomains. If not specified, subdomains inherit the main policy (p=). Setting sp=reject while main is p=quarantine enforces stricter rules on subdomains. Useful when subdomains shouldn't send email.
Examplesp=reject (block subdomain failures), sp=none (monitor subdomains)
Percentage (pct)
DMARC tag specifying what percentage of failing mail the policy applies to.
pct=100 (default) applies policy to all failures. pct=10 applies to only 10% of failures, useful during rollout. Gradually increase from pct=10 to pct=100 when moving to stricter policies. This reduces risk during enforcement.
Examplepct=25 (apply policy to 25% of failures)