Setting a DMARC Policy

Ingrid

When setting a DMARC policy for a domain, we recommend the following:

Start from no enforcement or limited enforcement and then gradually move to full enforcement. Though no enforcement and limited enforcement allow for the delivery of spoofed emails and do not result in a GOOD finding grade, they can still ensure that the defined policy is not preventing legitimate emails from being delivered. Learn how DMARC findings are graded.

Use the rua and ruf DMARC tags for reporting during initial stages to allow for verifying the effectiveness of the policy. However, reporting is not mandatory for an effective policy and for a GOOD finding grade.

Please note that going from no enforcement to a limited or full enforcement policy may interrupt existing email delivery.

No Enforcement

To avoid inadvertently blocking legitimate email in the initial rollout, use a passthrough policy (p=none) and configure reporting (rua=mailto:example@company.com). This allows for the monitoring of authentication statistics without actually acting upon authentication failures.

Grading

Since no enforcement is ineffective and does not protect against spoofing, it is graded BAD.

Example

v=DMARC1; p=none; rua=mailto:example@company.com

Limited Enforcement

Use an active DMARC policy (p=quarantine or p=reject) and have it act on only a subset of illegitimate emails from the domain (pct=10).

Grading

While not discarded, such emails are forwarded to a spam or junk folder or are otherwise marked to indicate the authentication failure to the recipient. However, some confirmed fraudulent emails can end up being delivered since the pct tag specifies a value less than 100.

The best grade when using a non-maximum pct value is FAIR.

The best grade when using pct≤50 is WARN.
Example

The following record tells mail servers to apply the quarantine policy to 10% of all emails that fail DMARC.

v=DMARC1; p=quarantine; pct=10; rua=mailto:example@company.com

Full Enforcement

While reporting is essential for the passthrough policy (p=none), it is optional for active policies.

Grading

For DMARC records to be graded GOOD:

An active policy must be used (p=reject or p=quarantine) and the policy must act on all authentication failures (pct=100).

Any existing third-party reporting domains must be associated with a valid authorization record.

Examples

In the following record examples, the no reporting and self-reporting records are graded as GOOD. The third-party reporting record is graded GOOD as long as thirdparty.com authorizes company.com by way of an authorization record that is set to v=DMARC1;.

no reporting:
v=DMARC1; p=quarantine

self-reporting:
v=DMARC1; p=reject; rua=mailto:example@company.com

third-party reporting:
v=DMARC1; p=reject; rua=mailto:example@thirdparty.com

February 3, 2026: Noted that upgrading policy enforcement might interrupt existing email delivery.

January 20, 2026: DMARC Risk Vector is recategorized from a temporarily non-graded risk vector to informational and does not affect Bitsight Security Ratings.
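The grading rules in the sections above can be checked against a record before it is published. The following is an added example, not Bitsight's grader or code from this article: the function names are hypothetical, the grade returned is the best grade the rules above allow, and the authorization record name follows RFC 7489 section 7.1. It assumes a report address on the same domain or a subdomain counts as internal.

```python
import re

def parse_dmarc(record):
    """Split a DMARC TXT record into a dict of lowercase tag -> value."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record")
    return tags

def external_report_checks(domain, tags):
    """DNS names of the authorization records that must publish v=DMARC1
    for every rua/ruf destination outside `domain`."""
    checks = []
    for tag in ("rua", "ruf"):
        for uri in tags.get(tag, "").split(","):
            # A mailto URI may carry a size limit suffix such as "!10m".
            m = re.match(r"\s*mailto:[^@\s]+@([^!\s]+)", uri, re.I)
            if not m:
                continue
            dest = m.group(1).lower().rstrip(".")
            # Assumption: same domain or a subdomain is not third party.
            if dest != domain and not dest.endswith("." + domain):
                name = f"{domain}._report._dmarc.{dest}"
                if name not in checks:
                    checks.append(name)
    return checks

def best_grade(domain, record):
    """Return (best grade under the article's rules, authorization records
    to verify). GOOD holds only if every listed record exists."""
    tags = parse_dmarc(record)
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        raise ValueError("missing or invalid p tag")
    pct = int(tags.get("pct", "100"))  # pct defaults to 100 when absent
    if policy == "none":
        grade = "BAD"        # no enforcement
    elif pct <= 50:
        grade = "WARN"       # limited enforcement, pct<=50
    elif pct < 100:
        grade = "FAIR"       # limited enforcement, non-maximum pct
    else:
        grade = "GOOD"       # full enforcement
    return grade, external_report_checks(domain.lower(), tags)
```

Each name in the returned list is a TXT record to look up on the third party's side; a record listing an external rua or ruf address is not GOOD until those lookups return v=DMARC1.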