
The DMARC policy is none, meaning that if both SPF and DKIM fail, nothing should be done about the email. Now, many email security gateways and spam filters will just have rules automatically blocking anything that fails SPF regardless, but you want to eventually get to `p=reject`.

Start with something like `p=quarantine; pct=25` to have 25% of reported DMARC policy failures be marked for quarantine. Review the reports after a week, and then ramp it up to 50%, 75%, 100% every few days. Then, if your domain is not having a significant percentage marked for quarantine in your DMARC reports after a week or two, switch to `p=reject; pct=100` and continue to monitor the reports to make sure everything is good.

DMARC is not bulletproof to people using your domain as spam, though, because even with a reject policy, if SPF fails but DKIM passes, DMARC will pass, or vice versa. It helps curb abuse and takes 15 minutes of effort to set up once, but it still is not enough to kill spam.
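The ramp-up and the either-mechanism pass rule described in the comment above, as an added example that is not part of the original comment. The function names and sample records are constructed for illustration, and the SPF/DKIM inputs are assumed to be already-aligned results from the receiver.

```python
# Added example; function names and sample records are constructed for illustration.
import random

VALID_POLICIES = ("none", "quarantine", "reject")

def parse_dmarc(record):
    """Parse a DMARC TXT record into {'p': policy, 'pct': int}, validating both tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record")
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        raise ValueError(f"invalid p= value: {policy!r}")
    pct_raw = tags.get("pct", "100")  # pct defaults to 100 when absent
    if not pct_raw.isdigit() or int(pct_raw) > 100:
        raise ValueError(f"invalid pct= value: {pct_raw!r}")  # bare integer 0-100 only
    return {"p": policy, "pct": int(pct_raw)}

def disposition(policy, spf_aligned_pass, dkim_aligned_pass, roll=None):
    """Return 'pass', 'none', 'quarantine' or 'reject' for one message.

    roll is an integer 0-99 standing in for the receiver's random sampling.
    """
    # DMARC passes if EITHER aligned SPF or aligned DKIM passes.
    if spf_aligned_pass or dkim_aligned_pass:
        return "pass"
    if policy["p"] == "none":
        return "none"  # report only, no action requested
    if roll is None:
        roll = random.randrange(100)
    if roll < policy["pct"]:
        return policy["p"]
    # Unsampled failures get the next-weaker action (RFC 7489 message sampling).
    return "quarantine" if policy["p"] == "reject" else "none"

if __name__ == "__main__":
    for rec in ("v=DMARC1; p=none", "v=DMARC1; p=quarantine; pct=25",
                "v=DMARC1; p=reject; pct=100"):
        pol = parse_dmarc(rec)
        counts = {}
        for roll in range(100):  # one failing message per possible roll
            d = disposition(pol, False, False, roll)
            counts[d] = counts.get(d, 0) + 1
        print(rec, "->", counts)
```
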



