Feature Request: Respect DMARC "p=reject" Policy for Custom Domains
I'm writing to suggest an improvement to Proton Mail's handling of DMARC policies. Currently, when an incoming email fails DMARC validation for a domain with a p=reject policy, Proton Mail always delivers it to the Spam folder instead of rejecting it at the SMTP level.
While I understand this "soft" approach prevents legitimate mail loss due to misconfiguration (as permitted by RFC 7489 Section 6), it also diminishes the security value of a "Reject" policy for domain owners who want to strictly prevent spoofing.
Proposed Phased Implementation:
Phase 1 (Internal Custom Domains): Exclusively allow Proton Mail Custom Domain From Addresses to apply their DMARC Reject Policy (if applicable). Since these users manage their own DNS records, they expect higher security standards. By rejecting failed emails at the gateway, you can provide them with the precise protection they've configured.
Benefit: This minimizes the impact on general "mailing list" senders while significantly boosting security for Proton's paid users.
Phase 2 (Advanced): Provide a toggle on one of the settings pages allowing paid users (or all users) to opt in to "Strict DMARC Reject Policy Enforcement."
Why this matters: True DMARC rejection prevents sensitive "Business Email Compromise" (BEC) attacks from ever reaching the user's mailbox. Forcing these into the Spam folder still leaves the user vulnerable to social engineering if they check their Junk mail.
As a privacy and security-focused service, Proton Mail should be the ideal platform to lead the way in honoring domain owners' explicit security intents.
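To make the difference between the two behaviours concrete, here is an added example (not Proton Mail's code, and not part of the original request) of the decision a receiving mail server makes once SPF and DKIM have been evaluated: it parses the sender's DMARC TXT record, checks identifier alignment under the record's `adkim`/`aspf` modes, and maps the result to a disposition. The `strict_reject` flag stands in for the per-domain or per-user opt-in proposed above; without it a `p=reject` failure is downgraded to the Spam folder, with it the message is refused. The `AuthResult` structure, the function names and the sample inputs are assumptions made for this example; organisational-domain derivation and `pct` sampling are deliberately simplified.

```python
"""Added example: DMARC disposition with and without strict p=reject enforcement.

Not Proton Mail code. AuthResult, the helper names and the inputs below are
assumptions made for illustration only.
"""
from dataclasses import dataclass


@dataclass
class AuthResult:
    """Outcome of the SPF and DKIM checks already run on one message (assumed shape)."""
    header_from_domain: str   # domain of the RFC5322.From header
    spf_pass: bool
    spf_domain: str           # MAIL FROM / HELO domain that SPF authenticated
    dkim_pass: bool
    dkim_domain: str          # d= tag of a passing DKIM signature, "" if none


def parse_dmarc(txt: str):
    """Parse a DMARC TXT record into a tag dict; return None if it is not a DMARC record."""
    tags = {}
    for part in txt.split(";"):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return None
    # RFC 7489 defaults: relaxed alignment for both identifiers, apply to 100% of mail
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    tags.setdefault("pct", "100")
    return tags


def org_domain(domain: str) -> str:
    """Simplified organisational domain: last two labels.
    A real receiver must use the Public Suffix List (e.g. for co.uk)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r') a shared org domain."""
    if not auth_domain:
        return False
    a, f = auth_domain.lower(), from_domain.lower()
    if mode.lower() == "s":
        return a == f
    return org_domain(a) == org_domain(f)


def dmarc_verdict(record: str, r: AuthResult):
    """Return (result, policy): result is 'pass', 'fail' or 'none' (no DMARC record)."""
    policy = parse_dmarc(record)
    if policy is None:
        return "none", "none"
    spf_ok = r.spf_pass and aligned(r.spf_domain, r.header_from_domain, policy["aspf"])
    dkim_ok = r.dkim_pass and aligned(r.dkim_domain, r.header_from_domain, policy["adkim"])
    # DMARC passes if at least one aligned identifier authenticated
    return ("pass" if (spf_ok or dkim_ok) else "fail"), policy["p"].lower()


def disposition(record: str, r: AuthResult, strict_reject: bool = False) -> str:
    """Map the DMARC verdict to 'deliver', 'spam' or 'reject' (SMTP 5xx at the gateway).

    strict_reject=False models the current behaviour described in the request:
    a p=reject failure is only quarantined. strict_reject=True models the
    proposed opt-in, where the domain owner's published policy is honoured.
    pct sampling is ignored here for simplicity (treated as pct=100).
    """
    result, p = dmarc_verdict(record, r)
    if result != "fail":          # pass, or no DMARC record published at all
        return "deliver"
    if p == "quarantine":
        return "spam"
    if p == "reject":
        return "reject" if strict_reject else "spam"
    return "deliver"              # p=none: monitoring only


if __name__ == "__main__":
    # Constructed sample: a spoofed message whose SPF passes for the attacker's own
    # bounce domain but is not aligned with the From: domain, and no DKIM signature.
    record = "v=DMARC1; p=reject; adkim=s; aspf=r"
    spoof = AuthResult("example.com", True, "attacker.invalid", False, "")
    print("current behaviour:", disposition(record, spoof))
    print("strict enforcement:", disposition(record, spoof, strict_reject=True))
```

Run stand-alone, the script shows the same spoofed message landing in Spam under the current behaviour and being refused under strict enforcement. Note that a rejection happens at SMTP time, before any mailbox is involved, which is what keeps the message away from a user who reads their Junk folder.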