DMARC Policy Explained: None vs Quarantine vs Reject

DMARC Policy None Quarantine Reject

Your DMARC policy tells receiving email servers what to do when messages fail authentication. Understanding the difference between p=none, p=quarantine, and p=reject is crucial for implementing DMARC correctly.

This guide explains each policy level, when to use them, and how to safely progress to full enforcement.

The Three DMARC Policies

p=none (Monitor Only)

What it does: Emails are delivered normally regardless of authentication results.

Why use it:

  • Starting point for all DMARC implementations
  • Collects data without risking legitimate email
  • Reveals all sources sending as your domain
  • Identifies authentication issues before enforcement

Example record:

v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com

p=quarantine

What it does: Failing emails are sent to spam/junk folder instead of inbox.

Why use it:

  • Provides protection while allowing recovery of false positives
  • Recipients can still find legitimate emails in spam
  • Good intermediate step before reject
  • Satisfies many compliance requirements

Example record:

v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com

p=reject

What it does: Failing emails are blocked entirely—not delivered at all.

Why use it:

  • Maximum protection against domain spoofing
  • Completely prevents unauthorized emails from reaching recipients
  • Ultimate goal for most organizations
  • Required by some security frameworks

Example record:

v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com

Policy Comparison

Aspect p=none p=quarantine p=reject
Email delivery Normal To spam folder Blocked
Protection level None Medium Maximum
Risk of blocking legitimate email None Low (recoverable) High if misconfigured
Best for Starting out After monitoring Full enforcement
Reports generated Yes Yes Yes

The Percentage Tag (pct=)

The pct tag lets you apply policy to only a percentage of failing emails:

v=DMARC1; p=quarantine; pct=10; rua=mailto:dmarc@yourdomain.com

This applies quarantine to only 10% of failing emails—the other 90% are delivered normally (as if p=none).

Why Use pct

  • Gradual rollout reduces risk
  • Test enforcement on small percentage first
  • Catch problems before they affect all email

Recommended Progression

  1. pct=10 – Test with 10%
  2. pct=25 – Increase if no issues
  3. pct=50 – Half of failing emails
  4. pct=100 – Full enforcement (or remove pct, as 100 is default)

The Subdomain Policy (sp=)

The sp tag sets policy for subdomains (mail.domain.com, app.domain.com, etc.):

v=DMARC1; p=quarantine; sp=reject; rua=mailto:dmarc@yourdomain.com

Why Subdomain Policy Matters

  • Attackers often target subdomains that don't send email
  • You may want stricter policy on unused subdomains
  • Without sp=, subdomains inherit the main domain policy

Common Strategy

Use sp=reject for subdomains that don't send email, even if your main domain is at p=quarantine.

Safe Policy Progression

Phase 1: Monitor (2-4 weeks minimum)

v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com

  • Collect aggregate reports
  • Identify all legitimate sending sources
  • Fix SPF and DKIM issues
  • Ensure all services pass authentication

Phase 2: Gradual Quarantine (2-4 weeks)

Start: v=DMARC1; p=quarantine; pct=10; rua=mailto:dmarc@yourdomain.com

  • Monitor for delivery complaints
  • Check reports for unexpected failures
  • Gradually increase pct (10 → 25 → 50 → 100)

Phase 3: Full Quarantine (1-2 weeks)

v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com

  • All failing emails go to spam
  • Verify no legitimate email is affected
  • Monitor reports and complaints

Phase 4: Reject (Final)

v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@yourdomain.com

  • Maximum protection achieved
  • Continue monitoring reports
  • Update when adding new email services

What If Legitimate Email Gets Blocked?

At p=quarantine

  • Emails go to spam—users can still find them
  • Ask users to check spam folder
  • Identify the failing service from DMARC reports
  • Fix authentication before proceeding to reject

At p=reject

  • Emails are blocked—no recovery
  • Users won't receive them at all
  • You may not know immediately
  • This is why gradual progression is critical

Recovery Steps

  1. Temporarily lower policy (p=quarantine or p=none)
  2. Identify the failing service from reports
  3. Fix SPF/DKIM/alignment for that service
  4. Verify fixes in reports
  5. Re-increase enforcement

Common Scenarios

Just Starting Out

Use p=none with reporting. Never start with quarantine or reject.

Meeting Google/Yahoo Requirements

p=none satisfies the current minimum requirement, but stricter policies may be required in the future.

Security-Focused Organization

Progress to p=reject for maximum protection. Consider strict alignment (adkim=s; aspf=s).

Multiple Subdomains

Use sp=reject for subdomains that don't send email:

v=DMARC1; p=quarantine; sp=reject; rua=mailto:dmarc@yourdomain.com

Policy and Email Deliverability

Having a DMARC policy (even p=none) signals to receiving servers that you care about email authentication. Stronger policies can improve deliverability for legitimate email:

  • p=none: Shows you're monitoring
  • p=quarantine: Shows you're actively protecting
  • p=reject: Shows maximum commitment to authenticity

Summary

  • p=none: Start here. Monitor and collect data.
  • p=quarantine: Second step. Failed emails go to spam.
  • p=reject: Final goal. Failed emails are blocked.
  • pct=: Gradual rollout of policy.
  • sp=: Separate policy for subdomains.

Progress slowly, monitor reports, and fix issues before increasing enforcement. The goal is protection without blocking legitimate email.

For implementation details, see our DMARC setup guide and complete authentication guide.

Related Resources

0 comments

Leave a comment

Please note, comments need to be approved before they are published.