
DMARC Policy: None vs Quarantine vs Reject Explained

DMARC (Domain-based Message Authentication, Reporting & Conformance) is the final piece of email authentication. While SPF and DKIM verify that emails are legitimate, DMARC tells receiving servers what to do when those checks fail.

The key setting is the p= tag in your DMARC record, which has three possible values: none, quarantine, and reject. Choosing the right one matters — set it too aggressively too early and you'll block your own emails. Leave it too loose and you're not actually protecting anything.

The three DMARC policies

p=none (Monitor only)

v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com

With p=none, you're telling receiving servers: "I'm publishing a DMARC record, but don't take any action on failing emails. Just send me reports."

When to use it:

  • You're just starting with DMARC
  • You need to discover all legitimate email sources before enforcing
  • You want to collect DMARC aggregate reports (rua) to understand your email ecosystem

The risk: It doesn't actually protect your domain. Anyone can still spoof emails from your domain and they'll be delivered normally. It's purely observational.

p=quarantine (Flag suspicious emails)

v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com

With p=quarantine, emails that fail both SPF and DKIM alignment are sent to the recipient's spam or junk folder instead of the inbox.

When to use it:

  • You've been on p=none long enough to identify all legitimate senders
  • You've configured SPF and DKIM for all your email sources
  • You want to start enforcing without the risk of hard rejections

The risk: Misconfigured legitimate senders will have their emails land in spam. This is better than reject because the emails still exist — the recipient can find them if needed.

p=reject (Block spoofed emails)

v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com

With p=reject, emails that fail authentication are silently dropped. The recipient never sees them.

When to use it:

  • All your legitimate email sources pass SPF and DKIM
  • You've been on quarantine with no issues
  • You want maximum protection against spoofing and phishing

The risk: If a legitimate email source isn't properly configured, those emails will be permanently lost — not just sent to spam, but rejected entirely. There's no recovery.

The DMARC deployment path

The recommended approach is a phased rollout:

Phase 1: Monitor (2-4 weeks)

  1. Publish a DMARC record with p=none and a rua reporting address
  2. Collect aggregate reports for 2-4 weeks
  3. Identify every service sending email as your domain
  4. Fix SPF and DKIM for each one

Phase 2: Quarantine with percentage (2-4 weeks)

  1. Move to p=quarantine; pct=10 — only quarantine 10% of failing emails
  2. Monitor for false positives (legitimate emails hitting spam)
  3. Gradually increase: pct=25, then pct=50, then pct=100

Phase 3: Reject (ongoing)

  1. Once quarantine at 100% shows no issues, move to p=reject
  2. Start with pct=10 again for safety
  3. Ramp up to full reject
  4. Continue monitoring reports — new email services get added over time

Important DMARC tags beyond p=

rua (Aggregate reports)

rua=mailto:dmarc@yourdomain.com

Tells receiving servers where to send daily aggregate reports. These XML reports show which IPs sent email as your domain and whether they passed or failed authentication. Without rua, you're flying blind.

sp (Subdomain policy)

sp=reject

Sets a separate policy for subdomains. Useful if your main domain needs quarantine but you want to reject on subdomains you don't use for email.

pct (Percentage)

pct=25

Applies the policy to only a percentage of failing messages. The rest fall back to the next lower policy. This is your safety net during rollout.

adkim and aspf (Alignment mode)

adkim=s; aspf=s

Sets strict (s) or relaxed (r) alignment. Strict requires an exact domain match; relaxed allows subdomains to align. Start with relaxed (the default) and move to strict once you're confident.

Common mistakes

Publishing p=none and forgetting about it. Many domains have had p=none for years. It provides zero protection. Set a calendar reminder to move to quarantine after reviewing your reports.

Going straight to p=reject without monitoring. You will almost certainly block legitimate emails from a forgotten SaaS tool, forwarding service, or marketing platform.

Missing the rua tag. Without aggregate reports, you have no visibility into what's passing or failing. Always include a reporting address.

Not configuring subdomain policy. If you set p=reject on your root domain but don't set sp=, subdomains default to the main policy. If you have subdomains that send email, make sure they're configured too.
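How the tags above combine, and which of these mistakes show up in the record itself, as an added example that is not part of the original post. The function names are hypothetical and the records are constructed samples; the sp= inheritance, the pct= fallback and the relaxed alignment default follow the descriptions in this article.

```python
POLICIES = ("none", "quarantine", "reject")  # ordered weakest to strongest

def parse_dmarc(txt):
    """Split a DMARC TXT record into {tag: value}; reject records without v= and p=."""
    tags = {}
    for part in txt.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p", "").lower() not in POLICIES:
        raise ValueError("need v=DMARC1 and p=none|quarantine|reject")
    return tags

def effective_policy(txt, subdomain=False):
    """Policy a receiver applies to failing mail from the domain or one of its subdomains."""
    tags = parse_dmarc(txt)
    # sp= overrides p= for subdomains; without sp= they inherit p=.
    policy = (tags.get("sp", tags["p"]) if subdomain else tags["p"]).lower()
    if policy not in POLICIES:
        raise ValueError("sp= must be none, quarantine or reject")
    return {
        "policy": policy,
        "pct": int(tags.get("pct", 100)),
        # Failing messages outside the pct sample get the next lower policy.
        "rest": POLICIES[max(POLICIES.index(policy) - 1, 0)],
        "adkim": tags.get("adkim", "r"),
        "aspf": tags.get("aspf", "r"),
    }

def findings(txt):
    """Flag the mistakes listed above that are visible in the record itself."""
    tags, out = parse_dmarc(txt), []
    if tags["p"].lower() == "none":
        out.append("p=none: monitoring only, spoofed mail is still delivered")
    if "rua" not in tags:
        out.append("no rua=: no aggregate reports, no visibility")
    if "sp" not in tags:
        out.append(f"no sp=: subdomains inherit p={tags['p'].lower()}")
    return out

if __name__ == "__main__":
    rec = "v=DMARC1; p=quarantine; sp=reject; pct=25; rua=mailto:dmarc@yourdomain.com"
    print(effective_policy(rec))
    print(effective_policy(rec, subdomain=True))
    print(findings("v=DMARC1; p=none"))
```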

Check your DMARC setup

Run a free PulseCheck scan to instantly see your current DMARC policy, whether reporting is configured, and what your SPF and DKIM status looks like. Takes 5 seconds, no signup required.
