DMARC Policies: None, Quarantine, Reject

DMARC gives you three policies that control what happens to emails that fail authentication. Choosing the right policy — and knowing when to upgrade — is the key to protecting your domain without breaking legitimate email.

👁️
p=none
Monitor & collect reports
Start here
📁
p=quarantine
Send failures to spam
After review
🛡️
p=reject
Block failing emails
Full protection

p=none — Monitor Mode

What happens: Emails that fail DMARC are delivered normally. But you receive daily reports showing all authentication results.

When to use:

  • You’re deploying DMARC for the first time
  • You’re not sure which services send email as your domain
  • You need to audit your email sources before enforcing

How long to stay here: 2-4 weeks minimum. Long enough to see a full reporting cycle and identify all legitimate senders.

v=DMARC1; p=none; rua=mailto:reports@dmarccloud.com

p=quarantine — Spam Mode

What happens: Emails that fail DMARC are sent to the recipient’s spam/junk folder instead of their inbox.

When to use:

  • Your reports show all legitimate senders are passing DMARC
  • You’ve fixed SPF and DKIM for all your email services
  • You want protection but with a safety net (emails aren’t lost, just in spam)

Pro tip — use pct= for gradual rollout:

v=DMARC1; p=quarantine; pct=10; rua=mailto:reports@dmarccloud.com

Start at 10%, monitor for a week, then increase to 25%, 50%, 100%.

p=reject — Full Protection

What happens: Emails that fail DMARC are blocked entirely. The recipient never sees them — not even in spam.

When to use:

  • You’ve been on quarantine with 100% and no legitimate email is being affected
  • You want maximum protection against spoofing
  • You’re required to for compliance (Google/Yahoo sender requirements, PCI DSS 4.0)
⚠️ Warning: With p=reject, emails from misconfigured legitimate senders will be silently dropped. The sender won’t know their email wasn’t delivered. Make absolutely sure all your senders are authenticated before enabling reject.
v=DMARC1; p=reject; sp=reject; rua=mailto:reports@dmarccloud.com

The Enforcement Journey

Phase Record Duration Action
1. Monitor p=none 2-4 weeks Review reports, identify all senders
2. Fix p=none 1-2 weeks Add SPF/DKIM for all legitimate senders
3. Soft enforce p=quarantine; pct=10 1 week Test with small percentage
4. Increase p=quarantine; pct=50 1 week Expand, check for issues
5. Full quarantine p=quarantine 2 weeks Confirm 100% works
6. Reject p=reject Ongoing Maximum protection ✓

Subdomain Policy (sp=)

Don’t forget about subdomains! Attackers often spoof subdomains like billing.yourdomain.com or support.yourdomain.com even if the main domain is protected.

If you don’t set sp=, subdomains inherit the main p= policy. You can also set them independently — for example:

v=DMARC1; p=reject; sp=none; rua=mailto:reports@dmarccloud.com

Main domain fully protected, subdomains in monitoring mode (useful during migration).

Start your enforcement journey

Generate a DMARC record with monitoring enabled. Free, takes 2 minutes.

Generate DMARC Record →

Related

DMARC Record Explained →
Every tag and value


How to Implement DMARC →
Step-by-step guide


Common DMARC Mistakes →
Avoid these pitfalls