DMARC Policy: None vs Quarantine vs Reject
DMARC policies define how receivers should treat emails that fail authentication and alignment. Domains usually begin with p=none for monitoring, then move to stricter enforcement once they have identified all legitimate senders and confirmed that SPF or DKIM aligns correctly.
One-Minute Fix
Start with p=none while you monitor real traffic, then move to quarantine and finally reject only after legitimate senders are fully aligned.
v=DMARC1; p=none; rua=mailto:dmarc@example.com
The safest rollout pattern is none first, then quarantine, then reject. Tightening too early can break legitimate mail.
Wrong vs correct setup
Wrong setup
v=DMARC1; p=reject; rua=mailto:dmarc@example.com
This can be too aggressive if you have not yet confirmed that every legitimate sender passes SPF or DKIM alignment. Real mail can be rejected before you finish the rollout.
Correct setup
v=DMARC1; p=none; rua=mailto:dmarc@example.com
This is the correct starting point for most domains. It gives you visibility into failures without blocking real mail, so you can move to stricter enforcement gradually.
Why policy levels exist
DMARC enforcement is designed to roll out gradually. Many domains have legacy tools, third-party senders, or subdomains that authenticate differently. Monitoring first helps you identify real traffic before quarantine or reject starts affecting delivery.
Policy comparison
- p=none monitors authentication failures but does not block mail.
- p=quarantine tells receivers to treat failing mail as suspicious, often routing it to spam.
- p=reject tells receivers not to accept failing mail at all.
- Moving to stricter policies too early can disrupt legitimate email.
How this affects deliverability
Receivers trust domains more when DMARC enforcement is deliberate and stable. A careful rollout improves security without accidentally breaking transactional, marketing, or support mail.
Common causes
- Teams copied a strict p=reject template without auditing mail flow.
- A domain stayed on p=none for too long and never moved forward.
- Legitimate senders were never fully aligned before enforcement increased.
- DMARC reporting was ignored during rollout.
What we checked
We reviewed the current p= value in the DMARC record and whether the chosen policy level matches the maturity of the domain's authentication setup.
FAQ
Is p=reject always best?
Only when you are confident that legitimate mail is fully covered by aligned SPF or DKIM. Reject is powerful, but it can block real mail if deployed too early.
What does p=quarantine usually do?
It tells receivers to treat failing messages as suspicious. In practice, that often means spam-folder placement rather than full rejection.
How long should I stay on p=none?
Long enough to understand real traffic and confirm legitimate senders, but not forever. Once reports are clean, move gradually toward enforcement.
Next steps
- Confirm that all legitimate senders pass aligned SPF or DKIM.
- Start or remain on p=none while reviewing reports.
- Move to p=quarantine once you understand the real mail flow.
- Move to p=reject only after legitimate failures are resolved.
- Re-check policy behavior after each enforcement change.
- Review the full troubleshooting guidance in the DMARC Hub.
- Explore sender authorization issues in the SPF Hub.
- Check signing and selector issues in the DKIM Hub.
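The rollout gate described in the steps above, as an added example that is not part of the original page: it reads a constructed aggregate report in the RFC 7489 layout and advances the policy one step only when no known legitimate sender fails both aligned SPF and DKIM. The function names, the `known_senders` set and the sample IP addresses are assumptions for illustration.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample in the RFC 7489 aggregate-report layout (not real traffic).
SAMPLE_REPORT = """<feedback>
  <policy_published><domain>example.com</domain><p>none</p></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>940</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>55</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
  <record><row><source_ip>203.0.113.99</source_ip><count>5</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row></record>
</feedback>"""

ORDER = ["none", "quarantine", "reject"]  # rollout sequence from the page

def parse_record(txt):
    """Split a DMARC TXT value into a tag dict and validate v= and p=."""
    pairs = (p.strip().split("=", 1) for p in txt.split(";") if "=" in p)
    tags = {k.strip().lower(): v.strip() for k, v in pairs}
    if tags.get("v") != "DMARC1" or tags.get("p") not in ORDER:
        raise ValueError("not a valid DMARC record")
    return tags

def failing_sources(report_xml):
    """Return {source_ip: message count} for rows failing both aligned SPF and DKIM."""
    fails = defaultdict(int)
    # Reports come from third parties; use a hardened XML parser in production.
    for row in ET.fromstring(report_xml).iter("row"):
        ev = row.find("policy_evaluated")  # alignment-aware results
        if ev.findtext("dkim") != "pass" and ev.findtext("spf") != "pass":
            fails[row.findtext("source_ip")] += int(row.findtext("count"))
    return dict(fails)

def next_policy(txt, report_xml, known_senders):
    """Advance one step only if no known legitimate sender fails DMARC."""
    current = parse_record(txt)["p"]
    blocked = {ip: n for ip, n in failing_sources(report_xml).items()
               if ip in known_senders}
    if blocked or current == "reject":
        return current, blocked  # stay put; fix alignment for these sources first
    return ORDER[ORDER.index(current) + 1], blocked
```

A source that fails DMARC but is not in `known_senders` does not hold the rollout back, since that is the mail enforcement is meant to stop.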