DMARC Policy Guide: None vs Quarantine vs Reject

When to set each DMARC policy, the rollout plan we recommend, and the most common pitfalls that bite teams moving to reject.

BounceBlocker Team · 10 min read

DMARC is the policy layer that sits on top of SPF and DKIM. It tells the world's mail receivers two things: what to do when a message fails authentication, and where to send reports. The "what to do" part is the policy — and choosing the right one matters more than people realize.

The three policies, summarized

Policy        | What it does                      | When to use it
p=none        | No enforcement. Reports only.     | First 4–8 weeks, while discovering legit senders.
p=quarantine  | Failing mail → spam folder.       | Middle stage. Catching the worst spoofs while limiting risk.
p=reject      | Failing mail → rejected at SMTP.  | Final stage. Strongest protection. Once aligned.

Why you can't start with reject

It's tempting to skip straight to p=reject for maximum protection. Don't. The reason is alignment.

DMARC doesn't just check that SPF or DKIM passed — it checks that the domain they authenticated is aligned with the From: domain your users see. A lot of legitimate senders pass SPF/DKIM but fail alignment because:

  • Marketing tools send from <random>.com in the envelope but use your From: address.
  • Forwarders rewrite envelope headers but keep the original From:.
  • Mailing lists strip DKIM signatures.

If you go straight to reject, you'll silently lose mail. The reports tell you who's failing — and you fix those senders before tightening the policy.

The rollout plan we recommend

Week 0: Publish p=none with reports

v=DMARC1; p=none; rua=mailto:reports@yourdomain.com; pct=100;

This collects aggregate reports without changing how mail is treated. Use a DMARC report parser (Postmark, Valimail, dmarcian — or build your own) to digest the XML.

Weeks 1–4: Identify all your legitimate senders

Reports come in daily. For each sender that's failing, decide: legitimate but misaligned? Add proper SPF includes or DKIM signing. Unauthorized? Investigate and shut down.

Weeks 4–6: Move to p=quarantine

Start with pct=10 to enforce on 10% of mail. Watch reports for sudden spikes in fails. If clean, ramp to pct=50, then pct=100.

Weeks 6–8: Move to p=reject

Same ramp pattern: pct=10, then pct=50, then pct=100. By the time you hit 100%, you've validated every legitimate sender.
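
The Weeks 1–4 triage can be scripted. The following is an added example, not BounceBlocker's code: it sorts each source IP in an aggregate report into aligned, misaligned (SPF or DKIM passed, but for a different domain) or unauthenticated, and totals the mail that would fail at full enforcement. The sample report is constructed and assumes the un-namespaced RFC 7489 layout; the function names are illustrative.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample in the RFC 7489 aggregate-report layout (documentation IPs/domains).
SAMPLE = """<feedback>
 <policy_published><domain>example.com</domain><p>none</p></policy_published>
 <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
   <policy_evaluated><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim>
   <spf><domain>mailer.example.net</domain><result>pass</result></spf></auth_results></record>
 <record><row><source_ip>198.51.100.7</source_ip><count>40</count>
   <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results><dkim><domain>esp.example.net</domain><result>pass</result></dkim>
   <spf><domain>esp.example.net</domain><result>pass</result></spf></auth_results></record>
 <record><row><source_ip>203.0.113.99</source_ip><count>5</count>
   <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results><spf><domain>example.org</domain><result>fail</result></spf></auth_results></record>
</feedback>"""

def triage(report_xml):
    """Return {(source_ip, verdict): message_count} for one aggregate report."""
    totals = Counter()
    for rec in ET.fromstring(report_xml).iter("record"):
        row = rec.find("row")
        evaluated = row.find("policy_evaluated")
        # policy_evaluated holds the *aligned* results; either one passing means DMARC pass.
        aligned = "pass" in (evaluated.findtext("dkim"), evaluated.findtext("spf"))
        # auth_results holds the raw SPF/DKIM results, whatever domain they authenticated.
        raw = [a.findtext("result") for a in rec.find("auth_results")]
        if aligned:
            verdict = "aligned"
        elif "pass" in raw:
            verdict = "misaligned"       # authenticated as another domain: fix SPF/DKIM
        else:
            verdict = "unauthenticated"  # nothing passed: investigate the source
        totals[(row.findtext("source_ip"), verdict)] += int(row.findtext("count"))
    return dict(totals)

def would_be_blocked(report_xml):
    """Messages that would fail DMARC once enforcement reaches pct=100."""
    return sum(n for (_, v), n in triage(report_xml).items() if v != "aligned")

if __name__ == "__main__":
    for (ip, verdict), n in sorted(triage(SAMPLE).items()):
        print(f"{ip:15} {verdict:15} {n}")
```

Aggregate reports arrive from third parties, so a production parser should read them with a hardened XML library such as defusedxml rather than the standard-library parser used here.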

Common pitfalls

Forgetting subdomains

If you don't set sp= (subdomain policy), DMARC applies your top-level policy to subdomains too — even ones whose mail isn't aligned. Use sp=reject to lock down unused subdomains.

Reporting destination overwhelmed

DMARC reports can be voluminous (thousands per day for active domains). Make sure your rua= address can handle the volume, or use a dedicated report parser.

Missing fo= for forensic reports

If you want per-failure detail (very few receivers send these anymore), set fo=1 with a ruf= address. Useful for active incident response.

How to verify your setup

Use our DMARC Checker to inspect any domain's record. We surface the policy, coverage, and report destinations — plus plain-English warnings about misconfigurations.
