DMARC p=none vs quarantine vs reject: which policy should you use?

The p= tag in your DMARC record tells every mailbox provider in the world what to do with a message that claims to be from your domain but fails authentication. none means "just report it to me," quarantine means "spam-folder it," reject means "refuse it outright." Getting from none to reject safely is the whole game of DMARC deployment.

Updated July 13, 2026

p=none — monitoring mode

Nothing changes about delivery: spoofed mail still lands, failing mail still arrives. What you gain is visibility — receivers start sending you aggregate reports listing every server sending as your domain and whether it authenticated. p=none is the correct starting point, because you almost certainly have legitimate senders you've forgotten about, and an enforcing policy would silently break them.

The failure mode of p=none is staying there forever. It provides zero protection — it's a flight recorder, not a lock. Plan to be at enforcement within a few months, not years.

p=quarantine — the spam-folder policy

Failing mail goes to spam instead of the inbox. Real users rarely check spam, so this blocks most practical phishing — while leaving a recovery path if you misconfigured a legitimate sender. You can ramp gradually with pct=: p=quarantine; pct=25 applies the policy to a quarter of failing mail while you watch the reports.

p=reject — full enforcement

Failing mail is refused during delivery — the spoofed message never reaches the user in any folder, and the sender gets a bounce. This is the end state, the policy PCI DSS 4.0 auditors look for, and the only p= value that fully takes your domain off the table for spoofing.

How to move up without breaking real mail

  1. Publish p=none with a rua= reporting address (our DMARC generator builds the record).
  2. Collect 2–4 weeks of reports. Identify every legitimate source and fix its SPF or DKIM alignment.
  3. When aligned volume approaches 100% of legitimate mail, move to p=quarantine — with pct= if you want a gradual ramp.
  4. After 2–4 quiet weeks at quarantine, move to p=reject.

The judgment call in step 3 — "is everything legitimate actually aligned?" — is exactly what HealthCheck Email's enforcement-readiness simulator computes from your real report data, so you move up when the numbers say it's safe rather than when you feel brave.

Common questions

Is p=none better than no DMARC record at all?+

Meaningfully, yes. It gets you reporting (visibility you can't get any other way), it satisfies the Gmail/Yahoo bulk-sender requirement for having a DMARC record, and it's the mandatory first step to enforcement. But it blocks nothing by itself.

What does the pct= tag do?+

It applies your policy to a percentage of failing mail and treats the rest one level softer. p=quarantine; pct=25 quarantines a quarter of failures. One quirk: pct with p=reject downgrades the remainder to quarantine, not to none.

How long does the whole none → reject journey take?+

For a domain with a handful of senders, 4–8 weeks is typical: a couple of weeks observing, a couple of weeks fixing alignment, then stepped enforcement. Large organizations with many mail streams take longer — but the clock only starts when p=none goes up.

Will p=reject break mailing lists and forwarding?+

Mostly no, if DKIM is set up: DKIM signatures usually survive forwarding, and one aligned pass is all DMARC needs. Some mailing lists that rewrite messages do break DMARC — modern lists handle this by rewriting the From header for exactly this reason.