
DMARC Policy: p=none vs quarantine vs reject

Your DMARC policy tells the world what to do with mail that fails authentication, and choosing the wrong one either leaves you exposed or quietly drops your legitimate email.

The GTM100x Team · January 6, 2026 · 9 min read
KEY TAKEAWAYS
  • The DMARC p= tag tells receivers what to do with mail that fails authentication: nothing, quarantine, or reject.
  • Start at p=none to collect reports, then move to quarantine and finally reject as you confirm legitimate sources pass.
  • Reject is the strongest protection and increasingly expected by major mailbox providers, but only safe after monitoring.
  • Jumping straight to reject without monitoring can silently kill your own legitimate email.

DMARC is the layer that ties SPF and DKIM together and tells the receiving mail server what to do when a message claiming to be from your domain fails those checks. The single most important decision in a DMARC record is the policy tag, p=, and most domains either get it wrong or never advance past the safest, weakest setting.

This post explains the three policy values, shows real record examples, and lays out the safe path from monitoring to full enforcement. If you have not set up the underlying authentication yet, start with our SPF, DKIM, and DMARC setup guide first.

What the policy tag actually controls

A DMARC record is a TXT record at _dmarc.yourdomain.com. The p= tag is the instruction to receivers. It only applies to mail that fails DMARC, meaning neither SPF nor DKIM produced a pass that aligns with the domain in the From header. Mail that passes is unaffected by your policy.

Host: _dmarc.example.com
Type: TXT
Value: v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com

The three legal values for p= are none, quarantine, and reject. Each tells receivers to do something more aggressive with failing mail than the last.

The three policies, compared

| Policy | What receivers do with failing mail | Protection level | Risk to your mail |
|---|---|---|---|
| p=none | Deliver normally, just report it | None (monitoring only) | None |
| p=quarantine | Deliver to spam or junk | Moderate | Some, if a real source fails |
| p=reject | Block the message outright | Strong | High, if a real source fails |

Notice that p=none provides zero protection against spoofing. It is purely a monitoring mode. Many domains set it once and never move on, believing they are protected. They are not; they are only watching.

p=none is not a destination

Leaving your domain at p=none indefinitely means anyone can spoof your domain and receivers will still deliver it. It is the starting line, not the finish. The whole point of DMARC is to eventually enforce.

p=none: collect the data first

Always start here. With p=none, receivers deliver mail as normal but send you aggregate reports (the rua address) listing every source sending mail as your domain and whether it passed SPF and DKIM. This is how you discover the legitimate services you forgot about: your CRM, your invoicing tool, your help desk, your marketing platform.

Run p=none until your reports show that every legitimate sender is authenticating correctly. Rushing past this step is how teams accidentally block their own mail.

p=quarantine: the cautious middle

Once your reports look clean, advance to quarantine. Failing mail now lands in the spam folder rather than the inbox. This protects most recipients from spoofed messages while giving you a softer failure mode than outright blocking.

You can ease in with the pct tag, applying the policy to only a percentage of failing mail while you watch for surprises.

v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc-reports@example.com

Start at pct=25, confirm nothing legitimate is getting quarantined, then raise it toward 100 over a week or two.

p=reject: full enforcement

Reject is the goal. Failing mail is blocked before it reaches the recipient at all, which is the strongest defense against domain spoofing and phishing. Major mailbox providers increasingly expect bulk senders to reach enforcement, so reject is no longer just best practice, it is becoming table stakes.

v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; aspf=s; adkim=s

Only move to reject after quarantine has run cleanly. At this point, the aspf and adkim tags above tighten alignment to strict mode, closing the last gaps spoofers might exploit. Do not set strict alignment until you have confirmed your legitimate mail aligns, because strict alignment is less forgiving of subdomain and envelope mismatches.
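
The difference between relaxed and strict alignment, as an added example that is not part of the original article. It assumes SPF and DKIM have already passed for the given domains, uses a three-entry stand-in for the Public Suffix List, and the sender domains are constructed.

```python
# Stand-in for the Public Suffix List (assumption: enough for these samples).
PUBLIC_SUFFIXES = {"com", "net", "co.uk"}

def org_domain(domain):
    """Organizational domain: the public suffix plus one label to its left."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])

def aligned(from_domain, auth_domain, mode):
    """Mode 's' needs an exact match; mode 'r' the same organizational domain."""
    a, b = from_domain.lower(), auth_domain.lower()
    return a == b if mode == "s" else org_domain(a) == org_domain(b)

def dmarc_passes(from_domain, spf_domain, dkim_domain, aspf="r", adkim="r"):
    """spf_domain: envelope sender domain that passed SPF (None if SPF failed).
    dkim_domain: d= of a valid DKIM signature (None if there is none)."""
    spf_ok = spf_domain is not None and aligned(from_domain, spf_domain, aspf)
    dkim_ok = dkim_domain is not None and aligned(from_domain, dkim_domain, adkim)
    return spf_ok or dkim_ok  # one aligned pass is enough

if __name__ == "__main__":
    # Constructed sender: mail goes out through a third-party platform that
    # uses its own bounce domain and signs with a subdomain of example.com.
    msg = ("example.com", "bounces.mailer-example.net", "mail.example.com")
    print("relaxed:", dmarc_passes(*msg))                      # True
    print("strict: ", dmarc_passes(*msg, aspf="s", adkim="s")) # False
```

Under relaxed alignment the subdomain signature carries this message; under aspf=s and adkim=s the same message fails DMARC and is blocked at p=reject until the platform signs with d=example.com.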

Keep reading your reports after reject

Reaching p=reject is not the end. Keep monitoring your rua reports, because new sending services get added over time and a forgotten one can start failing and getting blocked without warning. DMARC is a standing practice, not a one-time configuration.

The safe rollout path

  1. Confirm SPF and DKIM are correctly configured for every legitimate sender.
  2. Publish p=none with a rua reporting address and collect reports for two to four weeks.
  3. Fix any legitimate source that is failing authentication.
  4. Move to p=quarantine, starting at pct=25 and ramping to 100.
  5. Confirm clean reports, then move to p=reject.
  6. Tighten alignment with aspf=s and adkim=s once you have verified your mail still passes.
  7. Keep reading reports indefinitely as your sending stack changes.
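
One way to check where a published record sits on this path, as an added example rather than code from the article. It parses the TXT value, applies the RFC 7489 defaults (pct=100, relaxed alignment), and lists what is still open; the function names and finding texts are illustrative.

```python
VALID_POLICIES = ("none", "quarantine", "reject")

def parse_dmarc(txt):
    """Parse a DMARC TXT value into its policy-relevant tags."""
    pairs = [part.split("=", 1) for part in txt.split(";") if "=" in part]
    tags = {k.strip().lower(): v.strip() for k, v in pairs}
    # v=DMARC1 is required and must be the first tag in the record.
    if not pairs or pairs[0][0].strip().lower() != "v" or tags["v"] != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        raise ValueError(f"invalid or missing p= value: {policy!r}")
    pct = int(tags.get("pct", "100"))
    if not 0 <= pct <= 100:
        raise ValueError(f"pct out of range: {pct}")
    return {"p": policy, "pct": pct, "rua": tags.get("rua"),
            "aspf": tags.get("aspf", "r").lower(),
            "adkim": tags.get("adkim", "r").lower()}

def audit(txt):
    """Return (policy, findings) describing what is left on the rollout path."""
    r = parse_dmarc(txt)
    findings = []
    if not r["rua"]:
        findings.append("no rua address: no aggregate reports to read")
    if r["p"] == "none":
        findings.append("p=none: monitoring only, failing mail is delivered")
    elif r["pct"] < 100:
        findings.append(f"p={r['p']} covers only {r['pct']}% of failing mail")
    elif r["p"] == "quarantine":
        findings.append("p=quarantine at 100%: next step is p=reject")
    elif (r["aspf"], r["adkim"]) != ("s", "s"):
        findings.append("p=reject with relaxed alignment: consider aspf=s, adkim=s")
    return r["p"], findings

if __name__ == "__main__":
    # The three record values shown earlier in this article.
    for record in (
        "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com",
        "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc-reports@example.com",
        "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; aspf=s; adkim=s",
    ):
        print(audit(record))
```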

The bottom line

Your DMARC policy is the difference between watching spoofers and stopping them. p=none monitors, p=quarantine sidelines failing mail, and p=reject blocks it. The safe path is sequential: monitor first, enforce gradually, and never jump to reject before your reports prove your legitimate mail will survive.

Done right, reaching p=reject protects your brand from impersonation and signals to mailbox providers that you take authentication seriously, which helps your legitimate cold and transactional mail reach the inbox.

Frequently asked questions

Can I just set p=reject immediately to be safe?

No. Jumping straight to reject without monitoring at p=none first risks silently blocking your own legitimate mail from services you forgot were sending as your domain, such as your CRM or invoicing tool. Always monitor, fix failing sources, then enforce gradually through quarantine to reject.

Does staying at p=none protect me from spoofing?

No. p=none is monitoring only; receivers still deliver failing mail normally, so anyone can spoof your domain. It exists to collect reports so you can fix authentication before enforcing. The protection only kicks in at quarantine and especially reject.

What is the pct tag for?

The pct tag applies your policy to only a percentage of failing mail, letting you ramp enforcement gradually. Setting p=quarantine; pct=25 quarantines a quarter of failing messages so you can watch for surprises before raising it to 100 and eventually moving to reject.
