DMARC None vs Quarantine vs Reject: How to Safely Move to Full Enforcement
Compare DMARC none, quarantine, and reject policies side by side. Learn the safe migration path from monitoring to full enforcement without breaking legitimate email.
Every DMARC journey starts with p=none and should end at p=reject. The challenge is getting there without blocking your own email. Most businesses stall at none because they're afraid of the jump — but with a structured progression, moving to full enforcement is straightforward and safe.
The Three Policies Compared
| | p=none | p=quarantine | p=reject |
|---|---|---|---|
| **Action on failure** | Deliver normally | Send to spam/junk | Block entirely |
| **Protection level** | None — monitoring only | Moderate — hides spoofed email | Maximum — blocks spoofed email |
| **Risk to legitimate email** | Zero | Low — misconfigured mail lands in spam | High — misconfigured mail is lost |
| **Visibility** | Full reports, no enforcement | Reports + spam filtering | Reports + full blocking |
| **Recommended duration** | 2-4 weeks minimum | 2-4 weeks per pct step | Permanent (goal state) |
| **Best for** | Discovery phase | Transition phase | Final enforcement |
What Each Policy Actually Does
p=none: Monitor Without Risk
The none policy tells receiving servers: "Deliver this email even if it fails DMARC, but send me a report about it." No email is blocked or quarantined. You are purely collecting data.
v=DMARC1; p=none; rua=mailto:[email protected]
This is where you discover every service sending email as your domain — your marketing platform, CRM, transactional email provider, support desk, and anything else you may have forgotten about. Without this phase, you will almost certainly block legitimate email later.
p=none offers zero protection
While you're on p=none, attackers can still spoof your domain and those emails will land in inboxes. This policy is a starting point, not a destination.
p=quarantine: The Safety Net
Quarantine tells receivers to treat failing emails as suspicious. In practice, this means they end up in the recipient's spam or junk folder. The email is still delivered — just not to the inbox.
v=DMARC1; p=quarantine; rua=mailto:[email protected]
This is the critical middle step. If you misconfigured a sender, the email lands in spam rather than disappearing. Your team or customers can still find it, and you have time to fix the issue before it causes real damage.
p=reject: Full Enforcement
Reject tells receivers to block failing emails entirely. They never reach the recipient in any folder. This is the strongest protection against domain spoofing and the goal every domain should work toward.
v=DMARC1; p=reject; rua=mailto:[email protected]
Once you reach reject, spoofed emails using your domain are stopped completely. This protects your brand, your customers, and your email reputation. It is also a requirement for BIMI, which displays your logo next to emails in supported inboxes.
The Safe Migration Path
Rushing from none to reject is the most common DMARC mistake. Here is the step-by-step progression that avoids breaking legitimate email.
Step 1: Start with p=none (Weeks 1-4)
v=DMARC1; p=none; rua=mailto:[email protected]; fo=1
Set up your DMARC record with p=none and an RUA address for aggregate reports. Run it for at least two to four weeks. During this time:
- Review your aggregate reports to identify every IP sending email as your domain
- Confirm that all legitimate senders pass both SPF and DKIM
- Fix any alignment issues you discover
- Use the free DMARC record checker to verify your record is published correctly
Step 2: Move to p=quarantine at pct=25 (Weeks 5-6)
v=DMARC1; p=quarantine; pct=25; rua=mailto:[email protected]
The pct tag lets you apply the quarantine policy to only 25% of failing messages. The other 75% are still delivered normally. This limits the blast radius if something is wrong.
Monitor your reports closely. If legitimate email is hitting spam, fix the authentication issue and wait another week before continuing.
Step 3: Increase to pct=50, then pct=100 (Weeks 7-10)
v=DMARC1; p=quarantine; pct=50; rua=mailto:[email protected]
Gradually increase the percentage. At each step, review reports and confirm no legitimate email is affected. Once you reach pct=100 (or simply remove the pct tag), all failing email is quarantined.
Step 4: Move to p=reject at pct=25 (Weeks 11-12)
v=DMARC1; p=reject; pct=25; rua=mailto:[email protected]
Now begin rejecting. At pct=25, only a quarter of failing messages are blocked. The rest fall back to quarantine. This gives you a final safety check before full enforcement.
Step 5: Full reject (Week 13+)
v=DMARC1; p=reject; rua=mailto:[email protected]
Remove the pct tag and your domain is fully enforced. Spoofed emails are blocked. Legitimate email — properly authenticated — flows normally.
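How the pct sampling in Steps 2 through 5 splits failing mail, worked through in Python as an added example (not code from this page or its tools): messages outside the sampled percentage receive the next-lower policy, as the steps above describe. The function names and the example.com report address are assumptions made for illustration.

```python
from fractions import Fraction

# Messages not sampled by pct receive the next-lower policy (RFC 7489 message sampling).
FALLBACK = {"reject": "quarantine", "quarantine": "none"}

# The five rollout steps from the text; the rua address is a constructed placeholder.
RUA = "rua=mailto:dmarc-reports@example.com"
ROLLOUT = [
    f"v=DMARC1; p=none; {RUA}; fo=1",
    f"v=DMARC1; p=quarantine; pct=25; {RUA}",
    f"v=DMARC1; p=quarantine; pct=50; {RUA}",
    f"v=DMARC1; p=reject; pct=25; {RUA}",
    f"v=DMARC1; p=reject; {RUA}",
]

def parse_dmarc(record):
    """Split a DMARC TXT record into tags, validating v, p and pct."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if next(iter(tags), None) != "v" or tags["v"] != "DMARC1":
        raise ValueError("record must begin with v=DMARC1")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("missing or invalid p= tag")
    pct = int(tags.get("pct", "100"))  # pct defaults to 100 when absent
    if not 0 <= pct <= 100:
        raise ValueError("pct must be between 0 and 100")
    tags["pct"] = pct
    return tags

def failing_mail_treatment(record):
    """Return the share of DMARC-failing mail delivered, quarantined and rejected."""
    tags = parse_dmarc(record)
    split = {"none": Fraction(0), "quarantine": Fraction(0), "reject": Fraction(0)}
    if tags["p"] == "none":
        split["none"] = Fraction(1)  # monitoring only; pct has no effect
    else:
        split[tags["p"]] = Fraction(tags["pct"], 100)
        split[FALLBACK[tags["p"]]] = Fraction(100 - tags["pct"], 100)
    return split

if __name__ == "__main__":
    for record in ROLLOUT:
        print(record, {k: str(v) for k, v in failing_mail_treatment(record).items()})
```

The shares describe the policy the domain requests; receivers may still apply their own local filtering on top of it.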
Don't forget subdomains
Set an sp=reject policy for subdomains that don't send email. Attackers often target unprotected subdomains when the main domain is locked down.
Common Mistakes That Break Email
Skipping p=none entirely. You deploy quarantine or reject on day one, and your marketing platform's emails start landing in spam — or worse, get blocked. Always start with monitoring.
Staying on p=none for months. The monitoring phase should last weeks, not months. If you have been on none for more than two months, you are likely procrastinating. Review your DMARC reports and start moving forward.
Jumping from none to reject. Skipping quarantine removes your safety net. Quarantine lets you catch problems while the email is still recoverable. Go through the full progression.
Ignoring the pct tag. The pct tag exists for exactly this purpose — gradual rollout. Using it at each enforcement step dramatically reduces risk. See our pct tag guide for details.
Not monitoring after reaching reject. New email services, DNS changes, and configuration drift can break authentication at any time. You need ongoing monitoring, not a one-time setup.
When to Slow Down
Pause your progression if:
- Your DMARC reports show legitimate senders failing authentication
- You recently added a new email service that hasn't been configured for SPF or DKIM
- You see a spike in failures after a DNS change
- A third-party vendor is sending email on your behalf without proper authentication
Fix the underlying issue, confirm it in your reports, and then resume the progression.
Check Your Current Policy
See where your domain stands right now with our free DMARC record checker.
If you need to create or update your DMARC record for the next step in your progression, DMARC Creator can generate the right record for you.
For a broader look at the full enforcement journey including organizational readiness and stakeholder communication, see the Complete DMARC Enforcement Guide.
Stay Protected After Enforcement
Reaching p=reject is a milestone, not the finish line. The Email Deliverability Suite monitors your DMARC, SPF, DKIM, and MX records daily and alerts you the moment something changes.