DMARC Quarantine vs Reject: Which Policy Should You Use?

Understand the difference between DMARC quarantine and reject policies. Learn when to use each and how to safely move from monitoring to enforcement.

DMARC has three policies: none, quarantine, and reject. Once you've moved past monitoring (p=none), the real question is whether to quarantine or reject failing emails. Here's how to decide.

Quick Comparison

| | Quarantine | Reject |
|---|---|---|
| **What happens** | Email goes to spam/junk | Email is blocked entirely |
| **Recipient sees it?** | Yes, in spam folder | No |
| **Risk level** | Medium: misconfigurations land in spam | High: misconfigurations are lost |
| **Protection level** | Good: spoofed email hidden from inbox | Best: spoofed email never delivered |
| **Recommended for** | Transition phase | Final enforcement |

How Quarantine Works

With p=quarantine, receiving mail servers route failing emails to the recipient's spam or junk folder. The email still arrives — it's just flagged as suspicious.

v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com

Pros:

  • Spoofed emails don't reach the inbox
  • Legitimate emails that fail (due to misconfiguration) can still be found in spam
  • Lower risk during the transition period
  • Gives you a safety net while you fine-tune authentication

Cons:

  • Spoofed emails are still delivered (just to spam)
  • Recipients might still see and interact with malicious email in spam
  • Doesn't fully protect your brand

How Reject Works

With p=reject, receiving mail servers block failing emails entirely. They never reach the recipient in any folder.

v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com

Pros:

  • Maximum protection against spoofing
  • Spoofed emails are completely blocked
  • Strongest signal to email providers that you take security seriously
  • Required for BIMI (Brand Indicators for Message Identification)

Cons:

  • Any misconfigured legitimate email is also blocked
  • No safety net — lost emails can't be recovered from spam
  • Requires confidence that all legitimate email is properly authenticated

The Recommended Path

Most organizations should follow this progression:

Phase 1: Monitor (p=none)

v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com

Collect reports for 2-4 weeks. Identify all legitimate email sources and fix authentication issues.

Phase 2: Partial Quarantine (p=quarantine; pct=25)

v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@yourdomain.com

Apply quarantine to 25% of failing email. Monitor for any legitimate email ending up in spam.

Phase 3: Full Quarantine (p=quarantine)

v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com

Increase to 100%. Run for 1-2 weeks with no issues.

Phase 4: Partial Reject (p=reject; pct=25)

v=DMARC1; p=reject; pct=25; rua=mailto:dmarc@yourdomain.com

Start rejecting 25% of failing email. The remaining 75% still gets quarantined.

Phase 5: Full Reject (p=reject)

v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com

Full enforcement. Maximum protection.

Don't rush to reject

Each phase should run for at least 1-2 weeks. Rushing the process risks blocking legitimate email you haven't accounted for.

When to Stay on Quarantine

Quarantine may be the right long-term choice if:

  • You have many third-party senders that you can't fully control (marketing platforms, CRMs, transactional email services)
  • Your organization changes email services frequently and misconfigurations are common
  • You forward email heavily — forwarding often breaks SPF and can cause DMARC failures
  • You're not sure all legitimate sources are authenticated and want a safety net

When to Move to Reject

Move to reject when:

  • All legitimate email sources are authenticated with SPF and DKIM
  • Your DMARC reports show zero or near-zero legitimate failures
  • You've run quarantine for several weeks with no issues
  • You want maximum protection against domain spoofing
  • You want BIMI support — BIMI requires p=reject

Subdomain Considerations

Don't forget subdomain policies. Use sp= to set a separate policy for subdomains:

v=DMARC1; p=reject; sp=quarantine; rua=mailto:dmarc@yourdomain.com

This rejects failing email from your main domain but only quarantines failing email from subdomains. This is useful if subdomains have different email configurations.
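
The rollout phases and the sp= tag described above, as an added example that is not part of the original page: a small Python parser that reports what share of failing mail gets each disposition, for the main domain and for subdomains, and lists what keeps a record short of full enforcement. The function names are hypothetical, and the record is passed in as a string (for a live domain it is the TXT record published at _dmarc.yourdomain.com).

```python
# Added example; function names are hypothetical, sample record is from this page.
STRENGTH = {"none": 0, "quarantine": 1, "reject": 2}
# With pct < 100, mail outside the sample gets the next weaker policy (RFC 7489).
WEAKER = {"reject": "quarantine", "quarantine": "none", "none": "none"}

def parse_dmarc(record):
    """Split a DMARC TXT record into a tag -> value dict and validate p=/sp=."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record")
    tags["p"] = tags.get("p", "").lower()
    tags["sp"] = tags.get("sp", tags["p"]).lower()  # sp= absent: inherit p=
    for tag in ("p", "sp"):
        if tags[tag] not in STRENGTH:
            raise ValueError(f"missing or invalid {tag}= tag")
    return tags

def disposition(record, subdomain=False):
    """Return {policy: percent of failing mail} for the domain or its subdomains."""
    tags = parse_dmarc(record)
    policy = tags["sp"] if subdomain else tags["p"]
    pct = int(tags.get("pct", "100"))
    if not 0 <= pct <= 100:
        raise ValueError("pct must be between 0 and 100")
    shares = {policy: pct}
    if pct < 100:
        shares[WEAKER[policy]] = shares.get(WEAKER[policy], 0) + 100 - pct
    return shares

def review(record):
    """List the gaps that keep a record short of full enforcement."""
    tags = parse_dmarc(record)
    findings = []
    if tags["p"] == "none":
        findings.append("p=none: monitoring only, failing mail is still delivered")
    if int(tags.get("pct", "100")) < 100:
        findings.append("pct below 100: policy applies to only part of failing mail")
    if STRENGTH[tags["sp"]] < STRENGTH[tags["p"]]:
        findings.append("sp= is weaker than p=: subdomains get less protection")
    if "rua" not in tags:
        findings.append("no rua=: no aggregate reports to spot legitimate failures")
    return findings

if __name__ == "__main__":
    rec = "v=DMARC1; p=reject; pct=25; rua=mailto:dmarc@yourdomain.com"
    print(disposition(rec), review(rec))
```

An empty list from review() means the record is at full enforcement with reporting enabled; it says nothing about whether your legitimate senders actually pass SPF and DKIM, which only the aggregate reports show.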

Monitor Your DMARC Records

Checking once is good. Monitoring continuously is better. The Email Deliverability Suite watches your SPF, DKIM, DMARC, and MX records daily and alerts you when something breaks.
