Blog

DMARC p=none vs quarantine vs reject — Which Should You Use and When?

March 31, 2026

Everyone explains what the three DMARC policies do. Nobody answers the actual question: which one should I set right now?

The answer depends on one thing — how long you've been collecting DMARC reports and what they show.

Start Here — p=none

p=none is not a finished setup. It's a starting point.

Set it, add rua= so you get reports, and read them for 2-4 weeks. That's it.

v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com

While you're at p=none, spoofed emails still reach inboxes. You have visibility but no protection. That's acceptable for the first few weeks — not for months.

Move to p=quarantine When:

• You've had p=none for at least 2 weeks
• Your DMARC reports show all legitimate senders passing alignment
• No unexplained IPs in the reports

What quarantine does: emails failing DMARC go to spam instead of inbox. Legitimate email from aligned senders is unaffected.

Start with pct=10 if you're nervous:

v=DMARC1; p=quarantine; pct=10; rua=mailto:dmarc@yourdomain.com

This applies quarantine to 10% of failing mail. Monitor for a week, then go to pct=100.

Move to p=reject When:

• You've been at p=quarantine for 1-2 weeks
• No legitimate email is going to spam
• All your senders are aligned

p=reject is the goal. It's the only policy that actually blocks spoofed email.

v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com

The Decision Tree

• Been running DMARC under 2 weeks → stay at p=none
• Reports show failing senders → fix them first
• Reports clean for 2+ weeks → move to quarantine
• Quarantine clean for 1 week → move to reject

How to Read Your Reports

Use DomainPreflight DMARC Report Analyzer — paste your XML, see which senders are failing alignment and why.

Green = aligned, passing

Orange = partial failure, fix needed

Red = both fail, likely spoofing