DMARC quarantine vs reject: rollout criteria and checks
Choose when to move from monitoring to quarantine or reject using aligned sender coverage, unknown-source volume, and report evidence.
Every DMARC rollout eventually reaches the same fork: do you stay at quarantine or push to reject? The answer is rarely about the policy itself — it is about whether you can prove no legitimate mail will be lost when receivers stop forwarding it to junk and start dropping it on the floor.
If you need the full enforcement path, start with the authentication hub and the DMARC rollout guide, then use this page for the quarantine-versus-reject decision.
What each policy actually does
| Policy | Receiver action on failure | User impact |
|---|---|---|
| none | Deliver normally; report to rua | None — monitoring only |
| quarantine | Deliver to spam folder | Likely missed unless user checks spam |
| reject | Drop the message; SMTP 5.7.1 | Bounce to sender; never seen by recipient |
The graduation gate
Read your last 30 days of DMARC aggregate reports. For every source IP/domain that sent mail with your From: domain, ask: is this expected, and does SPF or DKIM align? If the answer is yes for 100% of volume, you can move from quarantine to reject. If you find unexpected sources still in there, fix them first.
The pct ramp
# Week 1
v=DMARC1; p=quarantine; pct=10; rua=aggregate-report-mailbox
# Week 2
v=DMARC1; p=quarantine; pct=25; rua=aggregate-report-mailbox
# Week 3
v=DMARC1; p=quarantine; pct=50; rua=aggregate-report-mailbox
# Week 4 (steady state)
v=DMARC1; p=quarantine; pct=100; rua=aggregate-report-mailboxWhen NOT to go to reject
- You have mailing-list traffic (forwards break SPF and often DKIM).
- You use third-party billing or CRM senders that haven't been authenticated yet.
- Your sales team forwards from personal Gmail and hasn't migrated.
- You see unexplained sources in DMARC reports that you can't yet attribute.
Frequently asked questions
| Question | Quarantine readiness | Reject readiness |
|---|---|---|
| Legitimate senders identified? | Mostly, with active remediation | Yes, with owners recorded |
| Legitimate volume aligned? | High and improving | Sustained near-complete coverage |
| Unknown volume explained? | Investigating low residual volume | No material unexplained source |
| Reporting stable? | At least one representative cycle | Multiple stable cycles |
Use DMARC monitoring to label sources and inspect aligned volume before changing policy. The rollout guide covers staged enforcement.
Last updated June 13, 2026.
Sources reviewed
- RFC 7489: DMARC(standard)
Factual review: June 13, 2026 by WillItInbox Editorial.
Keep reading