DMARC p=quarantine vs p=reject: when to graduate
p=none monitors. p=quarantine warns. p=reject blocks. The decision tree for moving between them and the metrics that tell you it is safe.
Every DMARC rollout eventually reaches the same fork: do you stay at quarantine or push to reject? The answer is rarely about the policy itself — it is about whether you can prove no legitimate mail will be lost when receivers stop forwarding it to junk and start dropping it on the floor.
What each policy actually does
| Policy | Receiver action on failure | User impact |
|---|---|---|
| none | Deliver normally; report to rua | None — monitoring only |
| quarantine | Deliver to spam folder | Likely missed unless user checks spam |
| reject | Drop the message; SMTP 5.7.1 | Bounce to sender; never seen by recipient |
The graduation gate
Read your last 30 days of DMARC aggregate reports. For every source IP/domain that sent mail with your From: domain, ask: is this expected, and does SPF or DKIM align? If the answer is yes for 100% of volume, you can move from quarantine to reject. If you find unexpected sources still in there, fix them first.
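The gate above can be checked mechanically against the aggregate reports themselves. The following is an added example, not code from the original article: it tallies aligned volume per source IP from RFC 7489 aggregate XML and applies the 100% rule. The sample report and the `expected` sender inventory are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample report (RFC 7489 aggregate schema, trimmed to the fields used).
# Real reports are untrusted input from third parties; parse those with defusedxml.
SAMPLE_REPORT = """<feedback>
  <policy_published><domain>example.com</domain><p>quarantine</p></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>940</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>50</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row></record>
  <record><row><source_ip>203.0.113.99</source_ip><count>10</count>
    <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
</feedback>"""

def summarize(report_xmls):
    """Return {source_ip: [aligned_count, total_count]} across all reports."""
    per_source = defaultdict(lambda: [0, 0])
    for xml_text in report_xmls:
        for row in ET.fromstring(xml_text).iter("row"):
            ip = row.findtext("source_ip")
            count = int(row.findtext("count", "0"))
            ev = row.find("policy_evaluated")
            # policy_evaluated holds the aligned results; DMARC passes if either passes.
            aligned = ev is not None and "pass" in (ev.findtext("dkim"), ev.findtext("spf"))
            per_source[ip][1] += count
            if aligned:
                per_source[ip][0] += count
    return dict(per_source)

def graduation_gate(per_source, expected_sources):
    """Gate from the text: every source expected AND 100% of volume aligned."""
    unexpected = sorted(ip for ip in per_source if ip not in expected_sources)
    failing = sorted(ip for ip, (ok, total) in per_source.items() if ok < total)
    total = sum(t for _, t in per_source.values())
    aligned = sum(a for a, _ in per_source.values())
    return {
        "aligned_pct": round(100 * aligned / total, 2) if total else 0.0,
        "unexpected": unexpected,
        "failing": failing,
        "ready_for_reject": total > 0 and not unexpected and not failing,
    }

if __name__ == "__main__":
    # Hypothetical inventory of senders you have authorised.
    expected = {"192.0.2.10", "198.51.100.7"}
    print(graduation_gate(summarize([SAMPLE_REPORT]), expected))
```

With the sample data the gate stays closed: 99% of volume aligns, but `203.0.113.99` is both unattributed and failing, which is exactly the case the text says to fix before moving to reject.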
The pct ramp
Quarantine ramp over 4 weeks
```text
# Week 1
v=DMARC1; p=quarantine; pct=10; rua=mailto:[email protected]
# Week 2
v=DMARC1; p=quarantine; pct=25; rua=mailto:[email protected]
# Week 3
v=DMARC1; p=quarantine; pct=50; rua=mailto:[email protected]
# Week 4 (steady state)
v=DMARC1; p=quarantine; pct=100; rua=mailto:[email protected]
```
When NOT to go to reject
- You have mailing-list traffic (forwards break SPF and often DKIM).
- You use third-party billing or CRM senders that haven't been authenticated yet.
- Your sales team forwards from personal Gmail and hasn't migrated.
- You see unexplained sources in DMARC reports that you can't yet attribute.