/Guides/DMARC Policy Levels Explained
DMARC Implementation Guide

DMARC Policy Levels Explained: p=none vs p=quarantine vs p=reject

Choosing the right DMARC policy (p=none, p=quarantine, or p=reject) is critical for email security. This guide compares all three enforcement levels, explains when to use each, and shows how to progress safely from monitoring to full protection in 2-3 weeks.

Quick Comparison: At a Glance

PolicyProtection LevelRiskBest For
p=none0% (Monitoring only)NoneDiscovery phase
p=quarantine~70% (Spam folder)LowTesting phase
p=reject100% (Full block)MediumProduction

Policy-by-Policy Breakdown

p=none (Monitoring Mode)

What it does: Collects data about email authentication but takes no enforcement action. Failed emails are delivered normally.

✓ Pros:

  • • Zero risk of blocking legitimate email
  • • Discover all email sources sending as you
  • • Identify SPF/DKIM configuration issues
  • • Safe for initial deployment

✗ Cons:

  • • Provides zero protection from spoofing
  • • Attackers can still impersonate your domain
  • • Not compliant with 2025 Google/Yahoo mandates
  • • Should only be temporary (7-14 days)

Example DMARC Record:

v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com; ruf=mailto:forensic@yourdomain.com; pct=100
Use Case: Discovery Phase Only
Deploy p=none when first implementing DMARC to discover email sources. Move to p=quarantine within 7-14 days after validating 95%+ authentication pass rate.

p=quarantine (Junk/Spam Folder)

What it does: Emails failing DMARC checks are marked as spam/junk but still delivered to recipients' spam folders.

✓ Pros:

  • • Moderate protection (~70% effective)
  • • Legitimate email recoverable from spam folder
  • • Safe stepping stone between p=none and p=reject
  • • Allows testing without hard blocks

✗ Cons:

  • • Some users still see spoofed emails in spam
  • • Not maximum protection (advanced attackers may bypass)
  • • Legitimate emails in spam reduce trust
  • • Still not 100% compliant with best practices

Example DMARC Record:

v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com; pct=100; adkim=r; aspf=r
Use Case: Testing & Gradual Rollout
Use p=quarantine for 7-14 days to verify no legitimate email is being quarantined. Monitor user complaints before moving to p=reject for full protection.

p=reject (Full Enforcement)

What it does: Emails failing DMARC checks are completely blocked at the mail server level. They never reach the recipient's inbox or spam folder.

✓ Pros:

  • 100% protection from domain spoofing
  • • Compliant with Google/Yahoo 2025 mandates
  • • Best practice recommended by security experts
  • • Protects brand reputation and customer trust
  • • Required for BIMI (brand logo in inbox)

✗ Cons:

  • • Risk of blocking legitimate email if misconfigured
  • • Requires 95%+ authentication pass rate first
  • • No recovery for blocked emails
  • • Needs careful testing at p=quarantine first

Example DMARC Record:

v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@yourdomain.com; pct=100; adkim=s; aspf=s
Use Case: Production & Maximum Security
Deploy p=reject once you have verified 95%+ authentication pass rate and tested at p=quarantine. This is the target policy for all production domains to achieve maximum email security.

Using the pct Tag for Gradual Rollout

The pct (percentage) tag allows you to gradually roll out DMARC enforcement, reducing risk of blocking legitimate email:

How pct Works

The pct tag specifies what percentage of failing messages the policy applies to. For example, pct=50 means only 50% of emails failing DMARC will be quarantined/rejected. The other 50% are treated as if the policy were p=none.

Week 1: Start with 10% enforcement

v=DMARC1; p=quarantine; pct=10; rua=mailto:...

Only 10% of failing emails are quarantined. Monitor for issues with low impact.

Week 2: Increase to 50% enforcement

v=DMARC1; p=quarantine; pct=50; rua=mailto:...

Half of failing emails are quarantined. Gain confidence with moderate exposure.

Week 3: Full 100% enforcement

v=DMARC1; p=reject; pct=100; rua=mailto:...

All failing emails are rejected. Full DMARC protection achieved.

Pro Tip: Skip pct for p=none
Don't use pct with p=none - it has no effect since p=none doesn't enforce anything. Start using pct when moving to p=quarantine or p=reject.

Recommended Deployment Timeline

1

Days 1-7: Deploy p=none

Collect DMARC reports to discover all email sources. Goal: Identify and fix SPF/DKIM authentication issues.

Success Metric: 95%+ authentication pass rate across all email sources

2

Days 8-14: Upgrade to p=quarantine

Test enforcement in spam folder. Optional: Use pct=50 for gradual rollout.

Success Metric: No user complaints about missing legitimate emails

3

Day 15+: Move to p=reject

Full enforcement and maximum protection. Continue monitoring DMARC reports monthly.

✓ Target Achieved: 100% DMARC protection in 2-3 weeks

Automated Deployment: 1-2 Weeks Instead of 6+ Months
TrustYourInbox automates this entire timeline. We discover email sources, fix authentication issues, and progress through p=none → p=quarantine → p=reject automatically. Deploy DMARC 4x faster than manual processes. Start free trial

Which Policy Should You Use Right Now?

❓ Do you have a DMARC record deployed?

✗ No → Start with p=none

Generate your first DMARC policy with DMARC Policy Generator and deploy p=none for discovery

✓ Yes → Continue below

❓ What is your current policy?

Currently p=none:

  • • Check authentication pass rate in DMARC reports
  • • If 95%+ pass rate → Upgrade to p=quarantine
  • • If <95% pass rate → Fix SPF/DKIM first

Currently p=quarantine:

  • • Monitor for user complaints (7-14 days)
  • • If no issues → Upgrade to p=reject
  • • If complaints → Investigate authentication failures

Currently p=reject:

  • ✓ You're fully protected!
  • ✓ Continue monthly DMARC report monitoring
  • ✓ Consider enabling BIMI for brand logo in inbox

Related Guides

DMARC Quick Start Guide

Get started with DMARC in 15 minutes

Moving to p=reject Safely

Step-by-step guide to full enforcement

Creating Your First DMARC Record

Beginner-friendly DMARC setup guide

Get to p=reject in 1-2 Weeks, Not Months

TrustYourInbox automates the entire DMARC deployment process. We progress through p=none → p=quarantine → p=reject automatically, fixing authentication issues along the way. No manual policy updates or guesswork required.

Free DMARC Policy Tools

DMARC Domain Checker

Check what policy your domain currently has

DMARC Policy Generator

Generate p=none, p=quarantine, or p=reject policies

DMARC Analyzer

Analyze your current policy for issues

Policy Impact Simulator

Test policy changes before deployment

Domain Security Checker

Comprehensive DMARC, SPF, DKIM audit

SPF Surveyor

Check SPF authentication for your domain