DMARC Policy: None vs Quarantine vs Reject

DMARC (Domain-based Message Authentication, Reporting and Conformance) sits on top of SPF and DKIM. SPF and DKIM prove a message was authorized by someone who controls DNS. DMARC tells receivers what to do when those checks fail or when the authenticated domain does not align with the visible From: address.

The policy lives in the p= tag of your DMARC TXT record at _dmarc.yourdomain.com. Three values matter for production mail:

• p=none (monitor)
• p=quarantine (soft enforce)
• p=reject (hard enforce)

Receivers that honor DMARC (Gmail, Yahoo, Microsoft, Apple, and most large mailbox providers as of 2026) read this tag after they evaluate SPF and DKIM alignment. The policy does not replace SPF or DKIM. It is the enforcement instruction for what happens when auth fails.

Alignment comes first

Policy is irrelevant if your legitimate mail does not achieve DMARC pass. Before you move from none to quarantine, confirm that your primary sending paths (M365, Google Workspace, ESP marketing, transactional SaaS) all show dmarc=pass in Authentication-Results on test messages. If you enforce while alignment is broken, you punish your own campaigns.

What receivers do

A monitor-only policy tells mailbox providers: report failures to me, but do not change delivery based on DMARC alone. Failed messages can still reach the inbox. Spoofed mail can too.

When none is correct

• First 2-4 weeks after publishing DMARC for the first time
• While you discover all legitimate senders (payroll SaaS, CRM, ticket system, old ESP)
• When you are fixing alignment on an ESP relay before enforcement

When none is wrong

• 6+ months of clean aggregate reports and you still have not moved
• After a phishing incident where your domain was impersonated
• When your auditor asks for "DMARC enforcement" and you hand them a p=none TXT record

Honestly, monitor-only in 2026 is fine as a starting line, not a finish line. Receivers increasingly treat long-term none as a signal that the domain owner is not serious about spoofing protection. It does not directly spam-folder your mail, but it does nothing to stop others from abusing your domain.

Example record (monitoring phase)

v=DMARC1; p=none; rua=mailto:[email protected]; adkim=r; aspf=r; pct=100

Publish at _dmarc.yourdomain.com. The rua= address receives aggregate XML reports (usually daily). Someone must actually read them.

What receivers do

Quarantine tells receivers to treat failing mail as suspicious. Delivery varies by provider: spam folder, junk, or "quarantine" in enterprise filters. The message is not hard-rejected at SMTP time in most cases, so false positives are recoverable.

Why quarantine before reject

Legitimate mail still fails DMARC occasionally: forwarding, mailing lists, a forgotten SaaS tool on an old subdomain, a contractor using a personal SMTP relay. Quarantine gives you signal without bouncing payroll notices to void.

When to move to quarantine

• Aggregate reports show 95%+ of your volume passing DMARC for 2+ consecutive weeks
• You have identified every failing source in RUA reports and either fixed or exempted it
• You are ready to explain to the business why some old mail paths may need reconfiguration

Staging with pct=

Do not flip the entire domain to quarantine on day one. Use the pct= tag to enforce on a fraction of failing mail first:

v=DMARC1; p=quarantine; pct=25; rua=mailto:[email protected]; adkim=r; aspf=r

After two clean weeks at pct=25, move to 50, then 100. If failures spike, drop pct= or revert to none while you fix the sender.

We've seen teams skip pct= and quarantine 100% of failing mail on a Friday afternoon. Monday morning support queue was memorable (and not in a good way).

What receivers do

Reject instructs providers to block unauthenticated mail at or before delivery. Failures bounce or disappear. Spoofing your domain becomes much harder because there is no inbox placement for unsigned mail.

When reject is appropriate

• Financial services, healthcare, and regulated vendors under NIS2 or SOC2 scrutiny
• Brands actively targeted by BEC (business email compromise) phishing
• Domains with stable, documented sending infrastructure and 30+ days of clean quarantine at pct=100

When reject is premature

• You still have failing legitimate sources in aggregate reports
• Marketing and transactional mail use different ESPs and only one is aligned
• Nobody on the team owns DMARC report review

Blunt take: jumping straight to reject without quarantine staging is an ego move, not a security move. The spoofing risk you eliminate is real. The self-inflicted outage risk is also real.

Example record (full enforcement)

v=DMARC1; p=reject; rua=mailto:[email protected]; adkim=r; aspf=r; pct=100

Some providers also accept sp=reject for subdomain policy. If you send from mail.yourdomain.com or news.yourdomain.com, set subdomain policy explicitly or publish per-subdomain DMARC records.

Subdomain policy (sp=)

The sp= tag sets policy for subdomains that do not have their own _dmarc record. If your root domain is p=reject but sp=none, attackers pivot to fake-billing.yourdomain.com. Match sp= to your root policy unless you have a documented reason not to.

Alignment modes (adkim= and aspf=)

• Relaxed (r): subdomain of organizational domain counts as aligned. Default for most SMBs.
• Strict (s): exact domain match only. Harder to maintain with multi-subdomain ESP setups.

Strict alignment is overrated for most SMBs until enforcement is stable. Get to quarantine with relaxed alignment first. Tighten later if your threat model demands it.

Common rollout mistakes

• Changing policy without reading aggregate reports (you enforce blind)
• Forgetting a subdomain that still sends mail (returns path, helpdesk, old marketing site)
• Removing rua= after moving to reject (you lose visibility when a new SaaS tool starts sending)
• Setting p=reject while DKIM keys are expired on one ESP (that ESP's mail bounces in bulk)

dig TXT _dmarc.yourdomain.com +short

Gmail's Authentication-Results header shows the effective policy and disposition: dmarc=pass, dmarc=fail action=none, action=quarantine, or implicit reject on aligned failures under strict sender rules.

Microsoft 365 and Outlook.com follow similar DMARC evaluation through Exchange Online Protection. Hybrid setups (on-prem SMTP relay + cloud mailbox) often fail alignment on the relay hop until you sign outbound mail or align the envelope-from on the edge server.

Neither provider publishes exact spam-filter weighting for p=none vs. quarantine on passing mail, but senders with long-term none and poor alignment see lower inbox placement over time in Google Postmaster domain reputation. Enforcement plus clean auth is the combination that stabilizes placement.

For EU SMBs, NIS2 Article 21 technical measures (Directive 2022/2555, transposed in member states through 2024-2025) expect documented email authentication controls. A monitor-only policy with no rollout plan is a weak audit answer in 2026. Quarantine or reject with stored aggregate reports is a stronger one.