DMARC Policy Explained – none, quarantine, reject

The DMARC p= tag tells receivers what to do when a message fails alignment. None means monitor only; quarantine and reject ask for stronger handling. Here's what each does.

What the policy tag does

When SPF or DKIM doesn't align with the From domain, the message "fails" DMARC. The p= value tells the receiver how to treat those failures: none (no action requested), quarantine (treat as suspicious), or reject (reject the message). Receivers interpret this; they're not required to follow it exactly, but major providers generally do.

Choosing a policy

Start with p=none and rua= so you get aggregate reports and see how many messages pass or fail. When you're confident your legitimate mail passes and you've fixed misconfigurations, move to p=quarantine, then consider p=reject. Gmail and Yahoo expect bulk senders to move beyond p=none.

Common mistakes

  • Setting p=reject before verifying SPF/DKIM alignment for all legitimate sending paths.
  • Staying on p=none indefinitely when you're ready to enforce.
  • Forgetting subdomain policy (sp=); it defaults to the main p= if not set.

Check my DMARC policy

Check your DMARC policy and alignment. No signup required.

Check my DMARC policyView pricing

FAQ

What is p=none?

Monitor only. Receivers don't quarantine or reject based on DMARC failure; they may still apply other filters. Used to collect reports and test without affecting delivery.

What is p=quarantine?

Receivers are asked to treat failing messages as suspicious—e.g. put in spam or a quarantine folder. Behavior varies by provider; the intent is to reduce inbox placement without hard reject.

What is p=reject?

Receivers are asked to reject messages that fail DMARC. Strongest policy; often used after you've validated SPF/DKIM and monitored with p=none then p=quarantine.

Can I use pct= with quarantine or reject?

Yes. pct= lets you apply the policy to a percentage of failing messages (e.g. pct=25). Useful for ramping up gradually. Default is 100.

Related reading

Read-only checks. We don't send email or modify DNS. How we check