DMARC p=none: monitor only — collect reports but don't affect delivery (start here). p=quarantine: send authentication failures to spam — recipient can still find the email. p=reject: block authentication failures entirely — they never arrive. Always start at p=none, monitor reports for 2-4 weeks, fix authentication gaps, then advance through quarantine to reject. Never start at p=reject — you'll block your own email from services you forgot about.
DMARC Policy Levels: none vs quarantine vs reject
The Three Levels
p=none (Monitoring)
v=DMARC1; p=none; rua=mailto:[email protected]
What it does: Nothing to email delivery. Authentication failures are reported but not acted on.
Why start here: You need to see what's sending email as your domain before blocking anything. DMARC reports at p=none reveal:
- Legitimate services you forgot to authenticate
- Third-party tools sending as your domain
- Spoofing attempts (what DMARC is designed to stop)
How long: 2-4 weeks. Enough to capture all legitimate senders including infrequent ones (monthly invoicing, quarterly reports).
p=quarantine (Spam Filtering)
v=DMARC1; p=quarantine; pct=25; rua=mailto:[email protected]
What it does: Sends authentication failures to spam. Recipients CAN still find the email in their spam folder.
Why use it: Safety net before reject. If a legitimate sender's email is quarantined, it lands in spam rather than being permanently lost, so recipients can still find it there while you fix the authentication.
How long: 2-4 weeks at pct=25, then increase to pct=50, then pct=100.
p=reject (Full Enforcement)
v=DMARC1; p=reject; rua=mailto:[email protected]
What it does: Completely blocks authentication failures. Email never arrives. Maximum protection against spoofing.
Why it's the goal: p=reject is the only level that actually prevents impersonation. p=none and p=quarantine allow spoofed email to arrive (in inbox or spam). p=reject stops it entirely.
When to enable: Only after 4+ weeks of clean quarantine with pct=100 and no legitimate email being affected.
The Safe Advancement Path
| Week | Policy | pct | Action |
|---|---|---|---|
| 1-4 | p=none | — | Collect reports, identify all senders |
| 5 | p=quarantine | 25% | Quarantine 25% of failures |
| 6 | p=quarantine | 50% | Monitor for quarantined legitimate email |
| 7-8 | p=quarantine | 100% | Full quarantine enforcement |
| 9+ | p=reject | 100% | Full rejection (permanent) |
Subdomain Policy (sp= tag)
The sp= tag controls policy for subdomains:
v=DMARC1; p=reject; sp=none; rua=mailto:[email protected]
This means:
- Root domain (yourdomain.com): p=reject (full enforcement)
- All subdomains (*.yourdomain.com): p=none (monitoring only)
Useful when your root domain is fully authenticated but you're still setting up subdomain sending.
What Happens at Each Level
| Scenario | p=none | p=quarantine | p=reject |
|---|---|---|---|
| Legitimate email, passes auth | Delivered ✓ | Delivered ✓ | Delivered ✓ |
| Legitimate email, fails auth | Delivered ✓ (but reported) | Spam folder ⚠ | Blocked ✗ |
| Spoofed email | Delivered ✓ (no protection) | Spam folder ⚠ | Blocked ✓ |
Only p=reject provides real protection against spoofing.
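How a receiver turns p=, sp= and pct= into an action for one failing message, as an added example (not from the original article). It goes slightly beyond the table above by modelling the RFC 7489 rule that failures outside the pct sample get the next-lower policy; the function names, the `roll` parameter and the report address are assumptions made for illustration, and the caller is assumed to supply the organizational domain.

```python
import random

# Policy applied to failures that fall outside the pct sample (RFC 7489 6.6.4).
LOWER = {"reject": "quarantine", "quarantine": "none", "none": "none"}

# Constructed record; the rua address is a placeholder.
SAMPLE = "v=DMARC1; p=reject; sp=none; pct=50; rua=mailto:reports@example.com"

def parse_dmarc(txt):
    """Parse a DMARC TXT record and validate the tags discussed on this page."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        raise ValueError("v=DMARC1 must be the first tag")
    tags = {}
    for part in parts[1:]:
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part!r}")
        tags[key.strip().lower()] = value.strip()
    tags["p"] = tags.get("p", "").lower()
    tags["sp"] = tags.get("sp", tags["p"]).lower()   # sp defaults to p
    for name in ("p", "sp"):
        if tags[name] not in LOWER:
            raise ValueError(f"{name}= must be none, quarantine or reject")
    tags["pct"] = int(tags.get("pct", "100"))        # pct defaults to 100
    if not 0 <= tags["pct"] <= 100:
        raise ValueError("pct= must be between 0 and 100")
    return tags

def disposition(tags, from_domain, org_domain, dmarc_pass, roll=None):
    """Action for one message; roll (0-99) stands in for the receiver's pct sampling."""
    if dmarc_pass:
        return "none"                                # passing mail is never touched
    # sp applies to subdomains that publish no DMARC record of their own.
    is_sub = from_domain.lower() != org_domain.lower()
    policy = tags["sp"] if is_sub else tags["p"]
    if roll is None:
        roll = random.randrange(100)
    return policy if roll < tags["pct"] else LOWER[policy]

if __name__ == "__main__":
    t = parse_dmarc(SAMPLE)
    for dom in ("yourdomain.com", "news.yourdomain.com"):
        for roll in (10, 90):
            print(dom, roll, disposition(t, dom, "yourdomain.com", False, roll))
```

With the sample record, half of the root domain's failures are rejected and the other half quarantined, while every subdomain failure is delivered because sp=none.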
Practitioner note: The most dangerous moment in DMARC advancement is moving from p=none to p=quarantine. That's when you discover the billing system nobody told you about, or the recruiting tool sending as your domain. Check DMARC reports thoroughly at p=none before advancing. I've seen companies quarantine their own customer invoices because the finance team's tool wasn't in the authentication records.
Practitioner note: If you're at p=none and have been for months with no plan to advance — you're not protected. p=none is monitoring, not enforcement. Spoofed emails still arrive in recipients' inboxes. Make a plan to advance. The reports are there to help you do it safely.
Sources
- RFC 7489: DMARC (Section 6 — Policy)
- Google: DMARC Setup
v1.0 · March 2026
Frequently Asked Questions
What does p=none actually do?
It does nothing to the email itself: mail is delivered normally regardless of authentication. What it does is tell receiving servers to send you DMARC aggregate reports showing all authentication results. It's monitoring mode, and it is essential for discovering what sends email as your domain before enforcing.
What's the difference between quarantine and reject?
Quarantine sends failures to the spam folder — the recipient can find and read the email if they check spam. Reject blocks the email entirely — it never arrives, period. Use quarantine as a safety step before reject: if a legitimate sender is quarantined, you catch it before it's completely blocked.
How long should I stay at each level?
p=none: 2-4 weeks minimum (identify all senders). p=quarantine: 2-4 weeks (verify no legitimate email is quarantined). p=reject: permanent goal. Total path: 6-12 weeks. Don't rush — the cost of blocking legitimate email is higher than the cost of waiting.
Can I apply quarantine/reject to only some email?
Yes. The pct= tag controls what percentage of failures the policy applies to. Start with pct=25 (apply to 25% of failures), increase to 50, then 100. This limits the blast radius if something is misconfigured.
Does p=none satisfy Gmail/Yahoo requirements?
Yes. Gmail and Yahoo require DMARC to be published — p=none satisfies this minimum requirement. However, p=none provides zero protection against spoofing. You should advance to p=reject for actual security.