DMARC quarantine (p=quarantine): What it means and when to use it

Understand what the DMARC quarantine policy does, when to use p=quarantine, and how to safely move toward DMARC enforcement

If you’re rolling out DMARC, there’s a good chance you’ve run into the p=quarantine policy and wondered: “Do I actually need this step, or should I just go straight to reject?”

Fair question.

DMARC enforcement doesn’t have to (and probably shouldn’t) be an all-or-nothing leap. For many organizations, p=quarantine acts as a useful middle ground between monitoring and full rejection. This stage gives you a chance to actively protect your domain while still keeping an eye on legitimate traffic that might not be fully authenticated yet.

In other words: quarantine lets you tighten security without immediately slamming the door shut.

In this guide, we’ll cover:

  • What the DMARC quarantine policy actually does
  • How quarantine fits into the larger DMARC enforcement journey
  • Differences between quarantine and reject, and when you should choose either policy
  • Taking a phased approach to quarantine as you improve SPF and DKIM alignment

Let’s get into it.

Comparing DMARC policies: none vs. quarantine vs. reject

DMARC has three policy levels, each representing a different stage of enforcement.

You can think of them as a progression, with the quarantine stage firmly in the middle:

  1. p=none → Observing
  2. p=quarantine → Filtering
  3. p=reject → Blocking

| DMARC policy | What it does | Typical use case |
| --- | --- | --- |
| p=none | Visibility only: Monitors email traffic without affecting deliverability | Initial visibility and assessment |
| p=quarantine | Controlled filtering: Sends suspicious mail to spam or junk folders | Risk reduction and transitional enforcement |
| p=reject | Full protection: Blocks unauthenticated mail completely | Full enforcement and strongest level of protection |

Many organizations move through these stages over time as they gain confidence in their email authentication setup. We cover the importance of this progression in more detail down below.

What does p=quarantine actually mean in DMARC?

The DMARC quarantine policy tells receiving mail servers to treat suspicious email cautiously instead of fully accepting it. In a DMARC record, the policy looks like this: 

v=DMARC1; p=quarantine;

At a technical level, p=quarantine tells mailbox providers: “This message failed DMARC authentication. Treat it as suspicious.”

That suspicion traces back to two checks:

  1. SPF alignment failed
  2. DKIM alignment failed

If neither passes in alignment with the sending domain, the message fails DMARC.

When this happens, the receiving provider may:

  • Send the message to spam or junk
  • Flag it as suspicious
  • Place it in a quarantine folder
  • Apply additional filtering rules

Importantly, p=quarantine does not guarantee blocking the way p=reject does, and that’s the key difference between the two policies.

With a reject policy, the receiving server should refuse delivery outright. With quarantine, the message still may reach the recipient, but the recipient is much less likely to see or trust it.

This distinction is crucial because mailbox providers don’t all handle quarantine the same way. Gmail, Microsoft, Yahoo!, and others may interpret quarantine recommendations differently based on their own filtering systems and sender reputation models. 
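The pass/fail rule described above, as an added example (not code from the original article): a message passes DMARC when SPF or DKIM passes for a domain aligned with the From domain. The `aspf`/`adkim` alignment modes are real DMARC tags that the article does not cover; the two-label `org_domain` shortcut and all sample domains are assumptions.

```python
def org_domain(domain):
    # Assumption: last two labels. Real evaluators use the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode="r"):
    """mode 'r' (relaxed): same organizational domain; 's' (strict): exact match."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)

def dmarc_result(from_domain, spf, dkim_sigs, aspf="r", adkim="r"):
    """spf is (result, MAIL FROM domain); dkim_sigs is a list of (result, d= domain)."""
    spf_ok = spf[0] == "pass" and aligned(spf[1], from_domain, aspf)
    dkim_ok = any(res == "pass" and aligned(d, from_domain, adkim)
                  for res, d in dkim_sigs)
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if spf_ok or dkim_ok else "fail"}

# Constructed messages, all with a From: address at example.com.
# 1. Third-party sender: SPF and DKIM both pass, but for the vendor's own domain.
VENDOR_UNALIGNED = dmarc_result(
    "example.com", ("pass", "bounce.mailvendor.test"), [("pass", "mailvendor.test")])
# 2. Same vendor after DKIM signing is set up with the customer's domain.
VENDOR_DKIM_ALIGNED = dmarc_result(
    "example.com", ("pass", "bounce.mailvendor.test"), [("pass", "mail.example.com")])
# 3. Spoofed message: SPF fails and there is no signature.
SPOOFED = dmarc_result("example.com", ("fail", "example.com"), [])

if __name__ == "__main__":
    for name, result in [("vendor, unaligned", VENDOR_UNALIGNED),
                         ("vendor, DKIM aligned", VENDOR_DKIM_ALIGNED),
                         ("spoofed", SPOOFED)]:
        print(f"{name:22} {result}")
```

The first case is the one that surprises teams during rollout: a legitimate vendor whose mail authenticates cleanly still fails DMARC until one of its identifiers aligns with your domain.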


Why you should implement a quarantine policy before moving to reject

Moving directly from p=none to p=reject can feel risky, especially for large organizations with complicated email ecosystems.

Most companies send mail from more places than they realize: marketing automation tools, CRM platforms, HR programs, ticketing systems, third-party vendors, and more. If even one legitimate sender isn’t configured correctly for SPF or DKIM alignment, a reject policy can stop important emails from flowing and create a whole new set of challenges. 

Quarantine provides a safer transition point, acting as a practical bridge between visibility and full protection and allowing you to verify that email authentication settings are working correctly and in place for every legitimate sender before moving to p=reject.

You get plenty of time to:

  • Reduce phishing exposure
  • Test enforcement gradually
  • Identify legitimate senders that still fail DMARC
  • Limit disruption while tightening security

Once you’ve confirmed that all the right emails are getting through and all the questionable ones are getting quarantined, you can move to p=reject with confidence.

DMARC quarantine or reject: which should you choose?

This is one of the most common DMARC questions, and the answer depends on where you are in your enforcement journey.

Choose a quarantine policy if:

  • You recently enabled DMARC
  • You’re still discovering legitimate email sources
  • Your organization has a large or decentralized email infrastructure
  • You want to reduce spoofing risk without fully blocking mail yet
  • You need time to validate SPF and DKIM alignment

Choose a reject policy if:

  • You have visibility into all legitimate senders
  • Your authentication setup is stable
  • You want maximum anti-phishing protection
  • You’re ready for full enforcement
  • You want spoofed mail blocked before delivery

While a reject policy provides stronger protection because it prevents fraudulent mail from reaching inboxes entirely, quarantine still delivers meaningful security improvements over p=none.

Taking a phased approach to DMARC quarantine

If your organization isn’t ready for a reject policy yet, a phased rollout is usually the safest approach.

Here’s a basic DMARC quarantine policy:

v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.com;

This record:

But many organizations don’t start by quarantining all failing mail immediately. Instead, they use the pct (percentage) tag to roll out enforcement gradually while monitoring for legitimate traffic that still fails authentication.

For example:

v=DMARC1; p=quarantine; pct=25;

In this case, only 25% of failing messages receive quarantine treatment. 

As you start validating SPF and DKIM alignment and verifying more legitimate email sources, you can increase the percentage of failing mail that gets quarantined. 

A phased rollout may look something like this:

  • pct=10
  • pct=25
  • pct=50
  • pct=100
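To make the pct stages concrete, here is an added example (not code from the original article) that parses a DMARC record and shows what happens to 100 failing messages at a given pct. The fallback to the next-lower policy for unsampled mail follows RFC 7489 and is not stated in the article; the fixed `bucket` argument is an assumption standing in for the receiver's random sampling.

```python
# Policy applied to failing mail that is NOT selected by pct (RFC 7489).
NEXT_LOWER = {"reject": "quarantine", "quarantine": "none", "none": "none"}

def parse_dmarc(record):
    """Parse a DMARC TXT record and validate the v, p and pct tags."""
    tags = {}
    for part in record.split(";"):
        if not part.strip():
            continue
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part.strip()!r}")
        tags.setdefault(name.strip().lower(), value.strip())
    if next(iter(tags), None) != "v" or tags["v"] != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    policy = tags.get("p", "").lower()
    if policy not in NEXT_LOWER:
        raise ValueError(f"missing or invalid p tag: {policy!r}")
    pct = int(tags.get("pct", "100"))  # pct defaults to 100 when absent
    if not 0 <= pct <= 100:
        raise ValueError("pct must be between 0 and 100")
    return {"p": policy, "pct": pct, "rua": tags.get("rua")}

def disposition(policy, bucket):
    """Policy for one message that failed DMARC; bucket is 0..99 (assumption)."""
    return policy["p"] if bucket < policy["pct"] else NEXT_LOWER[policy["p"]]

def simulate(record):
    """Count dispositions for 100 failing messages, one per sampling bucket."""
    policy = parse_dmarc(record)
    counts = {}
    for bucket in range(100):
        d = disposition(policy, bucket)
        counts[d] = counts.get(d, 0) + 1
    return counts

if __name__ == "__main__":
    for pct in (10, 25, 50, 100):
        print(pct, simulate(f"v=DMARC1; p=quarantine; pct={pct};"))
```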

This gradual approach gives your security and IT teams room to:

  • Monitor DMARC reports
  • Identify overlooked senders
  • Fix SPF or DKIM alignment issues
  • Reduce the risk of disrupting legitimate email

If you have multiple business units, decentralized email management, older or difficult-to-track sending infrastructures, or work with several third parties that send on your behalf, the phased approach will help you reach enforcement without negatively impacting deliverability along the way. 
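For the report-monitoring step above, an added example (not from the original article) that reads an aggregate report sent to the rua address and lists the sources whose mail failed DMARC, largest first. The XML is a constructed fragment using the RFC 7489 aggregate report element names, and the IP addresses are documentation ranges.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed aggregate (rua) report, trimmed to the fields used below.
REPORT = """<feedback>
 <policy_published><domain>example.com</domain><p>quarantine</p><pct>25</pct></policy_published>
 <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
  <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers></record>
 <record><row><source_ip>198.51.100.7</source_ip><count>10</count>
  <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers></record>
 <record><row><source_ip>198.51.100.7</source_ip><count>30</count>
  <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers></record>
 <record><row><source_ip>203.0.113.99</source_ip><count>3</count>
  <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers></record>
</feedback>"""

def failing_sources(xml_text):
    """Return (source_ip, header_from, messages, dispositions) per failing source."""
    # Reports arrive from outside parties: in production, parse them with a
    # hardened XML parser (for example defusedxml) instead of plain ElementTree.
    root = ET.fromstring(xml_text)
    totals, dispositions = Counter(), {}
    for rec in root.iter("record"):
        ev = rec.find("row/policy_evaluated")
        # policy_evaluated holds the aligned results; one pass means DMARC passed.
        if "pass" in (ev.findtext("dkim"), ev.findtext("spf")):
            continue
        key = (rec.findtext("row/source_ip"), rec.findtext("identifiers/header_from"))
        n = int(rec.findtext("row/count"))
        totals[key] += n
        dispositions.setdefault(key, Counter())[ev.findtext("disposition")] += n
    return [(ip, hdr, n, dict(dispositions[(ip, hdr)]))
            for (ip, hdr), n in totals.most_common()]

if __name__ == "__main__":
    for row in failing_sources(REPORT):
        print(row)
```

A source with a steady volume of failures is worth checking against your list of known senders before raising pct; a handful of failures from an unknown address is more likely spoofing that the policy is already catching.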

Move through DMARC with more confidence

Getting to DMARC enforcement sounds straightforward until you start uncovering all the systems, vendors, and services sending email on your behalf. Many organizations reach this place and get stuck in monitoring mode far longer than they’d planned. 

Valimail helps you simplify the path from p=none to p=quarantine and ultimately to full enforcement by giving you more visibility into your email ecosystem, identifying authentication gaps, and helping you increase security with less manual work and fewer deliverability surprises. 

Whether you’re just starting DMARC or trying to safely move beyond quarantine, we’ve got you covered. 

Frequently asked questions

What’s the difference between p=quarantine and p=reject?

A quarantine policy filters suspicious email while a reject policy blocks it outright. With p=quarantine, failing messages may still get delivered to spam or junk folders. With p=reject, the receiving server should refuse delivery entirely.

Should I use DMARC quarantine before reject?

In most cases, yes. Quarantine gives you time to validate legitimate senders, fix SPF and DKIM alignment issues, and safely test enforcement before moving to full rejection. This phased approach helps reduce the risk of accidentally blocking legitimate email.

Can emails still get delivered with a quarantine policy?

Yes. That’s one of the main differences between quarantine and reject. Mailbox providers can still deliver quarantined messages, but they’ll usually apply spam filtering or warning mechanisms that make the messages less visible and less trustworthy to recipients.

What does the pct tag do in a DMARC quarantine policy?

The pct tag controls the percentage of failing messages affected by the policy. Using this tag can help you gradually increase the percentage of quarantined mail as you gain confidence in your email authentication setup.
