p=none vs p=quarantine vs p=reject: Which DMARC Policy Should You Use?
Published July 1, 2026
The p= tag in your DMARC record tells mailbox providers what to do with mail that claims to be your domain but fails authentication: p=none delivers it normally and just reports it, p=quarantine sends it to spam, and p=reject refuses it outright. Everyone should start at p=none to gather data, and move up only when reports show every legitimate sender passing. For most domains that's p=reject within one to two months.
What the policy tag controls, and what it doesn't
Your policy applies only to mail that fails DMARC (Domain-based Message Authentication, Reporting and Conformance): messages using your domain in the From line where neither SPF (Sender Policy Framework) nor DKIM (DomainKeys Identified Mail) passes with alignment. Legitimate mail that authenticates correctly is never touched by any policy, including reject.
The policy is also a request, not a command. Receivers apply it with local judgment: most honor it faithfully, but a provider that strongly believes a failing message is legitimate (a recognizable forwarded message, for example) may override it. In practice the major providers follow published policies closely enough that the distinctions below hold.
| Policy | Failing mail is… | Reports? | Risk to your own mail |
|---|---|---|---|
| p=none | Delivered normally | Yes | None (pure observation) |
| p=quarantine | Sent to spam/junk | Yes | Misconfigured senders land in spam |
| p=reject | Refused before delivery | Yes | Misconfigured senders bounce |
p=none: observation mode
p=none changes nothing about delivery: spoofed mail still lands in inboxes exactly as before. Its entire value is the reporting it switches on: with a rua address set, every major provider sends you daily aggregate reports listing every source sending as your domain and whether it authenticated.
Since 2024, p=none also carries a second meaning: it satisfies Gmail's and Yahoo's minimum DMARC requirement for bulk senders. That has led many domains to publish p=none and stop, which is a mistake: at p=none you are compliant but completely unprotected against spoofing. Treat it as the first step of a journey, not a destination.
p=quarantine: the spam-folder stage
At p=quarantine, receivers deliver failing mail to the recipient's spam or junk folder. At Gmail this literally means the Spam label; Microsoft 365 follows the quarantine or junk action configured by the receiving organization. The message still exists and a diligent recipient can find it, which is exactly the point of this stage: mistakes are recoverable.
Quarantine is where you catch the sender you missed. If a forgotten transactional system starts landing in spam, users notice, you get told, you fix its authentication, and no mail was permanently lost. The pct= tag makes this stage even gentler: pct=25 asks receivers to apply quarantine to only a random 25% of failing mail, so you can ramp 10 → 25 → 50 → 100 while watching reports between steps. Note that pct only meaningfully applies at quarantine and reject: pct with p=none does nothing.
p=reject: the destination
At p=reject, receiving servers refuse failing mail during delivery: it bounces back to the sender and never reaches a mailbox. This is the only policy that actually stops impersonation: a scammer sending fake invoices from your domain gets rejected at Gmail's front door rather than landing in a customer's spam folder, where the customer might still fish it out.
Reject is also the standard that matters commercially. Cyber-insurance questionnaires, enterprise vendor-security reviews, and government guidance increasingly ask specifically for p=reject, because anything weaker leaves spoofing partially functional.
Don't forget subdomains: the sp= tag
By default, your policy applies to all subdomains too: mail from anything.yourdomain.com inherits the p= value. The sp= tag lets you set a separate subdomain policy, which is useful in both directions.
During rollout, sp=none with p=quarantine lets you enforce on your main domain while still observing subdomain traffic. At the end state, many organizations flip it: p=reject with sp=reject explicitly, because attackers who find the main domain locked down routinely pivot to spoofing plausible-looking subdomains like billing.yourdomain.com. If a subdomain never sends mail, rejecting for it costs nothing.
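The interaction of p=, sp= and pct= described above, as an added example (not code from this page or from any mailbox provider): it resolves which policy a receiver is asked to apply to one failing message. The records, the example.com addresses and the `roll` argument standing in for the receiver's random sampling are assumptions.

```python
# Next-weaker policy for failing mail that falls outside the pct= sample (RFC 7489).
DOWNGRADE = {"reject": "quarantine", "quarantine": "none", "none": "none"}

def parse_dmarc(record):
    """Parse a DMARC TXT record into a dict keyed by lower-cased tag name."""
    tags = {}
    for part in record.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p", "").lower() not in DOWNGRADE:
        raise ValueError("not a usable DMARC record: " + record)
    return tags

def requested_policy(tags, is_subdomain):
    """sp= overrides p= for subdomains only; without sp=, subdomains inherit p=."""
    if is_subdomain and tags.get("sp", "").lower() in DOWNGRADE:
        return tags["sp"].lower()
    return tags["p"].lower()

def applied_policy(tags, is_subdomain, roll):
    """roll: the receiver's random draw in 0..99 for one failing message (assumed model)."""
    policy = requested_policy(tags, is_subdomain)
    pct = int(tags.get("pct", "100"))
    return policy if roll < pct else DOWNGRADE[policy]

# Constructed records: a rollout stage, and a ramp into reject.
ROLLOUT = parse_dmarc("v=DMARC1; p=quarantine; sp=none; pct=25; rua=mailto:dmarc@example.com")
RAMP = parse_dmarc("v=DMARC1; p=reject; pct=50; rua=mailto:dmarc@example.com")

if __name__ == "__main__":
    for name, tags in (("rollout", ROLLOUT), ("ramp", RAMP)):
        for sub in (False, True):
            print(name, "subdomain" if sub else "main domain",
                  [applied_policy(tags, sub, r) for r in (10, 60)])
```

With the ramp record, a subdomain still gets reject because no sp= tag is present, which is the inheritance the section describes.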
Readiness criteria for each step
The move between policies should be driven by report data, not the calendar. Before each tightening step, check that all of these hold:
- Every sending source in your reports is identified: you know what service or system each one is
- Every legitimate source passes DMARC with alignment (unknown-but-failing sources should be spoofers, not mysteries)
- Your overall pass rate has held above roughly 98% of legitimate volume for at least two consecutive weeks
- No new legitimate senders have appeared in reports during those two weeks
- You've confirmed low-volume senders: invoicing, password resets, calendar invites, scan-to-email devices
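One way to check these criteria against a single aggregate report, as an added example (not code from this page or from any reporting product). The report XML is constructed and trimmed to the fields used, the sender inventory is hypothetical, and the two-week criteria would need the same check run over every report in the window.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed aggregate report, trimmed to the RFC 7489 fields this check reads.
SAMPLE_REPORT = """<feedback>
 <record><row><source_ip>192.0.2.10</source_ip><count>980</count>
  <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
 <record><row><source_ip>192.0.2.25</source_ip><count>12</count>
  <policy_evaluated><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row></record>
 <record><row><source_ip>198.51.100.7</source_ip><count>8</count>
  <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
 <record><row><source_ip>203.0.113.99</source_ip><count>40</count>
  <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
</feedback>"""

# Hypothetical inventory of sources you have identified as your own.
KNOWN_SENDERS = {"192.0.2.10": "mail platform", "192.0.2.25": "invoicing",
                 "198.51.100.7": "scan-to-email device"}

def readiness(report_xml, known, min_rate=0.98):
    """Evaluate one report: pass rate of known senders, failing senders, untriaged sources."""
    totals, passes = defaultdict(int), defaultdict(int)
    # Real reports are third-party input: parse them with a hardened XML parser.
    for row in ET.fromstring(report_xml).iter("row"):
        ip = row.findtext("source_ip")
        count = int(row.findtext("count"))
        evaluated = row.find("policy_evaluated")
        totals[ip] += count
        # policy_evaluated holds aligned results: DMARC passes if either one is "pass".
        if "pass" in (evaluated.findtext("dkim"), evaluated.findtext("spf")):
            passes[ip] += count
    legit = [ip for ip in totals if ip in known]
    legit_total = sum(totals[ip] for ip in legit)
    rate = sum(passes[ip] for ip in legit) / legit_total if legit_total else 0.0
    failing = sorted(known[ip] for ip in legit if passes[ip] < totals[ip])
    # Any source not in the inventory still needs triage: spoofer or forgotten sender.
    unidentified = sorted(ip for ip in totals if ip not in known)
    return {"pass_rate": rate, "failing_senders": failing, "unidentified": unidentified,
            "ready": rate >= min_rate and not failing and not unidentified}

if __name__ == "__main__":
    print(readiness(SAMPLE_REPORT, KNOWN_SENDERS))
```

In the sample, the known senders pass 99.2% of their volume, yet the result is not ready: the low-volume scan-to-email device fails outright and one source is still untriaged.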
Frequently asked questions
- Is p=none good enough for Gmail and Yahoo compliance?
  Yes. Their bulk-sender rules require DMARC at any policy, and p=none qualifies. But compliance and protection are different things: at p=none, anyone can still spoof your domain and the mail gets delivered. Use p=none as a starting point, not an end state.
- Can I go straight to p=reject?
  Only if you're certain about every sender, and almost nobody is. Domains that jump straight to reject typically discover a forgotten newsletter tool or invoicing system when its mail starts bouncing. A few weeks at p=none costs nothing and removes that risk.
- What does pct=50 with p=reject actually do?
  Receivers apply reject to a random half of failing messages and downgrade the rest to quarantine. It's a way to ramp into full enforcement gradually. Note that Yahoo has historically not honored pct fully, so treat it as a softening mechanism, not a precise dial.