What are the best practices for implementing a DMARC policy, and should you use reject or quarantine?

Matthew Whittaker
Co-founder & CTO, Suped
Published 23 May 2025
Updated 16 Aug 2025
5 min read
Implementing a DMARC policy is a crucial step for securing your domain against email spoofing, phishing, and other unauthorized uses. It works alongside SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) to give mailbox providers clear instructions on how to handle emails that claim to be from your domain but fail authentication checks.
The core of a DMARC policy lies in the action you instruct receiving mail servers to take: none, quarantine, or reject. Each policy level has distinct implications for your email deliverability and security posture, and choosing the right one requires a thoughtful approach.
Many organizations wonder if they should jump straight to a reject policy or if a phased rollout, starting with quarantine, is the safer and more effective path. Let's explore the best practices for DMARC policy implementation and navigate the nuances between these crucial policy options.

The foundations of DMARC

DMARC builds upon the existing email authentication protocols, SPF and DKIM. SPF specifies which mail servers are authorized to send email on behalf of your domain, while DKIM uses cryptographic signatures to verify that an email hasn't been tampered with in transit. DMARC ties these together by providing a framework for policy enforcement and reporting.
For email receivers like Google and Yahoo, DMARC is critical for determining whether an incoming email is legitimate or a potential spoofing attempt. A correctly configured DMARC policy significantly enhances your domain's reputation, which is vital for ensuring your emails reach the inbox rather than the spam folder or a blocklist (or blacklist).
Without a DMARC policy, or with one set to p=none, you're essentially allowing anyone to send emails pretending to be from your domain, which makes your brand vulnerable to phishing attacks. This is why major mailbox providers now require DMARC for bulk senders.

The DMARC policy rollout journey

The recommended approach to DMARC implementation is a gradual, phased rollout, starting with a p=none policy. This policy instructs receiving servers to take no action on emails that fail DMARC authentication, but receivers still send aggregate (RUA) and forensic (RUF) reports to the addresses named in your record.
These reports are invaluable for gaining visibility into your email ecosystem, identifying legitimate sending sources that might not be correctly authenticated, and detecting malicious activity. It's crucial to analyze these reports thoroughly to ensure all your legitimate email streams are passing SPF and DKIM authentication with proper DMARC alignment. You can find more details on when to switch DMARC policies to an enforcing state.
A typical DMARC record with a p=none policy might look like this:
Example DMARC record for monitoring (DNS TXT record):

v=DMARC1; p=none; rua=mailto:reports@yourdomain.com; ruf=mailto:forensic@yourdomain.com; fo=1;

Choosing your enforcement: quarantine or reject?

Once you have a clear understanding of your email sending infrastructure and are confident that all legitimate emails are correctly authenticated, you can begin the transition to an enforcing policy. The choice between quarantine and reject depends on your risk tolerance and the maturity of your DMARC implementation. It is important to understand the impact of each policy.

Quarantine (p=quarantine)

What it does

  1. Spam folder delivery: Emails that fail DMARC authentication are accepted by the receiving server but are typically placed in the recipient's spam or junk folder. The final decision often rests with the recipient's mail service.
  2. Less disruptive: This policy is a safer intermediate step as it minimizes the risk of legitimate emails being completely blocked if there are still any misconfigurations or unknown sending sources.

When to use it

  1. Testing phase: Ideal after p=none to catch any lingering issues before full enforcement. It's a key part of Microsoft's DMARC setup guidance.
  2. Gradual rollout: Allows you to monitor for false positives without immediately blocking emails.

Reject (p=reject)

What it does

  1. Outright rejection: Emails that fail DMARC authentication are rejected by the receiving server and are not delivered to the recipient at all. This provides the strongest protection against spoofing.
  2. Zero tolerance: Ensures that only emails that properly authenticate and align with your DMARC policy reach the inbox.

When to use it

  1. Full enforcement: Once you are 100% confident that all legitimate emails sent from your domain will pass DMARC, p=reject offers the highest level of security.
  2. Protecting against spoofing: It's the ultimate defense against impersonation and phishing attacks that leverage your domain.
Transitioning directly from p=none to p=reject without a quarantine phase is generally not recommended unless you have a very simple email setup and absolute certainty about all your sending sources. Even then, it carries significant risk. You can learn more about how to implement p=reject safely.

Best practices for DMARC implementation

When moving towards an enforcing DMARC policy, consider using the pct (percentage) tag. This allows you to apply your policy to a subset of your email traffic, typically starting with a small percentage and gradually increasing it. For instance, p=quarantine; pct=10; means only 10% of unauthenticated emails will be quarantined, while the rest are treated as p=none. This provides a controlled way to safely transition your DMARC policy without causing widespread deliverability issues.
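An added example, not from the article or from Suped, of how a receiver that honours pct arrives at a disposition for each message that fails DMARC. It goes one step beyond the text: RFC 7489 section 6.6.4 has the unsampled remainder receive the next weaker policy, so with p=reject the remainder is quarantined rather than treated as none. The record string, the message IDs and the hash-based sampling are constructed for the simulation; real receivers make their own random draw, and not every receiver applies pct.

```python
"""Effective DMARC disposition under pct= sampling (added example; not Suped's code)."""
import hashlib

# Constructed record from the article's example. pct applies only to mail that FAILS
# DMARC; mail that passes is delivered normally regardless of pct.
RECORD = "v=DMARC1; p=quarantine; pct=10; rua=mailto:reports@yourdomain.com"

# A failing message that pct does not select gets the next weaker policy
# (RFC 7489 6.6.4): reject -> quarantine, quarantine -> none.
STEP_DOWN = {"reject": "quarantine", "quarantine": "none", "none": "none"}


def parse_tags(record: str) -> dict:
    """Minimal tag=value split; full record validation is a separate concern."""
    return {k.strip().lower(): v.strip()
            for k, v in (t.split("=", 1) for t in record.split(";") if "=" in t)}


def effective_disposition(policy: str, pct: int, sample: int) -> str:
    """Disposition a receiver applies to ONE message that failed DMARC.
    `sample` stands in for the receiver's random draw in 0..99; draws below pct
    get the published policy, the rest get the stepped-down policy."""
    if policy not in STEP_DOWN:
        raise ValueError(f"unknown policy {policy!r}")
    if not 0 <= pct <= 100:
        raise ValueError(f"pct out of range: {pct}")
    return policy if sample < pct else STEP_DOWN[policy]


def sample_for(message_id: str) -> int:
    """Deterministic stand-in for the receiver's draw so the simulation is repeatable."""
    return int(hashlib.sha256(message_id.encode()).hexdigest(), 16) % 100


def simulate(record: str, failing_message_ids) -> dict:
    """Count the dispositions a pct-honouring receiver gives a batch of failing messages."""
    tags = parse_tags(record)
    policy, pct = tags.get("p", "none"), int(tags.get("pct", "100"))
    counts = {"reject": 0, "quarantine": 0, "none": 0}
    for mid in failing_message_ids:
        counts[effective_disposition(policy, pct, sample_for(mid))] += 1
    return counts


if __name__ == "__main__":
    ids = [f"<msg{i}@yourdomain.com>" for i in range(1000)]  # constructed message IDs
    print("p=quarantine; pct=10 ->", simulate(RECORD, ids))
    print("p=reject; pct=50     ->", simulate("v=DMARC1; p=reject; pct=50", ids))
```

The simulation makes the trade-off in the paragraph concrete: raising pct widens the share of failing mail that gets the full policy, and at p=reject the part that is not rejected is still quarantined, so a misconfigured legitimate source is never silently delivered once you leave p=quarantine.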

Transitioning to DMARC enforcement

  1. Monitor reports: Continuously analyze DMARC reports to identify all legitimate sending services and ensure they pass SPF/DKIM authentication and DMARC alignment. Look for any unexpected sources or failures.
  2. Iterate policy: Start with p=none, move to p=quarantine (optionally with pct), and only then consider p=reject when you are fully confident.
  3. Educate stakeholders: Ensure your team, especially marketing and IT, understands DMARC's implications and how it affects email deliverability.
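The "Monitor reports" step above, like the RUA reports described in the rollout section, comes down to reading aggregate-report XML. As an added example (not the article's or Suped's code), the Python below parses a small report in the RFC 7489 aggregate schema, works out which sources pass DMARC, and lists what has to be resolved before moving past p=none. The report XML, the IP addresses and the table of known sources are constructed for the example; real reports arrive as gzip or zip attachments that you would unpack first.

```python
"""Summarise a DMARC aggregate (RUA) report (added example; not Suped's code)."""
import xml.etree.ElementTree as ET

# Constructed sample in the RFC 7489 Appendix C schema, trimmed to the elements used here.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>receiver.example</org_name><report_id>1</report_id></report_metadata>
  <policy_published><domain>yourdomain.com</domain><p>none</p><pct>100</pct></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>40</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>203.0.113.99</source_ip><count>15</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
  </record>
</feedback>"""

# Hypothetical inventory of sending sources you maintain yourself (IP -> service name).
KNOWN_SOURCES = {"192.0.2.10": "corporate mail relay", "198.51.100.7": "marketing ESP"}


def summarize_rua(xml_text: str, known: dict) -> dict:
    """Aggregate a report by source IP and flag what blocks enforcement.

    In policy_evaluated, <dkim> and <spf> are the ALIGNED results, so a message
    passes DMARC when either of them is 'pass'."""
    root = ET.fromstring(xml_text)
    published = root.findtext("policy_published/p")
    total = passed = 0
    sources = []
    for rec in root.iter("record"):
        ip = rec.findtext("row/source_ip")
        count = int(rec.findtext("row/count"))
        dkim = rec.findtext("row/policy_evaluated/dkim")
        spf = rec.findtext("row/policy_evaluated/spf")
        dmarc_pass = "pass" in (dkim, spf)
        total += count
        passed += count if dmarc_pass else 0
        sources.append({"ip": ip, "count": count, "dkim": dkim, "spf": spf,
                        "dmarc_pass": dmarc_pass, "label": known.get(ip)})

    findings = []
    for s in sources:
        if s["label"] is None:
            # Could be a service nobody told IT about, or someone spoofing the domain.
            findings.append(f"{s['ip']}: unknown source, {s['count']} messages, "
                            f"DMARC {'pass' if s['dmarc_pass'] else 'fail'}; identify it before enforcing")
        elif not s["dmarc_pass"]:
            findings.append(f"{s['ip']} ({s['label']}): fails DMARC; fix before moving past p={published}")
        elif "fail" in (s["dkim"], s["spf"]):
            # Passing on one mechanism only is fragile: forwarding breaks SPF, re-signing breaks DKIM.
            findings.append(f"{s['ip']} ({s['label']}): only one of DKIM/SPF aligned; fragile")

    return {"published_policy": published, "total": total, "passed": passed,
            "pass_rate": passed / total if total else 0.0,
            "sources": sources, "findings": findings,
            "ready_for_enforcement": not findings}


if __name__ == "__main__":
    summary = summarize_rua(SAMPLE_REPORT, KNOWN_SOURCES)
    print(f"published p={summary['published_policy']}, "
          f"{summary['passed']}/{summary['total']} messages pass DMARC")
    for line in summary["findings"]:
        print(" -", line)
    print("ready for enforcement:", summary["ready_for_enforcement"])
```

Run this over every report you receive, not just one: a source that sends monthly invoices only shows up in one report a month, and the findings list is what the "iterate policy" step waits on.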

Views from the trenches

Best practices

  1. Start with p=none and analyze DMARC reports thoroughly to map all legitimate sending sources.
  2. Gradually move to p=quarantine, using the pct tag for a phased rollout if needed.
  3. Ensure all third-party email service providers (ESPs) sending on your behalf are correctly configured for SPF and DKIM.
  4. Regularly monitor DMARC reports even after reaching p=reject to detect any new issues or unauthorized senders.
  5. For domains that should not send email, set a DMARC policy of p=reject immediately.

Common pitfalls

  1. Skipping the p=none or p=quarantine phases and jumping directly to p=reject, leading to legitimate emails being blocked.
  2. Not monitoring DMARC reports, thus missing issues with legitimate email flows or ongoing spoofing attempts.
  3. Ignoring the pct tag, which can cause large-scale disruptions if issues arise during policy enforcement.
  4. Failing to account for all legitimate sending sources, including transactional, marketing, and internal systems.
  5. Assuming all mailbox providers treat quarantine and reject policies identically, which is not always the case.

Expert tips

  1. Use DMARC monitoring services to easily interpret aggregate reports and identify authentication failures.
  2. Consider a DMARC policy of p=quarantine for parked or non-sending domains until you are ready for reject.
  3. Regularly review your DMARC record to ensure it is up-to-date with your current email sending practices.
  4. Implement DMARC for all your domains, including subdomains, to achieve comprehensive protection.
  5. Collaborate between IT, security, and marketing teams to ensure a smooth DMARC implementation process.

Marketer view
A marketer from Email Geeks says to apply DMARC policy to a low percentage of messages initially using the percentage options. This allows for safe scaling.
2023-09-02 - Email Geeks
Marketer view
A marketer from Email Geeks says to dial up enforcement as confidence grows that no legitimate mail flows are impacted, eventually reaching 100%.
2023-09-02 - Email Geeks

Securing your email future

Implementing a DMARC policy, whether quarantine or reject, is a critical component of modern email security. It protects your brand, prevents abuse of your domain, and ultimately contributes to better email deliverability.
While reject offers the highest level of protection, a cautious and informed approach, typically involving a phased rollout starting with none and progressing to quarantine, is the most prudent strategy to ensure continuous email flow and prevent unintended disruptions. The key is thorough monitoring and a commitment to maintaining correct authentication for all your legitimate email.
