How to safely transition your DMARC policy to quarantine or reject
Matthew Whittaker
Co-founder & CTO, Suped
Published 11 Jul 2025
Setting up a DMARC record is a fantastic first step towards securing your email domain. It tells the world you're serious about protecting your brand from phishing and spoofing. But creating a DMARC record with a policy of 'none' is just the beginning of the journey. The real security benefits come when you confidently move to a policy of 'quarantine' or, even better, 'reject'. This is where many people get stuck, worried that they might accidentally block their own legitimate emails.
That fear is understandable, but it doesn't have to be a blocker. Transitioning your DMARC policy is a process that, when done carefully and methodically, can be perfectly safe. It’s not about flipping a switch overnight; it's about a gradual, data-driven approach. In this guide, I'll walk you through the exact steps to safely transition your DMARC policy from a passive monitoring state to a powerful enforcement policy, ensuring your legitimate mail keeps flowing while illegitimate mail gets stopped.
Before we dive into the transition process, let's quickly review what the different DMARC policies actually do. A DMARC policy instructs receiving mail servers on how to handle emails that claim to be from your domain but fail SPF and/or DKIM authentication checks.
p=none: This is the monitoring or 'report-only' mode. It has no impact on email delivery. It simply asks receivers to send you reports about your email traffic, which is crucial for the initial analysis phase.
p=quarantine: This policy asks receivers to treat unauthenticated emails as suspicious. Most will place these messages in the recipient's spam or junk folder. It's a lenient transitional policy that reduces the risk of outright blocking legitimate mail.
p=reject: This is the strongest policy. It instructs receivers to completely block any emails that fail DMARC checks. This offers the best protection against spoofing but requires complete confidence in your email authentication setup.
The entire process relies on starting with p=none. This phase is all about gathering data. By including a rua tag in your record, you'll start receiving aggregate reports. These reports are XML files that detail which servers are sending email on behalf of your domain and whether those emails are passing or failing authentication checks. This information is the bedrock of your transition plan.
Phase 1: Monitor and analyze with p=none
Your first DMARC record should always start with a monitoring policy. This allows you to collect data without any risk to your email delivery. The goal here is to get a complete picture of your entire email ecosystem. You need to identify every single service and server that sends email for your domain, from your primary mail provider like Google Workspace or Microsoft 365 to third-party services like marketing platforms, CRMs, and customer support tools.
You should let this monitoring phase run for at least a couple of weeks, but often longer. The duration isn't about a set number of days; it's about reaching a point where you are no longer discovering new, legitimate sending sources in your DMARC reports. For businesses with complex email setups, this could take a month or more. During this time, your job is to analyze the reports and ensure every legitimate source is properly configured with SPF and/or DKIM so that it passes DMARC.
Once your DMARC reports show that nearly all of your legitimate mail is passing DMARC checks, and you understand the source of any remaining failures, you're ready to consider moving to the next phase. Don't rush this; moving on too early is the most common mistake people make.
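As an added example (not code from the original post), the following Python parser reads the kind of aggregate (rua) report XML described above, run here over a constructed sample, and totals passing and failing mail per source IP so you can see which senders still need SPF/DKIM work before leaving p=none:

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample aggregate report, trimmed to the elements used below.
# One aligned source that passes, one unknown host that fails both SPF and DKIM.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>example-receiver</org_name></report_metadata>
  <policy_published><domain>example.com</domain><p>none</p><pct>100</pct></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>3</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
</feedback>"""

def summarize_report(xml_text):
    """Return {source_ip: {"total": n, "pass": n, "fail": n}} for one aggregate report.

    DMARC passes when aligned DKIM or aligned SPF passes; policy_evaluated/dkim and
    policy_evaluated/spf already carry the aligned result, so either "pass" is enough."""
    root = ET.fromstring(xml_text)
    summary = defaultdict(lambda: {"total": 0, "pass": 0, "fail": 0})
    for record in root.findall("record"):
        row = record.find("row")
        ip = row.findtext("source_ip")
        count = int(row.findtext("count"))
        evaluated = row.find("policy_evaluated")
        dmarc_pass = "pass" in (evaluated.findtext("dkim"), evaluated.findtext("spf"))
        summary[ip]["total"] += count
        summary[ip]["pass" if dmarc_pass else "fail"] += count
    return dict(summary)

def failing_sources(summary):
    """Source IPs with any failing mail, highest failure volume first: the list to investigate."""
    return sorted((ip for ip, s in summary.items() if s["fail"]), key=lambda ip: -summary[ip]["fail"])

def pass_rate(summary):
    """Fraction of all reported mail that passed DMARC, the figure to watch before moving on."""
    total = sum(s["total"] for s in summary.values())
    return sum(s["pass"] for s in summary.values()) / total if total else 0.0
```

Real reports arrive as gzip or zip attachments; decompress them first and feed each feedback document to summarize_report, merging the per-IP totals across reports and days.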
Phase 2: Transition to p=quarantine
Now that you're confident in your analysis, it's time to dip your toes in the water of enforcement. Instead of jumping straight to a full quarantine policy, we'll use a powerful but often overlooked tool: the percentage tag (pct). This tag lets you apply your policy to only a small percentage of failing emails, giving you a safe way to test the waters.
A record with p=quarantine; pct=5 tells receivers to apply the quarantine policy to just 5% of emails that fail DMARC. The other 95% will be treated as if the policy was p=none.
By starting with a low percentage, you can monitor your reports and ensure no legitimate mail is being unexpectedly sent to spam. It's a safety net. If you see any problems, you can quickly revert the change or fix the underlying authentication issue for that sending source without having caused a major delivery problem. As you gain confidence, you can gradually increase your DMARC record percentage.
Start at p=quarantine; pct=5
After a week of clean reports, move to pct=25
After another successful week, increase to pct=50
Finally, move to pct=100 (or simply p=quarantine, as 100 is the default if the tag is omitted).
Phase 3: Enforcing p=reject for maximum protection
Once you've been running at a full quarantine policy for a while with no issues, you can prepare for the final step: moving to p=reject. The difference between quarantine and reject is significant; a quarantine policy might allow a malicious email into a spam folder, but a reject policy stops it from being delivered at all. This is the ultimate goal for domain security.
Just like the move to quarantine, the switch to reject should be done gradually using the percentage tag. You can follow the exact same incremental process you used before. Start with p=reject; pct=5, monitor your reports, and slowly work your way up to 100%. This methodical approach minimizes risk and gives you multiple opportunities to catch any potential problems before they have a widespread impact.
p=quarantine
Impact: Failing mail is sent to the spam/junk folder. Delivery is not blocked, reducing the risk of lost legitimate messages if a source is misconfigured. It acts as a safety net during the transition.
Security level: Offers good protection by filtering suspicious mail away from the primary inbox, reducing the chances of a user interacting with a phishing attempt.
p=reject
Impact: Failing mail is blocked entirely and never reaches the recipient's mailbox. This is the most secure option but carries a higher risk if legitimate senders are not fully authenticated.
Security level: Provides the maximum level of protection against domain spoofing and direct phishing attacks, as malicious emails are prevented from being delivered at all.
Transitioning your DMARC policy is a marathon, not a sprint. By following this phased approach, moving from monitoring to quarantining and finally to rejecting, you can significantly bolster your email security without disrupting your business operations. Each step is built on the data and confidence gained in the previous one.
Remember, DMARC isn't a 'set and forget' protocol. Even after you reach p=reject, you should continue to monitor your reports. New sending services may be added over time, and you'll need to ensure they are properly authenticated. Staying vigilant is the key to maintaining long-term domain security.
Frequently asked questions
How long should I stay at p=none?
There's no fixed timeline. It depends entirely on the complexity of your email ecosystem. You should stay at p=none until your DMARC reports consistently show no new legitimate sending sources and all known sources are passing authentication. This could be a few weeks for a simple setup or several months for a large organization.
What if I see legitimate emails being quarantined?
If you see legitimate emails being quarantined, it means that sending source is not correctly configured for SPF and/or DKIM alignment. You should not move to a higher percentage or to p=reject. Instead, investigate the source in your DMARC reports, fix its authentication configuration, and continue monitoring until it passes DMARC checks consistently.
Can I have different policies for my main domain and subdomains?
Yes, you can. You can have a reject policy for your main domain and a different policy, like quarantine, for subdomains using the 'sp' tag. For example, v=DMARC1; p=reject; sp=quarantine; would enforce reject for your root domain but only quarantine for all subdomains. This can be useful if you're less certain about all the email sent from various subdomains.
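As an added example (not code from the original post), this Python snippet parses the DMARC record syntax used throughout this guide and applies the two defaults the text relies on: pct is 100 when omitted, and sp falls back to p for subdomains. It also returns the next value on the 5/25/50/100 ramp described in Phase 2. It assumes the organizational domain's record is the one a receiver applies to mail from a subdomain that has no record of its own.

```python
VALID_POLICIES = ("none", "quarantine", "reject")

def parse_dmarc_record(record):
    """Split 'v=DMARC1; p=reject; sp=quarantine;' into a dict of tag -> value.
    Tag names are case-insensitive; the trailing semicolon is optional."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError("malformed tag: %r" % part)
        name, value = part.split("=", 1)
        tags[name.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("record must begin with v=DMARC1")
    if tags.get("p") not in VALID_POLICIES:
        raise ValueError("p must be none, quarantine or reject")
    if "sp" in tags and tags["sp"] not in VALID_POLICIES:
        raise ValueError("sp must be none, quarantine or reject")
    return tags

def effective_policy(record, is_subdomain=False):
    """(policy, pct) a receiver would apply: sp falls back to p, pct defaults to 100."""
    tags = parse_dmarc_record(record)
    policy = tags.get("sp", tags["p"]) if is_subdomain else tags["p"]
    pct = int(tags.get("pct", "100"))
    if not 0 <= pct <= 100:
        raise ValueError("pct must be between 0 and 100")
    return policy, pct

def next_step(record, schedule=(5, 25, 50, 100)):
    """Next pct on the ramp used in this guide, or None once the record is already at 100."""
    _, pct = effective_policy(record)
    for step in schedule:
        if step > pct:
            return step
    return None
```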
Is it mandatory to move to p=reject?
While it is the ultimate goal for maximum security, some organizations may choose to stay at p=quarantine long-term. This is often a business decision where the risk of ever blocking a single legitimate email outweighs the risk of a spoofed email landing in a spam folder. However, for the best protection, moving to p=reject is highly recommended.