
Does 'p=quarantine' deliver mail to the inbox or spam folder?

The short answer is: a DMARC policy of p=quarantine instructs receiving mail servers to deliver emails that fail DMARC authentication checks to the spam or junk folder, not the primary inbox. It's a middle ground between taking no action (p=none) and outright rejecting the message (p=reject).

When you set a quarantine policy, you're telling the world's email providers like Gmail and Outlook to be suspicious of any mail claiming to be from your domain that doesn't pass the necessary checks. Instead of letting it land in the inbox where it could do harm, you're asking them to sideline it for review. As Sendmarc puts it, this policy tells servers to quarantine emails by moving them to the Spam or Junk folder.

DuoCircle says: "p=quarantine moves suspicious emails to the spam folder, thus preventing phishing."

How mailbox providers treat a quarantine policy

It's important to understand that a DMARC policy is a strong request, not an unbreakable command. The final decision on where an email lands always rests with the receiving mail server. However, in practice, all major mailbox providers take DMARC policies very seriously. If you set your policy to p=quarantine, you can be confident that providers like Gmail, Microsoft 365, and Yahoo Mail will divert failing messages away from the inbox.

Mailgun says: "For DMARC, this means sending unqualified mail to the spam folder..."

Some documentation, especially in enterprise contexts, mentions a dedicated "quarantine mailbox" where an administrator can review messages. While this exists in some corporate environments, for the vast majority of email received by consumer mailboxes, quarantine simply means delivery to the junk folder.

What triggers a p=quarantine policy?

The p=quarantine policy is triggered only when an email fails DMARC authentication. This is a specific condition: it doesn't mean the email merely looks spammy; it means it failed a fundamental identity check. A DMARC failure occurs when an email fails both the SPF and DKIM checks, with alignment counted as part of each check.

Spiceworks Community says: "With that said, if either SPF or DKIM fail the message will pass, but if both fail the email will be sent to the recipient's spam/junk folder."

Here's a quick breakdown:

  • SPF (Sender Policy Framework): This check verifies that the server sending the email is on a list of approved servers for your domain. For DMARC to pass, the domain in the "From" header must align with the domain used for the SPF check.
  • DKIM (DomainKeys Identified Mail): DKIM adds a digital signature to your email so that receivers can verify it hasn't been tampered with. For DMARC, the domain in that signature must align with the domain in the "From" header.

An email only fails DMARC if it fails both of these mechanisms. If it passes just one of them, it passes the DMARC check, and the quarantine policy won't be applied.
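
The pass/fail rule above, written out as a receiver-side check. This is an added example, not code from any mailbox provider: the Message structure, the sample domains, and the two-label org_domain() shortcut are assumptions made for illustration. It shows the case that catches most senders out, where SPF and DKIM both pass on their own but neither is aligned with the "From" domain.

```python
from dataclasses import dataclass, field

def org_domain(domain):
    # Assumption: organizational domain = last two labels. Real receivers
    # use the Public Suffix List (needed for suffixes such as co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, strict):
    if strict:  # aspf=s / adkim=s: exact match required
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def parse_dmarc(record):
    # "v=DMARC1; p=quarantine" -> {"v": "DMARC1", "p": "quarantine"}
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    return {k.strip().lower(): v.strip() for k, v in pairs}

@dataclass
class Message:
    from_domain: str            # domain in the visible From header
    spf_result: str             # "pass", "fail", "none", ...
    spf_domain: str             # envelope sender (MAIL FROM) domain
    dkim: list = field(default_factory=list)  # [(result, d= domain), ...]

def evaluate(msg, record):
    """Return (dmarc_result, policy_requested_of_the_receiver)."""
    tags = parse_dmarc(record)
    spf_ok = msg.spf_result == "pass" and aligned(
        msg.spf_domain, msg.from_domain, tags.get("aspf", "r") == "s")
    dkim_ok = any(
        result == "pass" and aligned(d, msg.from_domain, tags.get("adkim", "r") == "s")
        for result, d in msg.dkim)
    if spf_ok or dkim_ok:
        return ("pass", None)   # one aligned pass is enough; policy not applied
    return ("fail", tags.get("p", "none"))

# Constructed sample data (not from the page)
RECORD = "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com"
SPOOFED = Message("example.com", "fail", "example.net")
ESP_DKIM_ALIGNED = Message("example.com", "pass", "bounces.example.net",
                           [("pass", "example.com")])
ESP_UNALIGNED = Message("example.com", "pass", "bounces.example.net",
                        [("pass", "example.net")])

if __name__ == "__main__":
    for name, m in [("spoofed", SPOOFED), ("esp aligned dkim", ESP_DKIM_ALIGNED),
                    ("esp unaligned", ESP_UNALIGNED)]:
        print(name, evaluate(m, RECORD))
```

The third sample is the one to look for in your DMARC reports: a legitimate sending service whose SPF and DKIM both pass for its own domain will still be quarantined until it signs with, or bounces to, a domain aligned with yours.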

When to use p=quarantine

The p=quarantine policy is an essential step on the path to full DMARC enforcement. Starting with p=none is great for collecting data, but it offers no protection. As Email on Acid notes, with p=none, "potentially malicious email spoofing a domain could land in the inbox."

Moving to p=quarantine allows you to start protecting your domain from spoofing while still having a safety net. If you have legitimate emails that are failing DMARC for some reason, they will go to the recipient's spam folder instead of being deleted entirely. This gives you time to analyze your DMARC reports, fix any authentication issues with your legitimate sending services, and then confidently move to a p=reject policy.

The bottom line

So, does p=quarantine deliver mail to the inbox? No. It directs mail that fails authentication to the spam folder. It is an indispensable tool for securing your domain, protecting your recipients from phishing, and improving your overall email deliverability by building a trustworthy reputation with mailbox providers.
