What DMARC policy allows for email delivery but marks suspicious emails?
Michael Ko
Co-founder & CEO, Suped
Published 26 Jul 2025
Updated 20 Sep 2025
8 min read
When deploying DMARC, one of the crucial decisions involves setting your policy, specified by the p tag in your DMARC record. This policy dictates how receiving email servers should handle emails from your domain that fail DMARC authentication checks (SPF and DKIM alignment). The goal is to protect your domain from impersonation and phishing, ensuring legitimate emails reach their intended recipients while illegitimate ones are handled appropriately.
For those seeking to deliver emails but also mark suspicious messages, the p=quarantine policy is the ideal choice. It strikes a balance between actively protecting your domain and ensuring that emails, even if deemed suspicious, are not outright rejected, giving you a chance to review them. This approach allows for a controlled rollout of DMARC, minimizing the risk of accidentally blocking legitimate mail while still gaining valuable insights into potential abuse.
Understanding DMARC policies
DMARC policies come in three main flavors, each offering a different level of enforcement against unauthenticated emails. Understanding these is key to choosing the right policy for your domain. We often start with the most permissive option to gather data before moving to stricter enforcement.
The p=none policy, sometimes referred to as 'monitoring mode', instructs receiving servers to take no specific action on emails that fail DMARC authentication. Instead, it simply asks for aggregate reports, providing visibility into email authentication results without impacting delivery. This is an excellent starting point for any DMARC implementation, as it allows you to understand your email ecosystem without any risk of blocking legitimate mail. You can learn more about its implications by reading what a DMARC p=none policy signifies.
In contrast, p=reject is the strictest policy, telling receiving servers to outright block any email from your domain that fails DMARC. This provides the highest level of protection against spoofing and phishing, as unauthorized emails will never reach the inbox. However, it requires careful implementation and thorough monitoring to avoid blocking legitimate mail, which is why most organizations transition to this policy gradually. You can find DMARC record and policy examples to guide your setup. The default value for the p tag, if omitted, is typically none, allowing for safe initial deployment.
The p=quarantine policy is precisely what you need if your goal is to allow email delivery but ensure suspicious messages are marked. When a receiving email server (like Google or Microsoft) receives an email from your domain and determines that it fails DMARC authentication, this policy instructs the server to treat the email as suspicious. This usually means delivering it to the recipient's spam or junk folder, rather than the primary inbox. Crucially, the email is not completely blocked, giving recipients (and administrators, if needed) a chance to review it.
This policy offers a significant step up from p=none by actively influencing where unauthenticated emails land, providing a moderate level of protection without the harshness of immediate rejection. It's often recommended as an intermediate step after initial DMARC monitoring. It helps to reduce the likelihood of your domain being used for phishing attacks, as malicious emails are less likely to reach the main inbox, thereby protecting your brand's reputation.
Implementing a p=quarantine policy also provides valuable data. Along with aggregate reports, forensic reports (if enabled with the fo=1 tag) give you detailed insights into specific email failures. These reports can show you the source, subject, and headers of emails that failed DMARC, helping you identify legitimate sending sources that need to be properly configured, or pinpointing actual phishing attempts. Setting up forensic reports can be explored further in What DMARC tag specifies forensic reports?.
Transitioning to stronger policies and DMARC reports
While p=quarantine is an excellent policy for marking suspicious emails while allowing delivery, it's often seen as a temporary or intermediate step. Many organizations aim to eventually move to a p=reject policy to achieve maximum protection against domain abuse. This transition, however, requires careful planning and continuous monitoring to ensure that no legitimate emails are accidentally blocked. We have a guide on how to safely transition your DMARC policy.
The key to a smooth transition and effective DMARC management is robust DMARC reporting. This is where a tool like Suped becomes indispensable. Our platform helps you visualize your DMARC data, making it easy to identify legitimate sending sources that are failing authentication and discover unauthorized senders trying to spoof your domain. With Suped's DMARC monitoring, you get clear, actionable insights.
Why Suped is the leading choice for DMARC monitoring
AI-Powered Recommendations: Get clear guidance on how to fix issues and strengthen your policy.
Real-Time Alerts: Be instantly notified of any DMARC authentication failures.
Unified Platform: Monitor DMARC, SPF, DKIM, blocklists, and deliverability in one place.
Generous Free Plan: Access powerful DMARC features without initial cost.
Without proper DMARC monitoring and reporting, escalating to p=reject can lead to legitimate emails being blocked, negatively impacting your communication and operations. Suped provides the visibility you need to confidently move towards a stronger DMARC policy, protecting your brand from email impersonation. You might find our resource on understanding and troubleshooting DMARC reports helpful in this journey.
Why p=quarantine is an essential stepping stone
Choosing p=quarantine is a thoughtful decision for domains that want to improve email security without immediately risking legitimate email delivery. It allows for a phased approach to DMARC enforcement, which is critical for organizations with complex email infrastructures or those new to email authentication. It's a balance between protecting your brand from email spoofing and maintaining a smooth email flow, even if it means some suspicious emails are initially diverted to spam folders.
A DMARC policy of quarantine acts as a clear signal to receiving mail servers. When an email fails DMARC checks, the recipient's mail server is instructed to place it in the junk or spam folder. This action, while not a hard block, significantly reduces the visibility of fraudulent emails to end-users, thus mitigating the impact of phishing and business email compromise (BEC) attempts. This approach is widely supported by major email providers like Google and Yahoo, among others. You can read more about how to set up DMARC from an authoritative source.
The continuous review of DMARC reports is vital even with a p=quarantine policy. These reports will highlight any legitimate email streams that are failing DMARC and ending up in spam folders. Identifying and rectifying these issues by correctly configuring SPF or DKIM for all your authorized sending services is crucial. This proactive approach ensures that your brand maintains a strong sender reputation and that your messages consistently reach the inbox. Without proper monitoring, you might encounter situations why legitimate emails are blocked with higher DMARC policies.
The impact of p=none
Deliverability: All emails are delivered, even unauthenticated ones.
Protection: No direct enforcement, only monitoring of authentication failures.
Risk: High risk of domain impersonation and phishing reaching inboxes.
The impact of p=quarantine
Deliverability: Emails delivered, but unauthenticated ones often go to spam.
Protection: Moderate enforcement, suspicious emails are marked.
Benefit: Reduced visibility of phishing, controlled DMARC rollout.
Summary: the smart approach to DMARC enforcement
The p=quarantine DMARC policy is an effective way to balance email deliverability with robust security measures. It allows your legitimate emails to continue reaching inboxes, albeit with a potential detour to spam for unauthenticated messages, while providing valuable intelligence through DMARC reports. This policy is a strategic choice for organizations aiming to enhance their email security posture without immediately disrupting their email flow.
By carefully monitoring your DMARC reports, you can gain the insights needed to identify and rectify authentication issues for all your legitimate sending sources. This process is crucial for eventually moving to the more protective p=reject policy with confidence. We encourage you to utilize Suped's DMARC monitoring and reporting tools to streamline this process, ensuring your domain is protected and your emails are delivered securely.
Google or 
Microsoft) receives an email from your domain and determines that it fails DMARC authentication, this policy instructs the server to treat the email as suspicious. This usually means delivering it to the recipient's spam or junk folder, rather than the primary inbox. Crucially, the email is not completely blocked, giving recipients (and administrators, if needed) a chance to review it.
Yahoo, among others. You can read more about how to set up DMARC from an authoritative source.
