Suped

When and why should I switch from DMARC p=none to p=quarantine or p=reject?

Michael Ko
Co-founder & CEO, Suped
Published 26 May 2025
Updated 17 Aug 2025
When initially implementing DMARC, many organizations start with a p=none policy. This setting is purely for monitoring, allowing you to gather valuable insights into your email ecosystem without impacting email delivery. It's an essential first step to understand how your legitimate emails are performing regarding authentication and to identify any unauthorized senders spoofing your domain.
However, to truly leverage DMARC's security benefits and protect your brand from phishing and spoofing attacks, the goal is often to transition to an enforcement policy like p=quarantine or p=reject. Making this switch requires careful planning and a thorough understanding of your email sending infrastructure. In this guide, I will explain when and why you should consider moving to these stronger DMARC policies.

Understanding DMARC policies and their roles

DMARC policies dictate how receiving email servers should handle messages that fail DMARC authentication checks. Each policy level offers a different degree of enforcement and control over your domain's email traffic.
The p=none policy, as mentioned, is primarily for monitoring. It tells the receiving server to take no specific action on emails that fail DMARC, but it still generates aggregate and forensic reports that are crucial for visibility. You can learn more about DMARC policies and their use cases to help guide your decision-making.
Moving to p=quarantine instructs receiving servers to treat emails that fail DMARC as suspicious. This usually means placing them into the recipient's spam or junk folder, rather than rejecting them outright. It's a stepping stone, allowing you to begin filtering out unauthorized emails while minimizing the risk of blocking legitimate mail. This policy can help reduce the impact of spoofing on your brand's reputation without completely disrupting email flow.
The strongest policy, p=reject, tells receiving servers to reject any email that fails DMARC. This means the email will not reach the recipient's inbox or spam folder, effectively blocking all unauthorized emails. This policy provides the highest level of protection against email spoofing and phishing attacks but requires complete confidence that all your legitimate sending sources are properly authenticated. If legitimate emails fail DMARC with this policy, they will simply disappear.

Quarantine policy

  1. Impact on emails: Mail that fails DMARC is moved to the recipient's spam or junk folder. Recipients might still see these emails, but they are flagged as suspicious.
  2. Security level: Provides a moderate level of protection, reducing the visibility of spoofed emails in primary inboxes.
  3. Monitoring: Still allows for continued monitoring of failed emails, which can be useful for identifying any unexpected legitimate mail that is failing authentication.

Reject policy

  1. Impact on emails: Mail that fails DMARC is completely blocked and never delivered to the recipient. This is the strongest action.
  2. Security level: Offers the highest level of protection against exact domain spoofing and phishing attacks.
  3. Risk: Higher risk of legitimate emails being rejected if not all sending sources are correctly authenticated and aligned. Mail will be lost.

The critical transition from monitoring to enforcement

The decision to move from p=none to an enforcement policy is driven by several factors, primarily the need for enhanced email security and compliance. In 2024, major mailbox providers like Gmail and Yahoo Mail introduced stricter requirements for bulk senders, making DMARC enforcement policies (p=quarantine or p=reject) essential for optimal deliverability. You can review whether Yahoo and Google will require DMARC in 2025.
While p=none provides visibility, it does not prevent malicious actors from sending emails impersonating your domain. Reports indicate that bad actors, including nation-state groups, actively seek out domains with a p=none policy to exploit them for phishing and other attacks. The immediate incentive for switching is to gain control over how receivers handle unauthenticated email from your domain, thereby mitigating these threats.
Before switching, it is essential to have a clear picture of all legitimate email streams originating from your domain. This includes emails sent from your primary mail server, marketing platforms, transactional email services, and any third-party applications. Each source must be properly authenticated with SPF and DKIM, and critically, achieve DMARC alignment. Without this comprehensive understanding, moving to an enforcement policy risks blocking your legitimate emails, leading to significant deliverability issues.

Monitor your DMARC reports thoroughly

Before even considering a switch, you must spend ample time analyzing your DMARC aggregate reports (RUA). These reports show which emails are passing or failing DMARC, SPF, and DKIM, along with their alignment. Look for any legitimate email flows that are not yet authenticating correctly. You should aim for near 100% authentication pass rates for all your authorized senders. Understanding and troubleshooting DMARC reports is a crucial step.
Some indirect mail flows, like forwarding or mailing lists, might legitimately fail DMARC. These are the emails that you risk losing when you move to an enforcing policy. You'll need to decide if the increased security is worth the potential loss of these specific email paths.
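One way to run this analysis over a report, as an added example that is not Suped's code: it parses an aggregate report in the RFC 7489 XML layout, totals the aligned DKIM and SPF results per source IP, and lists the sources that would lose mail under enforcement plus those passing on SPF alone. The sample report, its IP addresses and the 0.99 threshold are constructed assumptions.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample aggregate report (RFC 7489 layout, documentation IPs).
SAMPLE_REPORT = """<feedback>
  <policy_published><domain>example.com</domain><p>none</p></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>950</count>
    <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
  <record><row><source_ip>192.0.2.10</source_ip><count>50</count>
    <policy_evaluated><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>40</count>
    <policy_evaluated><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row></record>
  <record><row><source_ip>203.0.113.25</source_ip><count>10</count>
    <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
</feedback>"""


def summarize(report_xml):
    """Per-source message counts: total, DMARC pass, aligned DKIM, aligned SPF."""
    # Reports arrive from third parties; use a hardened XML parser in production.
    stats = defaultdict(lambda: {"total": 0, "dmarc_pass": 0, "dkim": 0, "spf": 0})
    for row in ET.fromstring(report_xml).iterfind("record/row"):
        count = int(row.findtext("count", "0"))
        # policy_evaluated holds the aligned results, which is what DMARC uses.
        dkim = row.findtext("policy_evaluated/dkim", "fail").strip().lower() == "pass"
        spf = row.findtext("policy_evaluated/spf", "fail").strip().lower() == "pass"
        s = stats[row.findtext("source_ip", "unknown").strip()]
        s["total"] += count
        s["dkim"] += count if dkim else 0
        s["spf"] += count if spf else 0
        s["dmarc_pass"] += count if (dkim or spf) else 0  # either one suffices
    return dict(stats)


def review(stats, min_pass_rate=0.99):
    """Sources to fix before enforcing; min_pass_rate is an assumed threshold."""
    failing, spf_only = [], []
    for ip, s in sorted(stats.items()):
        if s["total"] and s["dmarc_pass"] / s["total"] < min_pass_rate:
            failing.append(ip)    # would be quarantined or rejected
        elif s["dkim"] == 0:
            spf_only.append(ip)   # passes today, but SPF breaks when forwarded
    return {"failing": failing, "spf_only": spf_only}


if __name__ == "__main__":
    summary = summarize(SAMPLE_REPORT)
    for ip, s in sorted(summary.items()):
        print(ip, s)
    print(review(summary))
```

A source in the failing list is either a legitimate sender that still needs SPF or DKIM alignment or an unauthorized sender; the report alone does not say which, so each one has to be identified before the policy changes.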

Steps to safely switch your DMARC policy

The transition from p=none to p=quarantine and then p=reject should be a phased approach. This allows you to observe the impact of each policy change and make necessary adjustments without disrupting legitimate email delivery.
After a comprehensive analysis of your p=none reports and ensuring all legitimate sources are authenticated, the next step is to move to p=quarantine. It's highly recommended to use the pct tag, which specifies the percentage of messages to which the DMARC policy should be applied. Start with a small percentage, like pct=10, and gradually increase it as you continue to monitor your reports. This allows you to observe the impact on a smaller scale before full enforcement.
Once you are confident that p=quarantine at pct=100 is not causing any issues with legitimate mail, you can then consider moving to p=reject. This should also be done gradually using the pct tag, starting with a low percentage for p=reject and increasing it over time. Remember that implementing p=reject safely is paramount to avoid deliverability issues.
Example DMARC record for p=quarantine with pct (TXT record):
v=DMARC1; p=quarantine; pct=10; rua=mailto:dmarc-reports@yourdomain.com;
Ongoing monitoring is key throughout this entire process. Continuously review your DMARC reports for any unexpected failures or anomalies. This iterative approach allows you to identify and resolve issues as they arise, ensuring a smooth and secure transition to a stronger DMARC policy. The goal is to safely transition your DMARC policy to an enforcement level that best suits your organization's security posture and risk tolerance.
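An added example (not from the original article) that parses the record shown above and reports how much DMARC-failing mail it asks receivers to quarantine or reject at a given stage of the rollout. The next-lower-policy rule for mail outside the pct sample comes from RFC 7489 section 6.6.4 rather than from this page, and the function names are hypothetical.

```python
import re

# RFC 7489 section 6.6.4: failing mail outside the pct sample gets the next-lower policy.
NEXT_LOWER = {"reject": "quarantine", "quarantine": "none", "none": "none"}


def parse_dmarc(record):
    """Parse a DMARC TXT record into a tag dict; raise ValueError on defects."""
    pairs = [p.strip() for p in record.split(";") if p.strip()]
    if not pairs or not re.fullmatch(r"v\s*=\s*DMARC1", pairs[0]):
        raise ValueError("v=DMARC1 must be the first tag")
    tags = {}
    for pair in pairs:
        name, sep, value = pair.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {pair!r}")
        tags[name.strip().lower()] = value.strip()
    tags["p"] = tags.get("p", "").lower()
    if tags["p"] not in NEXT_LOWER:
        raise ValueError("p must be none, quarantine or reject")
    pct = tags.get("pct", "100")  # pct defaults to 100 when the tag is absent
    if not re.fullmatch(r"[0-9]{1,3}", pct) or int(pct) > 100:
        raise ValueError("pct must be an integer from 0 to 100")
    tags["pct"] = int(pct)
    return tags


def requested_handling(tags):
    """Percent of DMARC-failing mail the record asks receivers to put in each bucket."""
    shares = {"none": 0, "quarantine": 0, "reject": 0}
    shares[tags["p"]] += tags["pct"]
    shares[NEXT_LOWER[tags["p"]]] += 100 - tags["pct"]
    return shares


def rollout_warnings(tags):
    """Flag the pitfall the article names: enforcing without aggregate reports."""
    if tags["p"] != "none" and not tags.get("rua", "").lower().startswith("mailto:"):
        return ["enforcement requested but no rua= mailbox for aggregate reports"]
    return []


if __name__ == "__main__":
    # The record shown above, then two constructed later stages of the rollout.
    for rec in ("v=DMARC1; p=quarantine; pct=10; rua=mailto:dmarc-reports@yourdomain.com;",
                "v=DMARC1; p=reject; pct=25; rua=mailto:dmarc-reports@yourdomain.com",
                "v=DMARC1; p=reject"):
        t = parse_dmarc(rec)
        print(rec, requested_handling(t), rollout_warnings(t))
```

With p=reject and a pct below 100, the unsampled share is still quarantined rather than delivered normally, so the first step onto p=reject affects all failing mail, not only the sampled percentage.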

Benefits of strong DMARC enforcement

Moving to an enforcing DMARC policy (quarantine or reject) offers significant benefits for your email security and deliverability. Primarily, it provides robust protection against phishing, spoofing, and other email-based attacks that rely on impersonating your domain. By instructing recipient mail servers to take action on unauthenticated mail, you effectively shut down a common avenue for cybercriminals. This actively helps protect your domain from exploitation.
A strong DMARC policy also significantly improves your email deliverability and sender reputation. When mailbox providers see that your domain is actively protecting itself with an enforcement policy, it signals trustworthiness. This can lead to better inbox placement rates for your legitimate emails and reduces the likelihood of your domain being flagged or added to a blacklist (or blocklist). The benefits of implementing DMARC extend beyond just security, contributing to overall email program health.
Furthermore, aligning with stronger DMARC policies helps your organization comply with evolving email security standards and best practices. As major mailbox providers increasingly demand DMARC enforcement, proactive adoption demonstrates a commitment to email security, which is beneficial for maintaining strong relationships with recipients and partners alike. This commitment becomes particularly important for bulk senders navigating new Google and Yahoo requirements.

Views from the trenches

Best practices

  1. Always begin with a DMARC p=none policy and monitor reports for several weeks or months, depending on your mail flow complexity, to ensure all legitimate sending sources are identified and authenticated.
  2. Ensure all your legitimate email sending infrastructure (including third-party services) is properly configured with SPF and DKIM and achieves DMARC alignment before moving to an enforcement policy.
  3. Utilize the `pct` tag to gradually enforce DMARC. Start with a low percentage (e.g., `pct=10`) for quarantine, then gradually increase to `pct=100`, before repeating the process for reject.
  4. Continuously monitor your DMARC reports after each policy change to quickly identify and resolve any unintended legitimate email failures.

Common pitfalls

  1. Switching directly to p=quarantine or p=reject without thoroughly understanding your email ecosystem can lead to legitimate emails being quarantined or blocked.
  2. Not having a DMARC reporting solution in place makes it impossible to gain insights into email authentication failures and makes policy enforcement risky.
  3. Ignoring indirect mail flows like mailing lists or email forwarding services, which often break DMARC authentication, can lead to legitimate mail loss when enforcing policies.
  4. Underestimating the time required for DMARC implementation and monitoring, especially for complex organizations with many email sending sources.

Expert tips

  1. Good reporting is critical, as free DMARC reporting solutions are generally not sufficient for complex email environments.
  2. Organizations should view p=none as a temporary diagnostic phase, not a permanent solution, because malicious actors actively exploit domains with this policy.
  3. Ensure that your email infrastructure is technically 'squeaky clean' and does not use odd encodings, as this can affect DMARC authentication.
  4. Prioritize securing internal mail flows before moving to a p=reject policy to avoid internal email disruption.

Expert view

Expert from Email Geeks says that if you decide to enforce DMARC, you should monitor your DMARC reports with p=none for long enough to know all your mail flows, ensuring they are all DKIM signed without exceptions. This process could take from a few weeks for simple setups to six months for more complex infrastructures.
2024-05-11 - Email Geeks

Expert view

Expert from Email Geeks says that indirect mail flows typically cannot be fixed, and these are the recipients whose emails will be lost if you move from a p=none policy to an enforcing one.
2024-05-11 - Email Geeks

Securing your email ecosystem

Switching from DMARC p=none to p=quarantine or p=reject is a crucial step for bolstering your domain's email security and ensuring optimal deliverability. While the initial monitoring phase with p=none is vital for understanding your email ecosystem, it offers no protection against spoofing. Enforcing a DMARC policy allows you to actively defend your brand reputation and ensure that only authenticated emails reach your recipients.
The transition should be a methodical, phased process, prioritizing thorough monitoring and careful adjustment at each step. By embracing DMARC enforcement, you are not only protecting your domain from malicious attacks but also demonstrating a commitment to email best practices, fostering trust with mailbox providers, and ultimately improving your overall email program's performance.
