
When switching DMARC configuration from none to quarantine, is it best to do so in increments, or all at once?

Michael Ko
Co-founder & CEO, Suped
Published 5 May 2025
Updated 19 Aug 2025
Moving your DMARC policy from "none" to "quarantine" is a significant step towards better email security and deliverability. The "none" policy, often used during initial DMARC setup, monitors your email flow without enforcing any actions on unauthenticated messages. Switching to "quarantine" tells recipient mail servers to treat unauthenticated emails from your domain with suspicion, typically by moving them to the spam or junk folder.
The question of whether to transition in increments or all at once is crucial. There are valid arguments for both approaches, and the best path depends on your organization's specific email infrastructure, volume, and risk tolerance. My goal is to guide you through these considerations so you can make an informed decision for your domain.

Understanding DMARC policies

DMARC policies dictate how recipient mail servers should handle emails that fail DMARC authentication. The three primary policies are p=none, p=quarantine, and p=reject. A p=none policy provides visibility into your email ecosystem through DMARC reports, which are crucial for identifying legitimate sending sources and misconfigurations. This phase is essential for understanding your current authentication landscape.
The transition to p=quarantine is about taking action. It instructs receiving mail servers to place emails failing DMARC into the recipient's junk or spam folder. This is a significant step in preventing spoofing and phishing attempts using your domain, as it directly impacts email delivery for unauthenticated messages. For more details on these policies, you can read our guide on when to use DMARC policies.
DMARC also includes the pct tag, which allows you to specify a percentage of unauthenticated emails that should be subjected to the DMARC policy. For instance, pct=10 would mean only 10% of failing emails are quarantined (or rejected, if p=reject is set). This tag is central to an incremental rollout strategy, as it provides a way to gradually increase enforcement. You can find a list of DMARC tags and their meanings in our guide.

The incremental approach

The incremental approach is generally considered the safer and more controlled method. It involves using the pct tag to slowly ramp up the percentage of emails subject to your p=quarantine policy. For example, you might start with pct=10, then move to pct=25, pct=50, and finally pct=100 (or remove the tag, as 100% is the default if pct is absent). This phased approach allows you to continuously monitor your DMARC reports for any unforeseen legitimate mail failures and adjust your SPF or DKIM records accordingly. Microsoft's guidance on DMARC setup steps suggests this gradual increase. We also have a dedicated guide on how to safely transition your DMARC policy.
The primary benefit of increments is risk mitigation. By slowly increasing enforcement, you minimize the chance of legitimate emails being sent to spam (or the junk folder). This is particularly important for organizations with complex email infrastructures, multiple sending services, or third-party senders. It provides ample opportunity to identify and correct any SPF or DKIM alignment issues. We have a guide on why changing DMARC policy might send emails to spam and how to fix it.
While beneficial, it's worth noting that some Mailbox Providers (MBPs) or Internet Service Providers (ISPs) may not always strictly adhere to the pct tag, especially at lower percentages. They might still apply their own internal filtering rules or treat your policy as 100% enforced based on other reputation factors. This makes continuous DMARC report monitoring even more critical. You can learn more about rolling out DMARC enforcement with care.
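The staged rollout described above can be generated and checked from the record you already publish. This is an added example, not code from the article or from Suped; the function names and the example.com record are hypothetical, and the handling of unsampled mail follows RFC 7489 section 6.6.4.

```python
POLICIES = ("none", "quarantine", "reject")
# Policy applied to failing mail NOT sampled by pct (RFC 7489, 6.6.4):
# reject falls back to quarantine, quarantine to normal local filtering.
NEXT_LOWER = {"reject": "quarantine", "quarantine": "none", "none": "none"}

def parse_dmarc(record):
    """Parse a DMARC TXT record into a tag dict; raise ValueError if malformed."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part!r}")
        tags[name.strip().lower()] = value.strip()
    if list(tags)[:1] != ["v"] or tags["v"] != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    if tags.get("p") not in POLICIES:
        raise ValueError("missing or invalid p= tag")
    pct = tags.get("pct", "100")          # 100 is the default when pct is absent
    if not pct.isdigit() or int(pct) > 100:
        raise ValueError("pct must be an integer from 0 to 100")
    tags["pct"] = int(pct)
    return tags

def effective_handling(tags):
    """Percent of DMARC-failing mail handled under each policy."""
    out = {tags["p"]: tags["pct"]}
    lower = NEXT_LOWER[tags["p"]]
    out[lower] = out.get(lower, 0) + 100 - tags["pct"]
    return out

def ramp(record, stages=(10, 25, 50, 100)):
    """Records to publish at each stage of a none -> quarantine rollout."""
    tags = parse_dmarc(record)
    staged_records = []
    for pct in stages:
        staged = dict(tags, p="quarantine", pct=pct)
        if pct == 100:
            staged.pop("pct")             # final stage: drop the tag entirely
        staged_records.append("; ".join(f"{k}={v}" for k, v in staged.items()))
    return staged_records

if __name__ == "__main__":
    current = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"  # constructed
    for rec in ramp(current):
        print(rec, "->", effective_handling(parse_dmarc(rec)))
```

The percentages returned by effective_handling are what the record requests; as noted above, a receiver may enforce on more than the stated share.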

The all-at-once approach

Switching to p=quarantine all at once (setting pct=100 or removing the pct tag entirely) can be done, but it carries higher risks. This approach is typically only advisable for domains with small, well-controlled email sending environments where you are absolutely confident that all legitimate sending sources are correctly authenticated with SPF and DKIM and pass DMARC alignment checks. SonicWall's guide to DMARC record creation provides insights into initial DMARC setup.
The main advantage of an immediate switch is the accelerated deployment of DMARC enforcement. If you're under time pressure or have a very simple email setup, this can seem appealing. However, the potential downside is that any misconfigured legitimate email streams will immediately be impacted, leading to emails being quarantined, junked, or even potentially blocklisted (or blacklisted) by recipient mail servers. This can result in significant deliverability issues and disruptions to business communication.
Before considering an all-at-once switch, you must have rigorously analyzed your DMARC reports for a prolonged period, ideally several weeks or months. You should have a clear understanding of all your legitimate sending sources and be certain that they are consistently passing DMARC authentication. If there's any doubt, the incremental approach is always recommended. This will help you understand how DMARC policies affect sender reputation and delivery.

Key considerations before switching

Regardless of whether you choose an incremental or all-at-once transition, several critical factors must be in place to ensure a smooth switch to p=quarantine. Proper preparation will minimize disruptions and protect your email deliverability. A solid understanding of DMARC, SPF, and DKIM is foundational.
First, ensure all your legitimate email sending services are correctly configured for SPF and DKIM. This includes any third-party marketing platforms, transactional email services, and internal mail servers. Any legitimate email that fails SPF or DKIM and also fails DMARC alignment will be impacted by the p=quarantine policy. Use your DMARC reports to identify all sending IPs and domains, and then work to authenticate them properly. Consider our best practices for DMARC implementation.
Second, comprehensive DMARC reporting and analysis are non-negotiable. With p=none, you can safely identify issues. Once you move to p=quarantine, you need to know immediately if legitimate emails are being affected. Tools that provide easy-to-understand aggregate and forensic DMARC reports are invaluable. They allow you to pinpoint failures, identify unauthenticated senders, and troubleshoot any deliverability issues quickly. You can check our guide on understanding DMARC reports.
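A sketch of the report check described above, as an added example rather than code from the article or any Suped tool: it reads one aggregate (RUA) report, ranks the sources still failing DMARC, and estimates how many messages a given pct would quarantine. The report, IP addresses and function names are constructed, and the sample uses no XML namespace.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

def _rec(ip, count, dkim, spf):
    # Build one constructed <record>; dkim/spf are the DMARC-aligned results.
    return (f"<record><row><source_ip>{ip}</source_ip><count>{count}</count>"
            f"<policy_evaluated><disposition>none</disposition><dkim>{dkim}</dkim>"
            f"<spf>{spf}</spf></policy_evaluated></row></record>")

# Constructed sample aggregate report; IPs are documentation addresses.
SAMPLE_REPORT = (
    "<feedback><policy_published><domain>example.com</domain><p>none</p>"
    "<pct>100</pct></policy_published>"
    + _rec("192.0.2.10", 1200, "pass", "pass")    # main mail server
    + _rec("198.51.100.7", 300, "fail", "fail")   # unaligned third-party sender
    + _rec("198.51.100.7", 100, "pass", "fail")   # same sender, DKIM-aligned stream
    + _rec("203.0.113.5", 40, "fail", "pass")     # SPF-aligned only
    + "</feedback>")

def summarize(report_xml):
    """Return {source_ip: {"pass": n, "fail": n}} from policy_evaluated rows."""
    # Real reports arrive from third parties: parse those with a hardened
    # XML parser (e.g. defusedxml) rather than trusting the input.
    totals = defaultdict(lambda: {"pass": 0, "fail": 0})
    for row in ET.fromstring(report_xml).iter("row"):
        ev = row.find("policy_evaluated")
        # DMARC passes when aligned DKIM or aligned SPF passes.
        ok = "pass" in (ev.findtext("dkim"), ev.findtext("spf"))
        key = "pass" if ok else "fail"
        totals[row.findtext("source_ip")][key] += int(row.findtext("count"))
    return dict(totals)

def failing_sources(summary):
    """(ip, failing_count, fail_rate) for sources with failures, largest first."""
    rows = [(ip, c["fail"], c["fail"] / (c["pass"] + c["fail"]))
            for ip, c in summary.items() if c["fail"]]
    return sorted(rows, key=lambda r: r[1], reverse=True)

def exposure(summary, pct):
    """(expected, worst_case) quarantined messages at p=quarantine with pct.
    worst_case covers receivers that ignore pct and act on every failure."""
    failing = sum(c["fail"] for c in summary.values())
    return failing * pct // 100, failing

if __name__ == "__main__":
    s = summarize(SAMPLE_REPORT)
    for ip, n, rate in failing_sources(s):
        print(f"{ip}: {n} failing ({rate:.0%}) - fix SPF/DKIM alignment first")
    for pct in (10, 25, 50, 100):
        print(f"pct={pct}: expected/worst-case quarantined = {exposure(s, pct)}")
```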

The importance of DMARC authentication

There's no concept of "warming" a DMARC policy like you would an IP address or a sending domain. Once the policy is published, recipient mail servers will apply it based on your domain's reputation and their own internal policies. This means that if you switch directly to "quarantine" and have unauthenticated legitimate senders, those emails will immediately be affected. Therefore, it's critical to have all your ducks in a row before making the change, whether incrementally or all at once. For more on email deliverability, see why your emails are going to spam and how to fix it.

Views from the trenches

Best practices
Always begin with a DMARC policy of p=none for a monitoring period of at least a few weeks to identify all legitimate sending sources and configurations.
Use aggregate DMARC reports (RUA) to gain full visibility into all email streams claiming to be from your domain, even those you weren't aware of.
Address all SPF and DKIM alignment issues for legitimate senders before changing your DMARC policy to enforcement.
If using the incremental approach, review DMARC reports thoroughly after each percentage increase to catch and correct any issues early.
Consider the impact of forwarded emails, as they can break SPF authentication and lead to DMARC failures, potentially causing legitimate emails to be quarantined.
Common pitfalls
Switching directly from p=none to p=quarantine without thorough monitoring, which can result in legitimate emails being incorrectly junked or blocked.
Not having a robust DMARC reporting tool in place to easily interpret aggregate (RUA) and forensic (RUF) reports, leading to blind spots.
Overlooking third-party email senders (like marketing platforms or CRM systems) that send email on behalf of your domain, leading to their emails failing DMARC.
Assuming that all mailbox providers (ISPs) will strictly adhere to the 'pct' tag, as some may enforce stricter policies based on other reputation factors.
Failing to educate internal teams about DMARC enforcement, leading to confusion or misdiagnosis of email delivery issues once quarantine is active.
Expert tips
Use the 'ruf' (forensic reporting) tag during the p=none phase for detailed insights into DMARC failures, but be cautious with privacy implications.
Set a dedicated email address for DMARC reports that is regularly monitored and managed, as reports can be voluminous.
Prioritize fixing DMARC alignment issues for high-volume or critical email streams first, as these will have the largest impact.
Even after moving to p=quarantine, continue to monitor DMARC reports regularly to catch new unauthenticated senders or changes in email behavior.
If implementing BIMI, a DMARC p=quarantine or p=reject policy at 100% enforcement is typically a prerequisite for logo display.
Expert view
Expert from Email Geeks says that DMARC has no
2022-01-13 - Email Geeks
Marketer view
Marketer from Email Geeks says that they would probably ease into it just to be safe, but they wanted to confirm the best practice.
2022-01-13 - Email Geeks

Strategic DMARC transition

In most scenarios, adopting an incremental approach when switching your DMARC configuration from "none" to "quarantine" is the most prudent strategy. It provides a safety net, allowing you to identify and resolve issues with legitimate email streams before they significantly impact deliverability. This phased rollout, leveraging the pct tag, ensures that your security posture improves without disrupting critical communications. You can also explore simple DMARC examples to start with p=none.
An all-at-once transition is only viable when you have an exceptionally clean and well-understood email sending environment, backed by extensive monitoring under a "none" policy. Regardless of the chosen path, continuous monitoring of DMARC reports and prompt resolution of authentication failures are paramount for successful DMARC implementation and maintaining strong email deliverability.
