Suped

How to safely transition your DMARC policy to quarantine or reject

Michael Ko
Co-founder & CEO, Suped
Published 11 Jul 2025
Updated 11 Jul 2025
6 min read
Setting up a DMARC record is a fantastic first step towards securing your email domain. It tells the world you are serious about protecting your brand from phishing and spoofing. But creating a DMARC record with a policy of 'none' is just the beginning of the journey. The real security benefits come when you confidently move to a policy of 'quarantine' or, even better, 'reject'. This is where many people get stuck, worried they will accidentally block their own legitimate emails.
That fear is understandable, but it does not have to be a blocker. Transitioning your DMARC policy is a process that, when done carefully and methodically, is safe: a gradual, data-driven approach. The steps below move your DMARC policy out of a passive monitoring state and into an enforcement policy, keeping your legitimate mail flowing while illegitimate mail gets stopped.

First, a quick policy recap

Before starting the transition process, let's quickly review what the different DMARC policies actually do. A DMARC policy instructs receiving mail servers on how to handle emails that claim to be from your domain but fail DMARC authentication, meaning neither an SPF pass nor a DKIM pass whose domain aligns with the From domain. Passing either aligned check is enough; a message only fails DMARC when both do.

The three DMARC policies

p=none (Monitoring)
v=DMARC1; p=none; rua=mailto:reports@yourdomain.com;
p=quarantine (Spam folder)
v=DMARC1; p=quarantine; rua=mailto:reports@yourdomain.com;
p=reject (Block)
v=DMARC1; p=reject; rua=mailto:reports@yourdomain.com;

Policy breakdown

The p=none policy is the monitoring or 'report-only' mode. It has no impact on email delivery. It simply asks receivers to send you reports about your email traffic, which is crucial for the initial analysis phase.
The p=quarantine policy asks receivers to treat unauthenticated emails as suspicious. Most will place these messages in the recipient's spam or junk folder. It is a lenient transitional policy that reduces the risk of outright blocking legitimate mail.
The p=reject policy is the strongest policy. It instructs receivers to completely block any emails that fail DMARC checks. This offers the best protection against spoofing but requires complete confidence in your email authentication setup.
The entire process relies on starting with p=none. This phase is all about gathering data. By including a rua tag in your record, you will start receiving aggregate reports. These reports are XML files that detail which servers are sending email on behalf of your domain and whether those emails are passing or failing authentication checks. This information is the bedrock of your transition plan.

Phase 1: Monitor and analyze with p=none

Your first DMARC record should always start with a monitoring policy. This allows you to collect data without any risk to your email delivery. The goal here is to get a complete picture of your entire email ecosystem. You need to identify every single service and server that sends email for your domain, including your primary mail provider like Google Workspace or Microsoft 365, alongside third-party services like marketing platforms, CRMs, and customer support tools.
You should let this monitoring phase run for at least a couple of weeks, but often longer. The duration is not about a set number of days; it is about reaching a point where you are no longer discovering new, legitimate sending sources in your DMARC reports. For businesses with complex email setups, this takes a month or more. During this time, your job is to analyze the reports and ensure every legitimate source passes DMARC: it must pass SPF and/or DKIM with a domain that aligns with your From domain. A third-party platform that passes SPF with its own bounce domain, or signs DKIM with its own domain, still fails DMARC until you set up a custom return-path or a DKIM key under your domain for it.
Once your DMARC reports show that nearly all of your legitimate mail is passing DMARC checks, and you understand the source of any remaining failures, you are ready to consider moving to the next phase. Do not rush this; moving on too early is the most common mistake people make.
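As an added example (not code from the original article or from Suped), here is a small Python script that does the Phase 1 analysis on one aggregate report: it reads the XML, applies DMARC's alignment rule itself, and summarises pass/fail volume per sending IP so the failing sources can be triaged. The report is constructed for illustration; the IPs, the marketing-vendor bounce domain and the counts are made up, and the organisational-domain helper is a two-label approximation rather than a Public Suffix List lookup.

```python
"""Summarise a DMARC aggregate (rua) report by sending source.

For each <record>, DMARC passes if either DKIM or SPF passed *and* the
authenticated domain aligns with the RFC5322.From domain. Alignment is
what catches third-party senders that pass raw SPF/DKIM with their own
domain but still fail DMARC.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample report (not a real receiver's data). Three sources:
#  - 192.0.2.10:   DKIM pass + SPF pass, both aligned      -> DMARC pass
#  - 192.0.2.20:   SPF pass, but for the vendor's domain   -> DMARC fail (unaligned)
#  - 198.51.100.7: nothing passes                          -> DMARC fail (likely spoofing)
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>example-receiver</org_name><report_id>1</report_id></report_metadata>
  <policy_published><domain>yourdomain.com</domain><p>none</p><pct>100</pct></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>950</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>yourdomain.com</domain><result>pass</result></dkim>
      <spf><domain>yourdomain.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>192.0.2.20</source_ip><count>40</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
    <auth_results>
      <spf><domain>bounce.marketing-vendor.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>10</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
    <auth_results>
      <spf><domain>yourdomain.com</domain><result>fail</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def org_domain(name):
    """Approximate the organisational domain as the last two labels.
    Real code should use the Public Suffix List (e.g. example.co.uk has three)."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, header_from, strict=False):
    """Relaxed alignment: same organisational domain. Strict: exact match."""
    a, h = auth_domain.lower(), header_from.lower()
    return a == h if strict else org_domain(a) == org_domain(h)


def record_passes(record):
    """True if any DKIM or SPF result is 'pass' AND its domain aligns with header_from."""
    header_from = record.findtext("identifiers/header_from")
    for mech in ("dkim", "spf"):
        for auth in record.findall(f"auth_results/{mech}"):
            if auth.findtext("result") == "pass" and aligned(auth.findtext("domain"), header_from):
                return True
    return False


def summarize_report(xml_text):
    """Return {source_ip: {'total': n, 'pass': n, 'fail': n}} for one report."""
    root = ET.fromstring(xml_text)
    by_ip = defaultdict(lambda: {"total": 0, "pass": 0, "fail": 0})
    for rec in root.findall("record"):
        ip = rec.findtext("row/source_ip")
        count = int(rec.findtext("row/count"))
        by_ip[ip]["total"] += count
        by_ip[ip]["pass" if record_passes(rec) else "fail"] += count
    return dict(by_ip)


def pass_rate(summary):
    """Fraction of all reported messages that passed DMARC."""
    total = sum(s["total"] for s in summary.values())
    passed = sum(s["pass"] for s in summary.values())
    return passed / total if total else 0.0


def failing_sources(summary):
    """Source IPs with any DMARC failure, largest failing volume first: the triage list."""
    return sorted((ip for ip, s in summary.items() if s["fail"]),
                  key=lambda ip: -summary[ip]["fail"])


if __name__ == "__main__":
    summary = summarize_report(SAMPLE_REPORT)
    for ip, s in summary.items():
        print(f"{ip:15} total={s['total']:5} pass={s['pass']:5} fail={s['fail']:5}")
    print(f"overall pass rate: {pass_rate(summary):.1%}")
    print("investigate:", failing_sources(summary))
```

Run against real reports, the triage list is what you work through during Phase 1: each failing IP is either a legitimate source to bring into alignment (192.0.2.20 here, a vendor sending with its own bounce domain) or traffic you want enforcement to stop (198.51.100.7). Receivers already report their own aligned verdict in policy_evaluated; recomputing it from auth_results, as this script does, shows you which of SPF or DKIM is missing and for which domain, which is the information you need to fix the source.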

Phase 2: Transition to p=quarantine

Now that you are confident in your analysis, it's time to dip your toes in the water of enforcement. Instead of jumping straight to a full quarantine policy, we will use a powerful but often overlooked tool: the percentage tag (pct). This tag lets you apply your policy to only a small percentage of failing emails, giving you a safe way to test the waters.
DMARC record with p=quarantine and pct=5
v=DMARC1; p=quarantine; pct=5; rua=mailto:reports@yourdomain.com;
This record tells receivers to apply the quarantine policy to just 5% of emails that fail DMARC. The other 95% are treated as if the policy were p=none. Messages that pass DMARC are never affected by pct; it only samples failures.
By starting with a low percentage, you can monitor your reports and ensure no legitimate mail is being unexpectedly sent to spam. It is a safety net. If you see any problems, you can quickly revert the change or fix the underlying authentication issue for that sending source without having caused a major delivery problem. As you gain confidence, you can gradually increase your DMARC record percentage.
  1. Start at p=quarantine; pct=5
  2. After a week of clean reports, move to pct=25
  3. After another successful week, increase to pct=50
  4. Finally, move to pct=100 (or simply p=quarantine, as 100 is the default if the tag is omitted).

Phase 3: Enforcing p=reject for maximum protection

Once you have been running at a full quarantine policy for a while with no issues, you can prepare for the final step: moving to p=reject. The difference between quarantine and reject is significant; a quarantine policy will allow a malicious email into a spam folder, but a reject policy stops it from being delivered at all. This is the ultimate goal for domain security.
Just like the move to quarantine, the switch to reject should be done gradually using the percentage tag, following the same incremental process: start with p=reject; pct=5, monitor your reports, and work your way up to 100%. One detail of how pct works matters here: failing messages outside the sampled percentage do not fall back to p=none but to the next weaker policy, so under p=reject; pct=5 the unsampled 95% are quarantined (RFC 7489, Message Sampling). In other words, p=reject; pct=5 is never more lenient than the full quarantine policy you are already running, and a misconfigured legitimate source will still mostly land in spam rather than being silently dropped. This methodical approach minimizes risk and gives you multiple opportunities to catch any potential problems before they have a widespread impact.
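To make the pct semantics and the ramp concrete, here is an added Python example (not from the article or from Suped's platform) that parses a DMARC TXT record, predicts the disposition a receiver applies to a failing message for a given sampling draw, and computes the next rung of the 5/25/50/100 schedule described above, including the step from full quarantine to p=reject; pct=5. The record strings and the yourdomain.com mailbox are the article's placeholders; the roll parameter is an assumed stand-in for the receiver's own random draw.

```python
"""Parse a DMARC record and predict what a receiver does with a failing
message while the pct ramp is in progress. Per RFC 7489 (Message Sampling),
messages that fall outside the sampled percentage get the next weaker
policy: unsampled reject becomes quarantine, unsampled quarantine becomes
none. next_step() computes the following rung of the article's schedule."""
import random

RAMP = [5, 25, 50, 100]                      # the pct schedule from the article
STRONGER = {"none": "quarantine", "quarantine": "reject"}
WEAKER = {"reject": "quarantine", "quarantine": "none", "none": "none"}


def parse_dmarc(txt):
    """Turn 'v=DMARC1; p=reject; pct=5; rua=...' into an ordered dict of the
    tags that are explicitly present. pct is validated and converted to int."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if part:
            name, _, value = part.partition("=")
            tags[name.strip().lower()] = value.strip()
    # v=DMARC1 must come first and p is mandatory; anything else is not DMARC.
    if not txt.strip().lower().startswith("v=dmarc1") or "p" not in tags:
        raise ValueError("invalid DMARC record")
    for key in ("p", "sp"):
        if key in tags:
            tags[key] = tags[key].lower()
            if tags[key] not in WEAKER:
                raise ValueError(f"bad {key} value: {tags[key]}")
    if "pct" in tags:
        tags["pct"] = int(tags["pct"])
        if not 0 <= tags["pct"] <= 100:
            raise ValueError("pct must be 0..100")
    return tags


def format_record(tags):
    """Serialise back to TXT form, keeping v/p/pct at the front."""
    first = [k for k in ("v", "p", "pct") if k in tags]
    rest = [k for k in tags if k not in first]
    return "; ".join(f"{k}={tags[k]}" for k in first + rest) + ";"


def disposition(tags, dmarc_passed, is_subdomain=False, roll=None):
    """Disposition a receiver applies to one message. `roll` is the receiver's
    0..99 sampling draw; pass a fixed value to make the result deterministic."""
    if dmarc_passed:
        return "none"                        # pct only ever samples failures
    # Subdomains use sp when present, otherwise inherit p; pct defaults to 100.
    policy = tags.get("sp", tags["p"]) if is_subdomain else tags["p"]
    pct = tags.get("pct", 100)
    if roll is None:
        roll = random.randrange(100)
    return policy if roll < pct else WEAKER[policy]


def next_step(txt):
    """Advance one rung: pct 5 -> 25 -> 50 -> 100, then the next stronger
    policy at pct=5. At p=reject with full pct the record is returned as is."""
    tags = parse_dmarc(txt)
    pct = tags.get("pct", 100)
    if pct < 100:
        tags["pct"] = next(r for r in RAMP if r > pct)
    elif tags["p"] in STRONGER:
        tags["p"], tags["pct"] = STRONGER[tags["p"]], RAMP[0]
    else:
        return txt
    return format_record(tags)


if __name__ == "__main__":
    rec = "v=DMARC1; p=none; rua=mailto:reports@yourdomain.com;"
    while True:                              # print the whole ramp, none -> reject 100%
        print(rec)
        nxt = next_step(rec)
        if nxt == rec:
            break
        rec = nxt
    reject5 = parse_dmarc("v=DMARC1; p=reject; pct=5;")
    print("unsampled failure under p=reject; pct=5 ->", disposition(reject5, False, roll=42))
```

The disposition function is the part worth keeping around: before you publish each rung, feed it the new record with dmarc_passed=False and a few rolls to confirm what the unsampled majority of failures will receive. Note also that sp defaults to p, so once you reach p=reject every subdomain without its own record is rejected too; if a subdomain still has unauthenticated senders, give it an explicit sp (or its own _dmarc record) before the final step.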

Policy comparison

p=quarantine
  Impact: Failing mail is sent to the spam/junk folder. Delivery is not blocked, reducing the risk of lost legitimate messages if a source is misconfigured. It is a safety net during the transition.
  Security level: Offers good protection by filtering suspicious mail away from the primary inbox, reducing the chances of a user interacting with a phishing attempt.

p=reject
  Impact: Failing mail is blocked entirely and never reaches the recipient's mailbox. This is the most secure option but carries a higher risk if legitimate senders are not fully authenticated.
  Security level: Provides the maximum level of protection against domain spoofing and direct phishing attacks, as malicious emails are prevented from being delivered at all.
Transitioning your DMARC policy is a marathon, not a sprint. By following this phased approach, progressing through monitoring, quarantining, and rejecting, you can significantly bolster your email security without disrupting your business operations. Each step is built on the data and confidence gained in the previous one.
Remember, DMARC isn't a 'set and forget' protocol. Even after you reach p=reject, you should continue to monitor your reports. New sending services are added over time, and you will need to ensure they are properly authenticated. Staying vigilant is the key to maintaining long-term domain security.
