Understanding DMARC: Reject vs. Quarantine Policies

DMARC (Domain-based Message Authentication, Reporting, and Conformance) is an email authentication protocol, specified in RFC 7489, that protects your domain from unauthorized use in the From: header, commonly known as email spoofing. It builds on SPF and DKIM: a message passes DMARC when at least one of the two passes and the domain it authenticated aligns with the From: domain.
When you publish a DMARC record, one of the most critical decisions is the policy (p=) tag. It tells receiving mail servers what to do with messages that fail DMARC. The policy is a request to receivers, not a guarantee: receivers that implement DMARC honour it, but the domain owner cannot force them to.
The Lifecycle of DMARC Policies
Organizations typically move through three stages of DMARC enforcement:
1. p=none (Monitoring Phase) This policy asks receivers to take no action on messages that fail DMARC, only to send aggregate reports to the address in the rua= tag. This is critical for understanding your email ecosystem (every source that sends as your domain) without affecting deliverability.
2. p=quarantine (The Soft Landing) With quarantine, receivers treat failing messages as suspicious; in practice most deliver them to the recipient's spam or junk folder. This is a cautious step towards enforcement. It protects users while allowing you to catch false positives (legitimate emails failing authentication): a sender you missed lands in junk rather than bouncing, and the reports show you which source it was.
3. p=reject (Full Enforcement) This is the ultimate goal. Receivers refuse the failing message, usually with a 5xx response during the SMTP transaction, so the intended recipient never sees it. This stops spoofing of your exact domain. Lookalike domains and display-name tricks are outside DMARC's scope and still need other controls.
Making the Transition
Moving from none to reject requires thorough analysis of the aggregate DMARC reports (RUA) over several weeks, since some legitimate senders only mail monthly or quarterly. Every legitimate source (marketing platform, CRM, HR tools) must pass SPF or DKIM with a domain that aligns with the From: domain. A vendor that signs with its own DKIM domain or uses its own envelope sender passes authentication but still fails DMARC, so it must be set up to sign with your domain, or to send from a subdomain you delegate to it. Two tags soften the switch: pct= applies the stricter policy to only a percentage of failing mail, and sp= sets a separate policy for subdomains, which otherwise inherit p=.
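The following Python script is an added example, not code from the original article. It parses a DMARC TXT record for each of the three policies above, evaluates a constructed aggregate (RUA) report the way a receiver would (SPF or DKIM pass plus alignment with the From: domain), and reports per source IP what would happen to its mail under p=none, p=quarantine and p=reject. The report content, the IP addresses, the domains (example.com, crm-vendor.example, newsletter.example.com) and the organizational-domain shortcut in aligned() are assumptions made for illustration; a real receiver uses the Public Suffix List for relaxed alignment.

```python
import xml.etree.ElementTree as ET

VALID_POLICIES = ("none", "quarantine", "reject")

# Constructed sample aggregate (RUA) report in the RFC 7489 Appendix C shape,
# trimmed to the elements read below. Four sources put example.com in From:
#   192.0.2.10     own mail servers: SPF and DKIM pass and align
#   198.51.100.20  CRM vendor: SPF and DKIM pass, but for the vendor's domains
#   203.0.113.5    spoofer: no DKIM signature, SPF fails
#   192.0.2.25     newsletter.example.com subdomain: aligned in relaxed mode only
SAMPLE_RUA = """<feedback>
<report_metadata><org_name>receiver.example</org_name><report_id>c1</report_id></report_metadata>
<policy_published><domain>example.com</domain><adkim>r</adkim><aspf>r</aspf><p>none</p></policy_published>
<record><row><source_ip>192.0.2.10</source_ip><count>120</count></row>
<identifiers><header_from>example.com</header_from></identifiers><auth_results>
<dkim><domain>example.com</domain><result>pass</result></dkim>
<spf><domain>example.com</domain><result>pass</result></spf></auth_results></record>
<record><row><source_ip>198.51.100.20</source_ip><count>45</count></row>
<identifiers><header_from>example.com</header_from></identifiers><auth_results>
<dkim><domain>crm-vendor.example</domain><result>pass</result></dkim>
<spf><domain>bounce.crm-vendor.example</domain><result>pass</result></spf></auth_results></record>
<record><row><source_ip>203.0.113.5</source_ip><count>300</count></row>
<identifiers><header_from>example.com</header_from></identifiers><auth_results>
<spf><domain>example.com</domain><result>fail</result></spf></auth_results></record>
<record><row><source_ip>192.0.2.25</source_ip><count>30</count></row>
<identifiers><header_from>example.com</header_from></identifiers><auth_results>
<dkim><domain>newsletter.example.com</domain><result>pass</result></dkim>
<spf><domain>newsletter.example.com</domain><result>pass</result></spf></auth_results></record>
</feedback>"""

def parse_dmarc_record(txt):
    """Split a DMARC TXT record into tags and apply RFC 7489 defaults. Rejects
    a record whose first tag is not v=DMARC1 or whose p= is not a policy."""
    tags = {}
    for part in txt.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.lower()] = value.strip()
    if next(iter(tags), None) != "v" or tags["v"] != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    if tags.get("p") not in VALID_POLICIES:
        raise ValueError("p= must be one of none, quarantine, reject")
    tags.setdefault("adkim", "r")     # relaxed DKIM alignment by default
    tags.setdefault("aspf", "r")      # relaxed SPF alignment by default
    tags.setdefault("sp", tags["p"])  # subdomains inherit p= unless sp= is set
    return tags

def aligned(header_from, auth_domain, mode):
    """Strict ("s") needs an exact match; relaxed ("r") the same organizational
    domain (assumption: a domain and its subdomains count as one organization)."""
    header_from, auth_domain = header_from.lower(), auth_domain.lower()
    if header_from == auth_domain:
        return True
    if mode == "s":
        return False
    return auth_domain.endswith("." + header_from) or header_from.endswith("." + auth_domain)

def dmarc_passes(rec, adkim, aspf):
    """DMARC passes when DKIM or SPF passes *and* that identifier aligns."""
    hf = rec["header_from"]
    return (any(r == "pass" and aligned(hf, d, adkim) for d, r in rec["dkim"])
            or any(r == "pass" and aligned(hf, d, aspf) for d, r in rec["spf"]))

def parse_aggregate_report(xml_text):
    """Return (policy_published tags, per-source records) from a RUA report."""
    root = ET.fromstring(xml_text)
    published = {c.tag: c.text for c in root.find("policy_published")}
    records = []
    for r in root.findall("record"):
        auth = r.find("auth_results")
        records.append({
            "source_ip": r.find("row").findtext("source_ip"),
            "count": int(r.find("row").findtext("count")),
            "header_from": r.find("identifiers").findtext("header_from"),
            "dkim": [(a.findtext("domain"), a.findtext("result")) for a in auth.findall("dkim")],
            "spf": [(a.findtext("domain"), a.findtext("result")) for a in auth.findall("spf")],
        })
    return published, records

def policy_impact(records, record_txt):
    """Per source IP: messages seen, how many fail DMARC, and what a receiver
    honouring record_txt's p= tag does with the failures (none = deliver)."""
    tags = parse_dmarc_record(record_txt)
    impact = {}
    for rec in records:
        e = impact.setdefault(rec["source_ip"], {"messages": 0, "failing": 0, "action": "none"})
        e["messages"] += rec["count"]
        if not dmarc_passes(rec, tags["adkim"], tags["aspf"]):
            e["failing"] += rec["count"]
            e["action"] = tags["p"]
    return impact

if __name__ == "__main__":
    _, recs = parse_aggregate_report(SAMPLE_RUA)
    for txt in ("v=DMARC1; p=none; rua=mailto:dmarc@example.com",
                "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com",
                "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@example.com"):
        print(txt)
        for ip, e in policy_impact(recs, txt).items():
            print(f"  {ip:14} {e['messages']:4} msgs, {e['failing']:4} failing -> {e['action']}")
```

Run as a script, it prints the same four sources three times: under p=none every failing source is still delivered (action none), under p=quarantine the unaligned CRM vendor and the spoofer both go to junk, and under p=reject with strict alignment the newsletter subdomain also starts bouncing. That last line is the point of the exercise: the CRM vendor's 45 messages are the false positive you must fix (have the vendor sign with your domain or send from a delegated subdomain) before tightening the policy, while the spoofer's 300 are what the policy exists to stop.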
Don't rush to p=reject, but don't stay at p=none forever.