Moving from p=none to p=quarantine or reject
Learn when and how to move DMARC from monitoring to enforcement, review reports, fix legitimate senders and avoid blocking real mail.
Introduction
p=none is the monitoring stage of DMARC. It lets you collect reports without asking receivers to quarantine or reject failing messages. Moving beyond p=none is an important step, but it should be done carefully.
Before changing to p=quarantine or p=reject, you should understand who sends mail for your domain, confirm that legitimate senders pass SPF or DKIM alignment, and review DMARC reports for unknown or misconfigured sources. Enforcement is powerful, but moving too quickly can block real business email.
Quick answer
Move from p=none only after reviewing DMARC reports and confirming legitimate senders pass SPF or DKIM alignment. A safe rollout usually starts with p=none, then p=quarantine, optionally with pct, and finally p=reject when reports show that valid mail is passing authentication.
DMARC enforcement
DMARC enforcement means using a policy that asks receiving mail servers to take action against messages that fail DMARC.
p=none
Monitor only. No enforcement requested.
p=quarantine
Ask receivers to treat failing mail as suspicious, often by placing it in spam or quarantine.
p=reject
Ask receivers to reject failing mail.
DMARC enforcement should happen after monitoring, not before authentication is understood.
When to move beyond p=none
It is safer to move beyond p=none when:
- DMARC reports are being received and reviewed
- All legitimate sending services are identified
- SPF is valid and not duplicated
- DKIM is enabled for key providers
- Important senders pass DMARC alignment
- Unknown sources have been investigated
- Forwarding and third-party senders are understood
- No important mail stream depends on unauthenticated sending
- A rollback plan exists
If you are not sure who sends mail for the domain, stay at p=none while collecting more data.
Rollout path
-
Step 1: Start with p=none
Collect reports and identify legitimate senders.
-
Step 2: Fix authentication
Configure SPF, DKIM and alignment for known senders.
-
Step 3: Move to p=quarantine
Start enforcement by asking receivers to treat failing mail as suspicious.
-
Step 4: Use pct if needed
Optionally apply enforcement to a percentage of messages.
-
Step 5: Move to p=reject
Use reject only when legitimate mail is consistently passing DMARC.
-
Step 6: Continue monitoring
Keep reviewing DMARC reports after enforcement.
What pct means
The pct tag controls the percentage of messages affected by the DMARC policy.
v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@example.com
This asks receivers to apply the quarantine policy to 25% of messages that fail DMARC.
pct=25
Apply policy to part of failing traffic.
pct=50
Increase enforcement gradually.
pct=100
Apply policy to all failing traffic.
pct can help with gradual rollout, but not all receiver behavior is identical. It should not replace report review.
Why this matters
This matters because DMARC enforcement can reduce spoofing, but it can also expose hidden authentication problems. If legitimate senders are not aligned before enforcement, real emails may go to spam or be rejected.
p=reject is a strong policy. It should be treated like a production change, not a quick DNS edit.
How to check readiness
Use DMARC Checker to inspect your current policy, reporting addresses and alignment settings.
When checking readiness, review
These seven checks help confirm the domain is ready for enforcement.
Current policy
Confirm whether the domain uses p=none, p=quarantine or p=reject.
Reports
Confirm aggregate reports are arriving and being reviewed.
Legitimate senders
Identify mailbox providers, marketing tools, CRMs, transactional senders and website forms.
SPF alignment
Check whether SPF passes and aligns where needed.
DKIM alignment
Check whether DKIM passes and aligns for key providers.
Subdomains
Check whether subdomains send mail and whether sp is needed.
Rollback plan
Know how to return to p=none if legitimate mail is affected.
Check DMARC policy now
Use DMARC Checker to review your policy, reporting and alignment settings.
Common problems
Moving to reject too early
HighLegitimate senders may fail DMARC if SPF or DKIM alignment is not fixed first.
Next step: Return to p=none or p=quarantine while fixing sender authentication.
Reports not reviewed before enforcement
HighThe domain owner may not know which providers send legitimate mail.
Next step: Collect and review aggregate reports before policy changes.
Third-party sender fails alignment
MediumA CRM, newsletter tool or billing provider may send as your domain but fail DMARC alignment.
Next step: Enable custom DKIM or custom Return-Path where supported.
Website contact forms fail authentication
MediumForms may send directly from hosting without DKIM or aligned SPF.
Next step: Send forms through an authenticated SMTP or transactional provider.
Subdomain mail not considered
MediumA subdomain may send mail independently and be affected by policy inheritance.
Next step: Review subdomain senders and configure sp or subdomain DMARC records.
pct misunderstood
Lowpct can help gradual rollout, but it does not replace report analysis.
Next step: Use pct only as part of a planned rollout.
No rollback plan
MediumIf mail is affected, there is no quick way to reduce enforcement.
Next step: Document the previous DMARC record and who can update DNS.
How to move safely
-
Step 1: Collect reports with p=none
Start by monitoring. Do not enforce until you understand normal sending patterns.
-
Step 2: Inventory all senders
List mailbox provider, CRM, marketing platform, transactional provider, website forms, billing system and helpdesk tools.
-
Step 3: Fix SPF and DKIM alignment
Enable custom DKIM and provider-recommended SPF or Return-Path settings.
-
Step 4: Review unknown sources
Classify unknown sources as legitimate, old systems, forwarding behavior or spoofing.
-
Step 5: Move to p=quarantine first
Use quarantine as an intermediate enforcement stage before reject.
-
Step 6: Consider pct rollout
If appropriate, start with pct=25 or pct=50 before full enforcement.
-
Step 7: Monitor impact
Watch reports, support tickets, bounce messages and business email flows.
-
Step 8: Move to p=reject
Use reject only after legitimate senders are stable and aligned.
-
Step 9: Keep monitoring
Continue reviewing DMARC reports after enforcement.
Enforcement examples
v=DMARC1; p=none; rua=mailto:dmarc@example.com
v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com
v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@example.com
v=DMARC1; p=reject; rua=mailto:dmarc@example.com
v=DMARC1; p=reject; sp=quarantine; rua=mailto:dmarc@example.com
dig _dmarc.example.com TXT
dig +short _dmarc.example.com TXT
These examples are illustrative. Do not move to quarantine or reject before reviewing legitimate senders and DMARC reports.
Rollback plan
Before changing DMARC enforcement, keep a rollback plan.
- Current DMARC record
- Previous DMARC record
- DNS provider access
- Person responsible for DNS changes
- Monitoring mailbox or report service
- List of key business senders
- Support contact for email provider
If legitimate mail is affected, temporarily reducing policy from reject to quarantine or none may be necessary while fixing alignment.
Enforcement checklist
Before p=quarantine
Confirm these items before moving to quarantine.
Reports received
Aggregate reports are arriving and reviewed.
Legitimate senders identified
Known mail streams are documented.
DKIM enabled where possible
Key providers sign with aligned domains.
SPF valid
One SPF record, no duplicate or broken syntax.
Major senders align
Important sources pass DMARC alignment.
Unknown sources reviewed
Unrecognized IPs are classified.
Rollback plan ready
Previous policy and DNS access documented.
Before p=reject
Confirm these items before moving to reject.
Quarantine period reviewed
Enforcement impact observed during quarantine.
No major legitimate failures
Business mail passes authentication consistently.
Third-party senders aligned
CRM, marketing and transactional tools configured.
Subdomains reviewed
Subdomain mail and sp policy considered.
Reports still monitored
rua reporting remains active.
Support/bounce issues checked
No unexpected delivery problems reported.
Frequently asked questions
Should I start DMARC with p=reject?
Usually no. Start with p=none, review reports, fix legitimate senders, then move gradually to enforcement.
What is the difference between quarantine and reject?
quarantine asks receivers to treat failing mail as suspicious. reject asks receivers to reject failing mail.
What does pct do?
pct tells receivers what percentage of failing messages should be affected by the policy.
Can DMARC enforcement block legitimate email?
Yes, if legitimate senders do not pass SPF or DKIM alignment.
How long should I stay at p=none?
Long enough to collect meaningful reports and identify legitimate senders. The exact time depends on mail volume and complexity.
Should I use p=quarantine before p=reject?
For most domains, yes. Quarantine is a safer intermediate step before reject.
Can I roll back from reject?
Yes. You can change the DMARC policy back to quarantine or none while fixing legitimate sender issues.
Related tools
Use these free tools to verify your configuration after applying changes.
Related guides
Browse all Email Authentication guides →Need help applying this fix?
Send us your domain, report link or issue details. CheckDomainHealth will review the request and route it to the right technical team if hands-on support is needed.
Was this guide helpful?
Your feedback helps us improve our guides for everyone.
Thanks for your feedback!