Moving from p=none to p=quarantine or reject

Learn when and how to move DMARC from monitoring to enforcement, review reports, fix legitimate senders and avoid blocking real mail.

By CheckDomainHealth Editorial Team Reviewed by Dionis Ceban Updated Jun 28, 2026 9 min read Advanced

Introduction

p=none is the monitoring stage of DMARC. It lets you collect reports without asking receivers to quarantine or reject failing messages. Moving beyond p=none is an important step, but it should be done carefully.

Before changing to p=quarantine or p=reject, you should understand who sends mail for your domain, confirm that legitimate senders pass SPF or DKIM alignment, and review DMARC reports for unknown or misconfigured sources. Enforcement is powerful, but moving too quickly can block real business email.

Quick answer

Quick answer

Move from p=none only after reviewing DMARC reports and confirming legitimate senders pass SPF or DKIM alignment. A safe rollout usually starts with p=none, then p=quarantine, optionally with pct, and finally p=reject when reports show that valid mail is passing authentication.

DMARC enforcement

DMARC enforcement means using a policy that asks receiving mail servers to take action against messages that fail DMARC.

p=none

Monitor only. No enforcement requested.

p=quarantine

Ask receivers to treat failing mail as suspicious, often by placing it in spam or quarantine.

p=reject

Ask receivers to reject failing mail.

DMARC enforcement should happen after monitoring, not before authentication is understood.

When to move beyond p=none

It is safer to move beyond p=none when:

  • DMARC reports are being received and reviewed
  • All legitimate sending services are identified
  • SPF is valid and not duplicated
  • DKIM is enabled for key providers
  • Important senders pass DMARC alignment
  • Unknown sources have been investigated
  • Forwarding and third-party senders are understood
  • No important mail stream depends on unauthenticated sending
  • A rollback plan exists

If you are not sure who sends mail for the domain, stay at p=none while collecting more data.

Rollout path

  1. Step 1: Start with p=none

    Collect reports and identify legitimate senders.

  2. Step 2: Fix authentication

    Configure SPF, DKIM and alignment for known senders.

  3. Step 3: Move to p=quarantine

    Start enforcement by asking receivers to treat failing mail as suspicious.

  4. Step 4: Use pct if needed

    Optionally apply enforcement to a percentage of messages.

  5. Step 5: Move to p=reject

    Use reject only when legitimate mail is consistently passing DMARC.

  6. Step 6: Continue monitoring

    Keep reviewing DMARC reports after enforcement.

What pct means

The pct tag controls the percentage of messages affected by the DMARC policy.

Example
v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@example.com

This asks receivers to apply the quarantine policy to 25% of messages that fail DMARC.

pct=25

Apply policy to part of failing traffic.

pct=50

Increase enforcement gradually.

pct=100

Apply policy to all failing traffic.

pct can help with gradual rollout, but not all receiver behavior is identical. It should not replace report review.

Why this matters

Why this matters

This matters because DMARC enforcement can reduce spoofing, but it can also expose hidden authentication problems. If legitimate senders are not aligned before enforcement, real emails may go to spam or be rejected.

p=reject is a strong policy. It should be treated like a production change, not a quick DNS edit.

How to check readiness

Use DMARC Checker to inspect your current policy, reporting addresses and alignment settings.

When checking readiness, review

These seven checks help confirm the domain is ready for enforcement.

Current policy

Confirm whether the domain uses p=none, p=quarantine or p=reject.

Reports

Confirm aggregate reports are arriving and being reviewed.

Legitimate senders

Identify mailbox providers, marketing tools, CRMs, transactional senders and website forms.

SPF alignment

Check whether SPF passes and aligns where needed.

DKIM alignment

Check whether DKIM passes and aligns for key providers.

Subdomains

Check whether subdomains send mail and whether sp is needed.

Rollback plan

Know how to return to p=none if legitimate mail is affected.

Check DMARC policy now

Use DMARC Checker to review your policy, reporting and alignment settings.

Run DMARC Check →

Common problems

Moving to reject too early

High

Legitimate senders may fail DMARC if SPF or DKIM alignment is not fixed first.

Next step: Return to p=none or p=quarantine while fixing sender authentication.

Reports not reviewed before enforcement

High

The domain owner may not know which providers send legitimate mail.

Next step: Collect and review aggregate reports before policy changes.

Third-party sender fails alignment

Medium

A CRM, newsletter tool or billing provider may send as your domain but fail DMARC alignment.

Next step: Enable custom DKIM or custom Return-Path where supported.

Website contact forms fail authentication

Medium

Forms may send directly from hosting without DKIM or aligned SPF.

Next step: Send forms through an authenticated SMTP or transactional provider.

Subdomain mail not considered

Medium

A subdomain may send mail independently and be affected by policy inheritance.

Next step: Review subdomain senders and configure sp or subdomain DMARC records.

pct misunderstood

Low

pct can help gradual rollout, but it does not replace report analysis.

Next step: Use pct only as part of a planned rollout.

No rollback plan

Medium

If mail is affected, there is no quick way to reduce enforcement.

Next step: Document the previous DMARC record and who can update DNS.

How to move safely

  1. Step 1: Collect reports with p=none

    Start by monitoring. Do not enforce until you understand normal sending patterns.

  2. Step 2: Inventory all senders

    List mailbox provider, CRM, marketing platform, transactional provider, website forms, billing system and helpdesk tools.

  3. Step 3: Fix SPF and DKIM alignment

    Enable custom DKIM and provider-recommended SPF or Return-Path settings.

  4. Step 4: Review unknown sources

    Classify unknown sources as legitimate, old systems, forwarding behavior or spoofing.

  5. Step 5: Move to p=quarantine first

    Use quarantine as an intermediate enforcement stage before reject.

  6. Step 6: Consider pct rollout

    If appropriate, start with pct=25 or pct=50 before full enforcement.

  7. Step 7: Monitor impact

    Watch reports, support tickets, bounce messages and business email flows.

  8. Step 8: Move to p=reject

    Use reject only after legitimate senders are stable and aligned.

  9. Step 9: Keep monitoring

    Continue reviewing DMARC reports after enforcement.

Enforcement examples

Monitoring
v=DMARC1; p=none; rua=mailto:dmarc@example.com
Start quarantine
v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com
Partial quarantine
v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@example.com
Full reject
v=DMARC1; p=reject; rua=mailto:dmarc@example.com
Subdomain policy example
v=DMARC1; p=reject; sp=quarantine; rua=mailto:dmarc@example.com
Check commands
dig _dmarc.example.com TXT
dig +short _dmarc.example.com TXT

These examples are illustrative. Do not move to quarantine or reject before reviewing legitimate senders and DMARC reports.

Rollback plan

Before changing DMARC enforcement, keep a rollback plan.

  • Current DMARC record
  • Previous DMARC record
  • DNS provider access
  • Person responsible for DNS changes
  • Monitoring mailbox or report service
  • List of key business senders
  • Support contact for email provider

If legitimate mail is affected, temporarily reducing policy from reject to quarantine or none may be necessary while fixing alignment.

Enforcement checklist

Before p=quarantine

Confirm these items before moving to quarantine.

Reports received

Aggregate reports are arriving and reviewed.

Legitimate senders identified

Known mail streams are documented.

DKIM enabled where possible

Key providers sign with aligned domains.

SPF valid

One SPF record, no duplicate or broken syntax.

Major senders align

Important sources pass DMARC alignment.

Unknown sources reviewed

Unrecognized IPs are classified.

Rollback plan ready

Previous policy and DNS access documented.

Before p=reject

Confirm these items before moving to reject.

Quarantine period reviewed

Enforcement impact observed during quarantine.

No major legitimate failures

Business mail passes authentication consistently.

Third-party senders aligned

CRM, marketing and transactional tools configured.

Subdomains reviewed

Subdomain mail and sp policy considered.

Reports still monitored

rua reporting remains active.

Support/bounce issues checked

No unexpected delivery problems reported.

Frequently asked questions

Should I start DMARC with p=reject?

Usually no. Start with p=none, review reports, fix legitimate senders, then move gradually to enforcement.

What is the difference between quarantine and reject?

quarantine asks receivers to treat failing mail as suspicious. reject asks receivers to reject failing mail.

What does pct do?

pct tells receivers what percentage of failing messages should be affected by the policy.

Can DMARC enforcement block legitimate email?

Yes, if legitimate senders do not pass SPF or DKIM alignment.

How long should I stay at p=none?

Long enough to collect meaningful reports and identify legitimate senders. The exact time depends on mail volume and complexity.

Should I use p=quarantine before p=reject?

For most domains, yes. Quarantine is a safer intermediate step before reject.

Can I roll back from reject?

Yes. You can change the DMARC policy back to quarantine or none while fixing legitimate sender issues.

Use these free tools to verify your configuration after applying changes.

Browse all Email Authentication guides →

Need help applying this fix?

Send us your domain, report link or issue details. CheckDomainHealth will review the request and route it to the right technical team if hands-on support is needed.

Get Help Run Domain Health Check

Was this guide helpful?

Your feedback helps us improve our guides for everyone.