DMARC Policies: none, quarantine, and reject
Part of our guide to Email Authentication Explained: SPF, DKIM, and DMARC.
The DMARC p= tag has exactly three values, and they sit on a ladder from passive to strict: none watches and reports, quarantine diverts failures to spam, and reject refuses them at the door. Choosing the right one is less about which is best and more about where you are in your rollout. For how the tag fits into the wider record alongside SPF and DKIM, read Email authentication explained.
All three behaviors are defined in RFC 7489, the DMARC specification, which describes the policy as a request that receivers are asked to honor for mail failing authentication and alignment. The protocol is advisory, not mandatory, but the major mailbox providers act on it consistently. If you only know the three names and nothing else, the pillar overview at Email authentication explained gives you the context for why the policy exists at all.
What each policy actually instructs
| Policy | What receivers do | When to use it |
|---|---|---|
| none | Deliver failing mail normally and send you reports | Day one, while you discover every legitimate sender |
| quarantine | Treat failures as suspicious, typically routing them to spam | After reports confirm your real mail passes |
| reject | Refuse failing mail outright so it is never delivered | Last, once enforcement causes no collateral damage |
none is the monitoring state. It changes nothing about delivery; a spoofed message that fails still arrives. Its entire purpose is to switch on the reporting feedback loop so you can map who sends as your domain before you act. Treat it as reconnaissance, not a destination.
quarantine is the first real enforcement step. Receivers that honor it move failing mail to the spam or junk folder rather than the inbox. That is forgiving by design: if you misjudged a sender, the recipient can still fish the message out. It buys you a safety margin while you confirm the policy is not catching anything it should not.
reject is the end state. Failing mail is bounced or silently dropped before delivery, which is exactly what you want against spoofing, and exactly what hurts if a legitimate sender slips through. There is no spam folder to recover from. This is why reject is earned, not assumed.
The progression, in order
The recommended path is none then quarantine then reject, and the order is not decorative.
- Publish p=none with an rua reporting address and leave it for one to two weeks. Read the aggregate reports until you recognize every sending source.
- Switch to p=quarantine once those reports show your legitimate senders passing SPF or DKIM with alignment. Watch for a week or two more.
- Move to p=reject only when quarantine has produced no surprises and your real mail flows untouched.
Use pct to ramp, not to leap
The pct tag lets you apply a policy to a fraction of failing mail instead of all of it. So p=quarantine; pct=25 enforces quarantine on roughly a quarter of failures and leaves the rest at the next-lower behavior (none, in this case). This is how cautious teams ease into enforcement: start at a low percentage, watch the reports, and step it up as confidence grows, 25, then 50, then 100, before changing the policy word itself. One caveat worth remembering: pct is a sampling request, and some receivers apply it loosely, so treat it as a dial rather than a precise valve.
Do not forget subdomains with sp
By default your p= policy also covers subdomains, but you can override that with the sp= tag. This matters because attackers love spoofing subdomains you never send from, like mail.yourdomain.example or invented ones. A common pattern is to keep the organizational domain forgiving while locking subdomains down hard, for example p=quarantine; sp=reject, since you rarely have legitimate subdomain senders to protect. If you do send from subdomains, map them in your reports first, the same way you mapped the parent domain.
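To make the pct and sp behaviour concrete, here is an added example (not code from the page) that parses a DMARC TXT record and works out which policy a receiver would apply to a message that failed authentication, following the RFC 7489 rules the text describes: sp= overrides p= for subdomains, and the pct= remainder falls to the next-lower policy. The domains and records are constructed for illustration, and the optional `sample` argument replaces the receiver's random draw so the outcome is deterministic.

```python
import random

POLICIES = ("none", "quarantine", "reject")
# pct remainder drops one rung on the ladder; none has nothing below it.
NEXT_LOWER = {"reject": "quarantine", "quarantine": "none", "none": "none"}


def parse_dmarc(record: str) -> dict:
    """Split a 'v=DMARC1; p=...; ...' TXT record into a tag/value dict and validate it."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part!r}")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    if tags.get("p") not in POLICIES:
        raise ValueError("p= must be none, quarantine or reject")
    if "sp" in tags and tags["sp"] not in POLICIES:
        raise ValueError("sp= must be none, quarantine or reject")
    if not 0 <= int(tags.get("pct", "100")) <= 100:
        raise ValueError("pct= must be between 0 and 100")
    return tags


def applied_policy(record: str, from_domain: str, org_domain: str, sample=None) -> str:
    """Policy a receiver applies to a failing message whose From: domain is from_domain.

    sample is the receiver's random draw in [0, 100); pass it explicitly for repeatable results.
    """
    tags = parse_dmarc(record)
    from_domain, org_domain = from_domain.lower(), org_domain.lower()
    is_subdomain = from_domain != org_domain and from_domain.endswith("." + org_domain)
    # sp= only matters for subdomains; without it, p= covers them too.
    policy = tags["sp"] if (is_subdomain and "sp" in tags) else tags["p"]
    pct = int(tags.get("pct", "100"))
    if sample is None:
        sample = random.random() * 100
    if sample >= pct:  # outside the sampled fraction: next-lower behaviour
        policy = NEXT_LOWER[policy]
    return policy


if __name__ == "__main__":
    # Constructed record matching the pattern discussed above: forgiving parent, strict subdomains.
    rec = "v=DMARC1; p=quarantine; sp=reject; pct=25; rua=mailto:dmarc@example.com"
    for dom in ("example.com", "mail.example.com"):
        print(dom, applied_policy(rec, dom, "example.com", sample=10), applied_policy(rec, dom, "example.com", sample=60))
```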
Why jumping to reject too early backfires
The single most common DMARC mistake is publishing p=reject before monitoring. The damage is invisible until it is not: a payroll provider, a calendar invite service, a marketing platform you set up years ago, any one of them can fail alignment and have its mail bounced with no warning to you. Recipients simply never receive it, and you find out when someone complains. The reports you would have read at none are precisely what would have caught it. Patience here costs you a couple of weeks; impatience can cost you mail you cannot get back.
For why authenticated mail can still land in spam even after you tune all this, see why your email goes to spam, and for the full anatomy of the record and its tags, DMARC explained.
Not sure which policy your domain publishes right now? Check any domain's live DMARC record free at domainintel.app and confirm where you sit on the ladder before you tighten it.
Frequently asked questions
What is the difference between DMARC none, quarantine, and reject?
none monitors only and asks receivers to deliver failing mail normally while reporting on it. quarantine asks receivers to treat failures as suspicious, usually sending them to the spam folder. reject asks receivers to block failing mail outright so it never lands.
Should I start with p=reject?
No. Start at none to monitor your real senders through reports, move to quarantine once they pass, then reach reject last. Jumping straight to reject risks blocking legitimate mail you did not know about.
What does pct do in DMARC?
pct applies your policy to a percentage of failing mail rather than all of it, so you can roll out quarantine or reject gradually. For example p=quarantine; pct=20 enforces on roughly one fifth of failures.