Beta testing is now live. We are looking for beta testers - use the contact form to sign up.
DMARCHubDMARCHub
Using DMARC

DMARC policies: p=none, quarantine and reject

Updated 4 June 2026 · 5 min read

The DMARC policy, set with the p= tag in your DNS record, tells receivers what to do with mail that fails authentication. There are three values: none monitors without acting, quarantine sends failing mail to spam, and reject refuses it outright. The whole point of a DMARC rollout is to move through them in that order, using your reports to know when it is safe to advance.

p=none: monitor

With p=none, receivers take no action on failing mail but still send you reports. This is where everyone starts. It is safe - nothing gets blocked - but it offers no protection on its own. Its job is to show you every source sending as your domain so you can authenticate the legitimate ones.

p=quarantine: send to spam

With p=quarantine, mail that fails DMARC is delivered to the spam or junk folder rather than the inbox. This is the middle step. By the time you reach it, your own mail should already be passing, so the only thing being quarantined is mail you did not authorise.

p=reject: block

With p=reject, failing mail is refused during delivery and never reaches the recipient. This is the goal. Only at reject is your domain genuinely protected from being spoofed. Google and Yahoo's bulk sender rules expect you to be heading here, not sitting on none indefinitely.

Controlling the rollout with pct

The pct tag applies your policy to a percentage of failing messages. Setting pct=25 with p=quarantine quarantines a quarter of failures and leaves the rest at the lower policy. It lets you ramp enforcement up gradually and watch the reports for any legitimate mail caught by mistake before going to one hundred per cent.

A safe path to enforcement

Publish p=none and collect reports. Authenticate every legitimate sender until your real mail passes cleanly. Move to p=quarantine, optionally with a low pct, and watch for problems. Raise the percentage, then switch to p=reject. Done in this order, you reach full protection without ever blocking mail your recipients should receive.

Frequently asked questions

Is p=none enough?

No. p=none gives you reports but provides no protection - spoofed mail is still delivered. It is the starting point for monitoring, not the destination. Only reject actually stops spoofing of your domain.

How long should I stay on p=none?

Long enough to see a full cycle of your legitimate mail and authenticate every real sender - often a few weeks. Rushing to reject before your own mail passes cleanly is how legitimate email gets blocked.

What does pct do?

The pct tag applies your policy to a percentage of failing mail, so you can move to quarantine or reject gradually - for example pct=25 enforces on a quarter of failures. It lets you ramp up enforcement while watching the reports.

DMARCHub turns these reports into a clear picture, hosted in the UK.

See how DMARCHub helps