When to move from p=none to quarantine or reject
Readiness checks before changing DMARC policy: reports flowing, senders identified, high alignment, no unknown meaningful-volume sources.
p=none is a monitoring-only policy. It tells receivers to collect and report data about your domain's email, but take no action on messages that fail DMARC. Moving to p=quarantine or p=reject changes that: receivers will start filtering or refusing mail that can't be authenticated.
Getting there prematurely breaks legitimate email. Getting there too slowly leaves your domain open to spoofing. Here's how to know when you're ready.
What p=none actually does
With p=none, every message gets delivered regardless of DMARC result. Receivers still evaluate alignment and send you aggregate reports, which is exactly what you want during the monitoring phase. Nothing breaks, and you accumulate data about who's sending on behalf of your domain.
p=none does not protect your domain from spoofing. A bad actor can send messages claiming to be from yourdomain.com and receivers will deliver them. The policy tells receivers you don't want enforcement yet.
The readiness checklist
Before moving to p=quarantine or p=reject, all of these should be true:
Reports have been flowing for at least 2-4 weeks. A few days of data isn't enough. You need enough history to see all your regular sending patterns, including low-frequency sends like monthly billing emails or quarterly newsletters.
Every expected sender is identified. Go through your sending sources in DMARCdrift. For each source you recognize, confirm it's properly authenticated (DKIM aligned or SPF aligned). For any source you don't recognize, investigate before enforcing.
Alignment rate is consistently high. "Consistently" means across multiple report periods, not just the last one. Look for 95%+ alignment across all your identified sending services. If you're at 80%, something is misconfigured.
No unknown sources sending meaningful volume. A handful of messages from an unrecognized source could be a probe. Thousands could be active spoofing. Either way, understand what it is before enforcing. If you enforce with an active unknown source, you're relying on p=reject to handle it — which works, but you should make that choice deliberately.
DKIM is configured for every significant sending service. SPF alignment breaks for forwarded mail; DKIM doesn't. Before enforcing, make sure your critical senders (transactional email, newsletters, internal tools) all have DKIM set up and aligned. Check the email authentication tool to verify.
Moving to quarantine first
p=quarantine sends unauthenticated messages to spam rather than rejecting them outright. It's a useful intermediate step because:
- Legitimate mail that fails alignment lands in spam rather than bouncing, giving you a chance to catch misconfigured senders
- You can observe the impact before committing to full rejection
- Some senders (mailing lists, legacy systems) may have alignment issues you didn't anticipate
Stay at quarantine for a week or two and watch your alignment data. If you see legitimate senders failing and landing in spam, fix their configuration before moving to reject.
Moving to reject
p=reject is the end state. Receivers refuse to deliver messages that fail DMARC entirely. This is the strongest protection against spoofing and the signal that tells the world your domain is properly configured.
Move to reject when:
- You've been at quarantine with no unexpected failures
- Your alignment rate across all senders is at or near 100%
- You've investigated and resolved every unknown source
How to roll back if something breaks
If you move to quarantine or reject and discover legitimate mail is failing, roll back by lowering the policy in your DMARC record:
_dmarc.yourdomain.com TXT "v=DMARC1; p=none; rua=..."DNS propagation takes up to 48 hours, so affected mail may continue to be filtered or rejected during that window. For critical transactional email (password resets, receipts), fix the underlying authentication issue rather than rolling back if at all possible — bounced transactional email has an immediate user impact that's worse than the spoofing risk.
See also: DMARC record reference: all DMARC record tags including p=, sp=, and pct=. What your DMARC alignment rate means: how to read alignment trends in DMARCdrift before enforcing.