### [DMARC Policy Explained: None, Quarantine, and Reject](https://wpmailsmtp.com/dmarc-policy-none-quarantine-and-reject/)

**Published:** July 9, 2026
**Author:** Rachel Adnyana

**Excerpt:** A DMARC policy tells receiving servers what to do with emails that fail authentication. Here's exactly what p=none, p=quarantine, and p=reject each do, the record syntax for all three, and a realistic timeline for moving from monitoring to full enforcement.

**Content:**

A DMARC policy is the instruction in your DMARC record that tells receiving mail servers what to do with emails that fail authentication. There are three options: **none** (monitor only), **quarantine** (send to spam), and **reject** (block entirely). This single tag, written as `p=` in your DNS record, is the difference between DMARC that just watches your email traffic and DMARC that actually stops spoofed messages from reaching an inbox.

If you already have a DMARC record, the policy is easy to find. It sits right after `p=` in the record:

```

v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com

```

In this example, the policy is `quarantine`. Below, I’ll break down what each of the three policies does, show you the exact record syntax for each, and lay out a realistic timeline for moving from monitoring to full enforcement.

- [Do you already have a DMARC policy set?](#aioseo-do-you-already-have-a-dmarc-policy-set-5)
- [None vs. quarantine vs. reject at a glance](#aioseo-none-vs-quarantine-vs-reject-at-a-glance-15)
- [p=none: monitoring without enforcement](#aioseo-pnone-monitoring-without-enforcement-17)
- [p=quarantine: the transitional enforcement policy](#aioseo-pquarantine-the-transitional-enforcement-policy-31)
- [p=reject: full enforcement](#aioseo-preject-full-enforcement-40)
- [The pct and sp tags](#aioseo-the-pct-and-sp-tags-48)
- [How long the move from none to reject actually takes](#aioseo-how-long-the-move-from-none-to-reject-actually-takes-56)
- [Common mistakes to avoid](#aioseo-common-mistakes-to-avoid-64)
- [FAQ](#aioseo-faq-71)

## Do you already have a DMARC policy set?

If you’re not sure whether your domain has a DMARC record at all, or what policy it’s using, that’s the first thing to check before any of this matters.

The easiest way is a free DMARC lookup tool like [MXToolbox](https://mxtoolbox.com/dmarc.aspx). Enter your domain, and it will show you the full record, including the `p=` value, if one exists. You’ll see one of three things:

- **No DMARC record found.** Your domain has no policy at all, meaning anyone can spoof your domain in emails with no consequence.
- **A record with p=none.** DMARC is set up in monitoring mode, but not enforcing anything yet.
- **A record with p=quarantine or p=reject.** DMARC is actively enforcing a policy.

If nothing shows up, you’ll need to create a DMARC record before a policy applies to you at all. I’ve written a full walkthrough, with screenshots for adding the record through your DNS provider, in [how to create a DMARC record](https://wpmailsmtp.com/how-to-create-dmarc-record/). That guide covers where DNS records live (your host, registrar, or CDN), the exact fields to fill in, and how to confirm the record is live once you’ve published it.

While you’re checking, it’s also worth confirming that your WordPress site’s own outgoing mail is set up to pass SPF and DKIM in the first place. [WP Mail SMTP](https://wpmailsmtp.com/) shows you the authentication status of every email your site sends, so you’re not guessing at whether your own site is one of the sources DMARC is about to flag.

[Fix Your WordPress Emails Now](https://wpmailsmtp.com/pricing/)

![Check DMARC Record](https://wpmailsmtp.com/wp-content/uploads/2024/09/dmarc-record-check-1024x597.png)The rest of this post assumes you either have a record already or have just created one, and want to understand which policy to choose and when to change it.

## None vs. quarantine vs. reject at a glance

**p=none****p=quarantine****p=reject****What happens to failing mail**Delivered normallySent to spam/junkBlocked before delivery**Protection level**None (monitoring only)PartialFull**Deliverability risk if misconfigured**NoneLegitimate mail may hit spamLegitimate mail may bounce**Best used when**Starting out, mapping sendersSenders mostly verified, testing enforcementAll senders confirmed passing**Reports still sent?**YesYesYes## p=none: monitoring without enforcement

**p=none** is the starting policy for every domain publishing DMARC for the first time. It tells receiving servers to take no action on emails that fail authentication. Failing messages are still delivered exactly as they would be without DMARC. The only thing that changes is that you start receiving aggregate reports showing which sources are sending email as your domain and whether they’re passing SPF and DKIM.

```

v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com

```

**What p=none does:**

- Generates visibility into every server sending mail on behalf of your domain
- Has zero impact on deliverability, since no enforcement action is taken
- Requires no prior SPF or DKIM setup to publish

**What p=none does not do:**

- Stop phishing or spoofing attempts using your domain
- Protect your brand or your recipients in any way
- Serve as a valid long-term policy

A domain sitting at p=none indefinitely has a DMARC record but no actual protection. This is the most common mistake in DMARC deployments: treating monitoring as the finish line instead of the first step.

## p=quarantine: the transitional enforcement policy

**p=quarantine** instructs receiving servers to treat failing messages with suspicion, typically by routing them to the recipient’s spam or junk folder instead of the inbox. The email isn’t blocked outright. It still arrives, just not where it normally would.

```

v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com

```

Exactly how “quarantine” is handled varies slightly by mail provider. Some flag the message as suspicious rather than moving it. Most, including Gmail and Outlook, send it to spam. Either way, the practical effect is the same: legitimate mail that fails authentication becomes harder for the recipient to see, which is why quarantine should only be set once you’re confident that all your known senders are properly configured.

**Why domains use quarantine as a middle step:**

- **It catches misconfigurations before they become bounces.** If a legitimate sender starts failing DMARC, the email lands in spam instead of disappearing entirely. You can catch the problem and fix it.
- **It builds confidence for reject.** Watching quarantine run cleanly for a few weeks is the clearest signal that you’re ready for full enforcement.
- **It can be applied gradually.** The `pct` tag lets you quarantine only a percentage of failing mail at first (more on this below).

## p=reject: full enforcement

**p=reject** is the strictest policy. It instructs receiving servers to block emails that fail DMARC authentication before they’re delivered at all. No inbox, no spam folder. The message is refused.

```

v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com

```

There are two common ways receiving servers implement reject:

- **Refusing at the SMTP connection.** The receiving server rejects the message during the initial connection, before it’s fully accepted. This is the more widely used method and the one recommended by most mail providers.
- **Accepting, then dropping.** The server accepts the message and then discards it silently or bounces it back to the sender. This happens less often but is still valid per the DMARC spec.

Reject is the end goal of any serious DMARC deployment. It’s also the policy where mistakes are the most visible. If a legitimate sender hasn’t been authenticated correctly, their mail won’t land in spam where it can be found. It simply won’t arrive, and there’s no soft failure to alert you.

## The pct and sp tags

Two additional tags let you control how a policy is applied, and both are worth knowing before you move past p=none.

**`pct` controls what percentage of failing mail gets the policy.** Rather than jumping straight to 100% enforcement, you can apply quarantine or reject to a smaller slice of failing traffic first.

```

v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@yourdomain.com

```

Messages outside that percentage are treated as if the policy were still p=none. This gives you a gradual ramp instead of an all-or-nothing switch, and it’s the safest way to move into enforcement if you’re not fully confident every sender is accounted for.

**`sp` sets a separate policy for subdomains.** Without it, subdomains inherit whatever policy you set for the main domain.

```

v=DMARC1; p=reject; sp=quarantine; rua=mailto:dmarc@yourdomain.com

```

This example enforces reject on the root domain while giving subdomains a softer quarantine policy, useful if a subdomain is managed by a different team or hasn’t been fully authenticated yet. Skipping this tag is a common gap: a domain can be fully locked down at p=reject while an unmonitored subdomain remains wide open to spoofing.

## How long the move from none to reject actually takes

There’s no fixed timeline in the DMARC spec, but rushing the rollout is the most common way legitimate email gets blocked. A defensible, commonly recommended pace looks like this:

- **Stay at p=none for at least 2 to 4 weeks**, and longer if your domain sends through several third-party tools (marketing platforms, CRMs, helpdesk software, invoicing tools). Use this window to review aggregate reports and confirm every legitimate sender is passing SPF or DKIM.
- **Move to p=quarantine once known senders are clean**, starting with a low `pct` value like 25 and increasing it as reports stay clear of legitimate traffic getting caught.
- **Advance to p=reject only after quarantine has run at 100% with no legitimate mail affected.** Most domains reach this stage anywhere from a few months to about a year after starting, depending on how many sending sources they need to authenticate.

![DMARC policy diagram showing three stages: p=none (monitoring), p=quarantine (partial enforcement), p=reject (full enforcement).](https://wpmailsmtp.com/wp-content/uploads/2026/07/dmarc-policy-escalation.png)Skipping steps is where most DMARC rollouts go wrong. A domain with a single email provider might move quickly. A domain sending through a dozen marketing, support, and transactional tools needs more time, because every one of those sources has to pass authentication before enforcement is safe.

## Common mistakes to avoid

- **Jumping straight to reject.** Publishing p=reject before confirming every legitimate sender is authenticated will bounce real email, sometimes without any warning.
- **Never leaving p=none.** A DMARC record with no enforcement policy provides visibility but no actual protection against spoofing.
- **Forgetting subdomains.** If `sp` isn’t set, an attacker can target a subdomain that hasn’t been locked down, even if the main domain is fully enforced.
- **Skipping the ramp.** Going from p=none to 100% reject in one step is riskier than stepping through `pct` values gradually.
- **Not re-checking after adding new senders.** A new marketing tool or transactional email service needs to pass SPF or DKIM before it’s added to your sending mix, or it will start failing DMARC the moment enforcement is active.

Skipping steps is where most DMARC rollouts go wrong. A domain with a single email provider might move quickly. A domain sending through a dozen marketing, support, and transactional tools needs more time, because every one of those sources has to pass authentication before enforcement is safe.

If your WordPress site is one of those sending sources, it’s worth checking early. WordPress’s default mail function sends through PHP mail() or whatever the server happens to be configured to use, which often fails SPF and DKIM alignment even when the rest of your domain is set up correctly. WP Mail SMTP routes WordPress mail through an authenticated SMTP connection instead, so your site’s own emails don’t become the one sender holding up your move to quarantine or reject.

[Fix Your WordPress Emails Now](https://wpmailsmtp.com/pricing/)

## FAQ

**What does DMARC p=none mean?** p=none means DMARC is in monitoring mode. Emails that fail authentication are still delivered normally, but you receive reports showing which sources are sending email as your domain and whether they’re passing checks.

**What’s the difference between DMARC quarantine and reject?** Quarantine sends failing emails to the recipient’s spam folder, so they’re still delivered but harder to see. Reject blocks failing emails before delivery, so they never arrive at all, not even in spam.

**How long should you stay on p=none?** At least 2 to 4 weeks, though domains with several third-party senders often need longer to confirm every source is properly authenticated before moving to enforcement.

**Does a DMARC policy affect deliverability?** p=none has no effect on deliverability. p=quarantine and p=reject can affect deliverability if any legitimate sender hasn’t been authenticated correctly, which is why both should only be applied gradually and after monitoring confirms your senders are clean.

## Next, Create a DMARC Record

Once you know which policy fits where you are in the rollout, publishing the record correctly matters just as much as choosing the right one. My guide on [how to create a DMARC record](https://wpmailsmtp.com/how-to-create-dmarc-record/) walks through adding the exact syntax to your DNS, step by step, so there’s no risk of a typo breaking your enforcement.

Ready to fix your emails? [Get started today](https://wpmailsmtp.com/pricing) with the best WordPress SMTP plugin. If you don’t have the time to fix your emails, you can get full White Glove Setup assistance as an extra purchase, and there’s a 14-day money-back guarantee for all paid plans.

If this article helped you out, please follow us on [Facebook](https://facebook.com/wpmailsmtp) and [Twitter](https://twitter.com/wpmailsmtp) for more WordPress tips and tutorials.

**Categories:** Uncategorized

---

