cd /news/cybersecurity/dmarc-p-none-vs-p-quarantine-vs-p-re… · home topics cybersecurity article
[ARTICLE · art-10752] src=dev.to ↗ pub= topic=cybersecurity verified=true sentiment=· neutral

DMARC p=none vs p=quarantine vs p=reject: what to use and when

The article explains the three DMARC policy options (p=none, p=quarantine, and p=reject) that control how receiving servers handle emails failing authentication from a domain. It recommends starting with p=none for monitoring, then progressing to p=reject once legitimate traffic is confirmed, as skipping directly to p=reject can accidentally block valid emails. The piece also notes that p=reject is the most secure option, used by major domains like Google and Microsoft to prevent spoofing.

read2 min views21 publishedMay 23, 2026

If you have set up DMARC on your domain, you have probably seen the p= tag and wondered what each value actually does. The difference matters a lot. The wrong policy can mean your legitimate emails get rejected, or that spoofed emails from your domain land in inboxes without any consequence. Here is what each policy does and how to decide which one to use. DMARC tells receiving mail servers what to do when an email claiming to be from your domain fails authentication. An email fails DMARC when it fails both SPF and DKIM alignment checks. The p= tag sets the policy for those failures. v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com This is the monitoring policy. When a message fails DMARC, nothing happens to it — it gets delivered normally. But you receive aggregate reports (via rua= ) showing you who is sending email from your domain and what is passing or failing. Use p=none when: p=none does not protect your domain from spoofing. Anyone can spoof your domain and the email will be delivered. The only benefit is visibility. v=DMARC1; p=reject; rua=mailto: Emails that fail DMARC are rejected outright. They do not arrive. The sending server gets a bounce. Use p=reject when: p=reject is the goal. It is what Google, Microsoft, and most large domains use. It is what blocks phishers from impersonating your brand. The standard path is: p=none and add an rua= address to receive reportsp=quarantine once you are confident in your legitimate trafficp=reject once you see no failures from legitimate sendersSkipping straight to p=reject without monitoring first is how organizations accidentally block their own transactional email. You can look up your current DMARC record and see exactly what policy you are running with InboxGreen's free DMARC checker. It will also flag any syntax issues and show you whether SPF and DKIM are passing alongside it. No login required.

── more in #cybersecurity 4 stories · sorted by recency
── more on @dmarc 3 stories trending now
sponsored brought to you by zahid.host 4,200+ EU-deployed projects
reading about agents? ship yours in a single git push.

Run your AI side-project on zahid.host

EU-based hosting, git-push deploys, automatic HTTPS, no cold starts. Free tier with a custom domain — perfect for shipping the agent you just read about.

$git push zahid main
Live at https://your-agent.zahid.host
Get free account → Pricing
from €0/mo · no card required
LIVE [news/dmarc-p-none-vs-p-qu…] indexed:0 read:2min 2026-05-23 ·