{"slug": "dmarc-p-none-vs-p-quarantine-vs-p-reject-what-to-use-and-when", "title": "DMARC p=none vs p=quarantine vs p=reject: what to use and when", "summary": "The article explains the three DMARC policy options (p=none, p=quarantine, and p=reject) that control how receiving servers handle emails failing authentication from a domain. It recommends starting with p=none for monitoring, then progressing to p=reject once legitimate traffic is confirmed, as skipping directly to p=reject can accidentally block valid emails. The piece also notes that p=reject is the most secure option, used by major domains like Google and Microsoft to prevent spoofing.", "body_md": "If you have set up DMARC on your domain, you have probably seen the p=\ntag and wondered what each value actually does. The difference matters a lot. The wrong policy can mean your legitimate emails get rejected, or that spoofed emails from your domain land in inboxes without any consequence.\nHere is what each policy does and how to decide which one to use.\nDMARC tells receiving mail servers what to do when an email claiming to be from your domain fails authentication. An email fails DMARC when it fails both SPF and DKIM alignment checks.\nThe p=\ntag sets the policy for those failures.\nv=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com\nThis is the monitoring policy. When a message fails DMARC, nothing happens to it — it gets delivered normally. But you receive aggregate reports (via rua=\n) showing you who is sending email from your domain and what is passing or failing.\nUse p=none\nwhen:\np=none\ndoes not protect your domain from spoofing. Anyone can spoof your domain and the email will be delivered. The only benefit is visibility.\nv=DMARC1; p=reject; rua=mailto:\nEmails that fail DMARC are rejected outright. They do not arrive. The sending server gets a bounce.\nUse p=reject\nwhen:\np=reject\nis the goal. It is what Google, Microsoft, and most large domains use. It is what blocks phishers from impersonating your brand.\nThe standard path is:\np=none\nand add an rua=\naddress to receive reportsp=quarantine\nonce you are confident in your legitimate trafficp=reject\nonce you see no failures from legitimate sendersSkipping straight to p=reject\nwithout monitoring first is how organizations accidentally block their own transactional email.\nYou can look up your current DMARC record and see exactly what policy you are running with InboxGreen's free DMARC checker. It will also flag any syntax issues and show you whether SPF and DKIM are passing alongside it.\nNo login required.", "url": "https://wpnews.pro/news/dmarc-p-none-vs-p-quarantine-vs-p-reject-what-to-use-and-when", "canonical_source": "https://dev.to/inboxgreen/dmarc-pnone-vs-pquarantine-vs-preject-what-to-use-and-when-51kd", "published_at": "2026-05-23 04:42:27+00:00", "updated_at": "2026-05-23 05:36:58.016567+00:00", "lang": "en", "topics": ["cybersecurity"], "entities": ["DMARC", "SPF", "DKIM", "Google", "Microsoft"], "alternates": {"html": "https://wpnews.pro/news/dmarc-p-none-vs-p-quarantine-vs-p-reject-what-to-use-and-when", "markdown": "https://wpnews.pro/news/dmarc-p-none-vs-p-quarantine-vs-p-reject-what-to-use-and-when.md", "text": "https://wpnews.pro/news/dmarc-p-none-vs-p-quarantine-vs-p-reject-what-to-use-and-when.txt", "jsonld": "https://wpnews.pro/news/dmarc-p-none-vs-p-quarantine-vs-p-reject-what-to-use-and-when.jsonld"}}