When should I move to p=quarantine or p=reject?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

There's a common mistake here: people move to enforcement because they feel ready, not because the data says they are. Your DMARC aggregate reports (RUA) are the only reliable signal for when it's actually time to move.

The signal you're looking for: nearly all of your legitimate sending sources are passing DMARC alignment in your RUA data. Not most of them. All of them. Your marketing ESP, your transactional provider, your CRM, any automation tools: all showing consistent pass results, week after week.

Before moving to p=quarantine, check these:

  • Every service that sends on your behalf is authenticated and aligned in the reports.
  • No mystery IP addresses are appearing that you can't identify and explain.
  • SPF and DKIM are both configured. DMARC only needs one to pass, but having both means you're covered if one breaks temporarily.

Once you're at quarantine and nothing's breaking after a few weeks of RUA data, you can move to p=reject. The risk of moving too early: legitimate emails go to spam or get rejected outright. That's especially painful for automated mail (password resets, invoices, shipping confirmations) that you may have forgotten to authenticate.

So if If you want a second pair of eyes on your RUA data before making the call, the SOS hotline is free.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Get a recommendation based on what your DMARC reports are showing.

I'm trying to figure out if I'm ready to move my DMARC policy from p=none to p=quarantine (or from quarantine to p=reject). I need help reading the signals from my setup. My details: - My current DMARC policy: none / quarantine / reject - How long I've had DMARC set up: e.g. 3 weeks, 2 months - What my RUA reports show: [describe what you're seeing: which IPs are passing, which are failing, anything unexpected] - Services that send on my behalf: list all: ESP, CRM, transactional, helpdesk, etc. - Do any of those services show up as failing in your reports?: yes/no, which ones - Any mystery IPs in your reports you can't identify?: yes/no - Sending volume: e.g. 5,000/month or 500/day - Domain: your sending domain Based on this, am I ready to move to the next enforcement stage? What should I fix first if not? And what's the safest way to make the change?

Edit the yellow boxes, then send to the AI of your choice.