A DMARC quarantine policy (p=quarantine) instructs receiving email servers to treat messages that fail SPF or DKIM authentication with suspicion. Instead of outright blocking and deleting the failed email, the receiving server will accept it but route it directly to the recipient's Spam or Junk folder to protect them from potential phishing attacks.
The DMARC Policy Spectrum
DMARC offers three enforcement levels:
| | What Happens to Failing Mail |
| | Delivered normally, reports sent to you |
| | Sent to recipient's spam/junk folder |
| | Blocked and deleted before delivery |
p=none: You watch. No protection for recipients. Good for initial setup only.
p=quarantine: You act cautiously. Suspicious mail is sandboxed, not destroyed. Legitimate emails that fail authentication still reach recipients, just in spam.
p=reject: Full enforcement. Unauthenticated mail never arrives. Maximum protection but zero margin for error.
Most organizations follow the path: none → quarantine → reject.
Why It Matters: Safe Testing Without Blackouts
The fear of p=reject is rational. One misconfigured SPF record, a forgotten email service, or a missed DKIM selector can silently block all outgoing mail.
p=quarantine eliminates that risk:
- Legitimate mail that fails still reaches recipients (in junk)
- You observe failures before committing to full rejection
- Recipients can rescue false positives from spam
- Attackers impersonating your domain get flagged, not rewarded
This makes quarantine the most professionally responsible deployment phase for organizations leaving monitor mode.
Decision Framework: When to Move to Quarantine
Move from p=none to p=quarantine when:
| |
| 2-4 weeks of aggregate data |
| Every service in SPF and DKIM |
| All sending sources covered |
| Selectors deployed for all streams |
| Reports show clean alignment |
Set up rua reporting first. Read 2-4 weeks of aggregate DMARC reports via your rua=mailto: address or a tool like MXToolbox. Once legitimate mail consistently passes, move to quarantine.
Do not skip p=none. Jumping directly to quarantine without auditing your mail streams risks quarantining your own emails.
Implementation Steps: Write the DMARC Record
Step 1: Build the TXT record value
- v=DMARC1 , Required version tag
- p=quarantine , The policy
- rua=mailto: , Aggregate report destination
- pct=10 , Apply policy to only 10% of failing mail initially
Step 2: Start with pct=10 Apply the policy to 10% of failures first. Increase to 25%, 50%, 100% over several weeks as reports confirm clean alignment.
Step 3: Add to DNS NameSilo DNS Manager → TXT → Host: _dmarc → paste value → TTL: 3600.
Step 4: Verify Run _dmarc.yourdomain.com through MXToolbox DMARC Lookup.
Step 5: Monitor Reports Watch your rua inbox. Any legitimate sender appearing in failures needs SPF/DKIM fixed before advancing to p=reject.
Common Mistakes
Staying on “quarantine” indefinitely: Quarantine is a transition phase, not a destination. After 30-90 days with clean reports, advance to p=reject.
Omitting the rua tag: Without aggregate reports, you're blind. Always include rua=mailto:.
Setting pct=100 immediately: Too aggressive. Start at 10% to catch unexpected failures safely.
What This Means for You
DMARC records are standard DNS TXT entries. NameSilo Email via Titan is fully compatible with DMARC enforcement, your sending domain just needs SPF, DKIM, and DMARC records aligned. Add your DMARC TXT record in NameSilo DNS Manager: Host _dmarc, Value your policy string.
Frequently Asked Questions
What does p=quarantine mean in DMARC?
Failed messages go to spam instead of being blocked.
Is DMARC quarantine better than reject?
Safer to deploy; reject is the ultimate security goal.
Will p=quarantine block my emails?
No, failing mail reaches spam, not the void.
How long should I stay on DMARC quarantine?
30-90 days while monitoring aggregate reports.
What happens if an email fails DMARC quarantine?
It goes to the recipient's spam/junk folder.
Do I need SPF and DKIM for DMARC?
Yes. DMARC evaluates SPF and DKIM alignment.
How do I check my DMARC record?
MXToolbox DMARC Lookup → _dmarc.yourdomain.com.
.png&w=3840&q=75)
.png&w=2048&q=75)
.png&w=3840&q=75)
.png&w=3840&q=75)