What Is DMARC Quarantine? p=quarantine Policy 2026

DMARC quarantine is a policy that instructs receiving mail servers to treat emails that fail DMARC authentication as suspicious. Instead of delivering them directly to the inbox, the receiving system typically places these messages in the spam or junk folder. This helps reduce the likelihood that users will interact with potentially fraudulent emails while still allowing administrators to monitor what is being blocked.

In the DMARC policy hierarchy, p=quarantine sits between p=none and p=reject. The p=none policy is used for monitoring, while p=reject fully blocks unauthenticated emails. Because of this, many organizations move to quarantine as a transitional enforcement stage before implementing full DMARC rejection.

The growing volume of Business Email Compromise (BEC) and phishing attacks has made DMARC enforcement increasingly important. For example, phishing remains one of the most common cyber threats, with over 1 million phishing attacks recorded in a single quarter of 2025 by the Anti-Phishing Working Group (APWG).

As attackers continue to exploit email to impersonate trusted domains, implementing policies such as DMARC quarantine helps organizations reduce spoofing risks and prepare for stricter enforcement of email authentication.

How is a DMARC Quarantine Policy Executed?

When a DMARC quarantine policy is active, receiving mail servers perform a series of authentication checks before deciding where to deliver an email. First, the server verifies whether the message passes SPF or DKIM authentication. These mechanisms confirm that the email was sent from a server authorized by the domain owner and that the message content hasn’t been altered.

Next, the server checks domain alignment. This means the domain used in the visible “From” address must match the domain authenticated through SPF or DKIM. If at least one method passes and the domains align correctly, the email is considered legitimate and is delivered to the recipient’s inbox.

However, if the message fails DMARC authentication, the quarantine policy is triggered. In this case, the receiving provider treats the email as suspicious and typically sends it to the spam or junk folder instead of the inbox, reducing the chances of users interacting with potentially fraudulent messages.

Common Pitfalls When Enforcing a DMARC Quarantine Policy

Shifting to a DMARC quarantine policy is a major step toward email authentication enforcement. But if the groundwork isn’t done properly, it can easily interrupt legitimate email communication.

Many organizations assume their email environment is simple, only to discover multiple hidden sending sources later. When SPF, DKIM, or alignment are not configured correctly, the quarantine policy can unintentionally affect genuine emails. Below are some of the most common issues organizations run into.

Incomplete Visibility Into All Email Sources

Another common issue occurs when organizations jump straight from p=none to p=quarantine without analyzing DMARC reports first.

The p=none policy is designed to collect aggregate reports from receiving servers. These reports help identify every system sending email on behalf of your domain. If this monitoring phase is skipped, unknown sending sources may remain hidden. Different departments often use SaaS tools, automated workflows, or legacy systems that send emails under the company domain. Without reviewing the reports, these sources remain unnoticed, and once quarantine is enabled, their emails may start failing authentication.

Deliverability and Domain Reputation Risks

Misconfigured DMARC policies can also impact overall email deliverability. Major mailbox providers evaluate authentication signals when determining whether to trust a domain.

If legitimate emails repeatedly fail DMARC checks, it can weaken the domain’s sending reputation. Over time, this may reduce inbox placement rates, even for messages that pass authentication later. Maintaining proper SPF, DKIM, and alignment is therefore critical before enforcing stricter DMARC policies.

Legitimate Emails Ending Up in Spam

One of the biggest risks is a legitimate email being flagged as suspicious. DMARC decisions rely heavily on SPF and DKIM authentication results. If SPF records are incomplete or the DKIM signature isn’t properly configured, the receiving server cannot confidently verify that the email is authorized.

DMARC also requires domain alignment. The domain visible in the From address must match the domain authenticated through SPF or DKIM. If this alignment check fails, DMARC treats the message as unauthenticated, even if SPF or DKIM technically passed.

When a quarantine policy is active, these emails are typically redirected to the spam or junk folder. As a result, important communications such as invoices, support responses, or operational messages may never reach the recipient’s inbox.

When Should You Use a DMARC Quarantine Policy?

A DMARC quarantine policy should be implemented only after an organization clearly understands how email is being sent from its domain. Moving to enforcement too early can cause legitimate emails to fail authentication and land in spam. The correct timing usually follows a monitoring phase with the p=none policy.

Several conditions should be met before enabling p=quarantine. Some of the important ones are:

• DMARC monitoring should be active long enough to capture normal email activity patterns. 
• All legitimate senders must be identified, including internal servers and external services.
• SPF records should authorize the correct sending infrastructure, and DKIM signing should be enabled wherever possible. 
• Third-party platforms must also be authenticated and aligned with the domain. 
• DMARC reports should show a low failure rate for legitimate messages.

The monitoring period can vary depending on the organization’s size and complexity. Smaller businesses often have simpler email environments and fewer sending sources. In these cases, a shorter monitoring window may be enough to understand the sending landscape. For example:

• Small businesses may require about 3 to 7 days of monitoring.
• Mid-sized organizations often benefit from 2 to 4 weeks of monitoring to capture different types of email activity.
• Large enterprises may need 1 to 2 months because they typically rely on many third-party services and internal systems.

The key goal is to ensure that authentication and alignment issues are resolved before enforcement begins. Once the sending infrastructure is verified and DMARC reports confirm stable results, organizations can safely move to a quarantine policy and begin enforcing stronger protection against domain spoofing.

Safe Rollout Checks Before Enabling DMARC Quarantine

Before enforcing quarantine, organizations should perform the following important checks to protect normal email operations:

Verify SPF and DKIM for All Sending Sources

Every system that sends email using your domain must pass authentication, so check that all authorized sending services are included in your SPF record and that DKIM signing is enabled where possible. Proper authentication ensures that legitimate messages pass DMARC validation.

Review DMARC Aggregate Reports

DMARC aggregate reports provide visibility into how your domain is being used for email. These reports reveal which servers are sending messages, how authentication checks are performing, and whether alignment requirements are met. Careful review of these reports with an XML Report Analyzer helps identify unknown sending sources or repeated authentication failures. Any legitimate service discovered here should be properly configured before moving to enforcement.

Start With a Gradual Enforcement Percentage

A gradual rollout helps reduce risk. DMARC allows domain owners to apply enforcement to only a portion of messages using the pct tag. For example: v=DMARC1; p=quarantine; pct=20

This means only 20 percent of failing messages will be quarantined. Organizations can slowly increase enforcement levels after confirming that legitimate mail flows are unaffected. A common progression is 20 percent, then 50 percent, and finally 100 percent enforcement.

Communicate With Internal Teams

Different departments may use external platforms to send emails. Marketing teams often run campaigns through automation tools. HR systems may send onboarding messages, and support teams rely on helpdesk platforms. Inform these teams about the DMARC rollout so they can confirm that their tools are properly authenticated and aligned with the domain.

Moving Toward DMARC Enforcement Safely

DMARC quarantine acts as the bridge between monitoring and full email protection. It allows organizations to start blocking suspicious messages while still observing how enforcement affects legitimate mail flows. When implemented correctly, the policy helps reduce phishing, domain spoofing, and business email compromise attacks without disrupting communication.

However, moving to quarantine should always follow careful preparation. Reviewing DMARC reports, validating SPF and DKIM alignment, and gradually increasing enforcement percentages can prevent deliverability issues. Once organizations are confident that all legitimate email sources are authenticated, they can safely progress toward a DMARC reject policy for stronger domain protection.

Frequently Asked Questions