← Back to Learn Decisions

When to move from p=none to p=quarantine

Moving from p=none (monitoring) to p=quarantine is the first real enforcement step. It tells receiving mail servers to send unauthenticated emails to spam instead of delivering them normally.

When you're ready

  • All senders reviewed — every IP sending as your domain has been identified as either legitimate or unauthorized. No unknown senders remain in your reports.
  • Pass rate above 99% — nearly all legitimate email passes both SPF and DKIM alignment.
  • At least 7 days of report data — you've seen a full week of sending patterns, including any periodic senders (weekly newsletters, billing systems, etc.).
  • SPF and DKIM configured for all legitimate senders — every service that sends on your behalf is properly authenticated.

What happens when you switch

  • Emails that fail DMARC will be delivered to spam/junk folders instead of the inbox
  • Legitimate mail that isn't properly authenticated will also go to spam
  • Spoofed emails claiming to be from your domain will be quarantined
  • You'll still receive DMARC aggregate reports showing what's happening

Risks

If you switch too early, legitimate mail from services you haven't configured (marketing tools, CRM systems, legacy applications) will go to spam. Recipients won't see these emails unless they check their junk folder.

  • Missed senders — a service that sends infrequently (monthly invoices, annual notices) may not have appeared in your reports yet
  • Forwarding breakage — email forwarding services strip original authentication. Mail forwarded from your domain may start failing.
  • Mailing lists — some mailing lists modify messages in ways that break DKIM signatures

Rollout checklist

  1. Confirm all senders are reviewed in Senders
  2. Check Diagnostics for the recommendation status
  3. Consider starting with pct=25 to apply quarantine to only 25% of failing mail
  4. Monitor reports for 3-5 days after the change
  5. If no legitimate mail is affected, increase to pct=50, then pct=100
  6. Once stable at pct=100, remove the pct tag (defaults to 100)

How to rollback

Change your DMARC record back to p=none. This takes effect as soon as receiving servers pick up the new DNS record (usually minutes to hours). All mail will be delivered normally again while you investigate.

Related: How to identify legitimate senders · Run diagnostics