When to move from p=quarantine to p=reject

Moving from p=quarantine to p=reject is the final enforcement step. It tells receiving servers to block unauthenticated emails entirely — they won't reach the inbox or spam folder.

When you're ready

  • Stable on quarantine for 14+ days — no reports of legitimate mail going to spam
  • Pass rate above 99% across at least 100 messages
  • All senders reviewed — no unknown senders in reports
  • No forwarding concerns — you've accounted for email forwarding and mailing list behavior
  • Organizational buy-in — stakeholders understand that reject blocks mail permanently, not just sends it to spam
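The readiness criteria above can be checked mechanically against the aggregate (RUA) reports you already receive at p=quarantine. The following is an added example, not part of this page: it parses a constructed aggregate report, treats a message as passing when the aligned DKIM or SPF result is `pass`, and lists the blockers to moving to p=reject. The sample report, the IP addresses and the `KNOWN_SENDERS` list are assumptions for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample aggregate report, trimmed to the elements used below.
SAMPLE_REPORT = """<feedback>
  <policy_published><domain>example.com</domain><p>quarantine</p><pct>100</pct></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>90</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
  </row></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>30</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated>
  </row></record>
  <record><row><source_ip>203.0.113.5</source_ip><count>1</count>
    <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
  </row></record>
</feedback>"""

# Assumed: the operator keeps a reviewed list of IPs belonging to approved sending services.
KNOWN_SENDERS = {"192.0.2.10", "198.51.100.7"}


def summarize(report_xml, known_senders):
    """Count messages, aligned passes, and source IPs that nobody has reviewed yet."""
    root = ET.fromstring(report_xml)
    total = passed = 0
    unknown = set()
    for row in root.iter("row"):
        count = int(row.findtext("count"))
        evaluated = row.find("policy_evaluated")
        # DMARC passes when either aligned identifier authenticates.
        dmarc_pass = "pass" in (evaluated.findtext("dkim"), evaluated.findtext("spf"))
        total += count
        passed += count if dmarc_pass else 0
        ip = row.findtext("source_ip")
        if ip not in known_senders:
            unknown.add(ip)
    rate = passed / total if total else 0.0
    return {"total": total, "passed": passed, "pass_rate": rate, "unknown": sorted(unknown)}


def ready_for_reject(summary, min_messages=100, min_pass_rate=0.99):
    """Apply the page's thresholds; an empty list means no blocker was found."""
    blockers = []
    if summary["total"] < min_messages:
        blockers.append(f"only {summary['total']} messages observed (need {min_messages})")
    if summary["pass_rate"] < min_pass_rate:
        blockers.append(f"pass rate {summary['pass_rate']:.2%} below {min_pass_rate:.0%}")
    if summary["unknown"]:
        blockers.append("unreviewed source IPs: " + ", ".join(summary["unknown"]))
    return blockers
```

An unreviewed IP that fails authentication may be a spoofer or a forgotten legitimate service; the check refuses to decide that for you, which is the point of the "all senders reviewed" criterion.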

What happens when you switch

  • Emails that fail DMARC are rejected outright — the sender gets a bounce notification
  • Recipients never see the failed email, even in spam
  • Spoofing of your domain is effectively blocked
  • This is the strongest DMARC protection level

Risks

Reject is permanent for each message — there's no spam folder to recover from. If a legitimate sender isn't properly authenticated, their emails will bounce and the sender will see a delivery failure. This is harder to diagnose than quarantine because recipients don't know the email was attempted.

  • Silent failures — unlike quarantine, recipients won't see rejected mail in their junk folder, so they can't report the problem
  • New senders — if your organization starts using a new email service, it must be configured for SPF/DKIM before it can send as your domain
  • Forwarding — forwarded mail that breaks DKIM will be rejected by the final recipient's server

Rollout checklist

  1. Confirm quarantine has been stable for at least 14 days with no legitimate mail affected
  2. Notify your organization that reject is being enabled
  3. Consider starting with pct=25 to reject only 25% of failing mail; the remaining failing mail is handled as if the policy were quarantine
  4. Monitor reports closely for 5-7 days
  5. Gradually increase to pct=100
  6. Document the process for adding new senders so future services are configured before going live

How to roll back

Change to p=quarantine or p=none. DNS propagation takes minutes to hours. During the transition, some servers may still reject mail based on the cached p=reject record until it expires.