DMARC Quarantine Policy (DMARC Quarantine)

Definition: The DMARC quarantine policy (p=quarantine) instructs receiving mail servers to treat emails failing DMARC authentication as suspicious. In practice, this means delivering them to the recipient's spam or junk folder rather than the inbox. It is the intermediate enforcement step between p=none (monitoring) and p=reject (blocking).

The Importance of DMARC Quarantine

Quarantine is the recommended stepping stone toward full DMARC enforcement. It provides real protection against spoofing (spoofed emails go to spam) while being less disruptive than reject if a legitimate email source is accidentally not authenticated. Users can still find misdelivered emails in their spam folder.

The pct tag allows a gradual quarantine rollout. A policy of p=quarantine; pct=25 applies quarantine to only 25% of failing messages, letting you monitor the impact before increasing coverage. This staged approach catches authentication gaps before they affect all email.

From the recipient's perspective, quarantined emails appear in the spam folder with a note that the message failed authentication. This is visible enough to cause concern if legitimate emails are quarantined, but recoverable, since the emails are not lost. Quarantine therefore strikes a good balance between security and operational safety during the DMARC deployment process.

How to Verify

A DNS health checker shows your DMARC policy. If you are on p=none and have analyzed aggregate reports for several weeks without finding unauthenticated legitimate sources, consider moving to p=quarantine. Start with pct=25 and increase gradually.
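
To gauge the effect of a staged rollout before raising pct, the following added example (not DomainOptic's code) parses a DMARC record and a trimmed aggregate report, lists the sources failing DMARC, and estimates how many messages the current policy would act on. The record, the report, the IP addresses and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample data: a DMARC TXT record and a trimmed aggregate report
# in the RFC 7489 XML layout. IP addresses are from documentation ranges.
RECORD = "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@example.com"
REPORT = """<feedback>
  <record><row><source_ip>192.0.2.10</source_ip><count>900</count>
    <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>80</count>
    <policy_evaluated><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row></record>
  <record><row><source_ip>203.0.113.5</source_ip><count>40</count>
    <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
</feedback>"""

def parse_dmarc(txt):
    """Return (policy, pct) from a DMARC TXT record; pct defaults to 100."""
    tags = dict(
        (k.strip().lower(), v.strip())
        for k, _, v in (part.partition("=") for part in txt.split(";"))
        if k.strip()
    )
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a valid DMARC policy record")
    pct = int(tags.get("pct", "100"))
    if not 0 <= pct <= 100:
        raise ValueError("pct must be between 0 and 100")
    return tags["p"], pct

def failing_sources(report_xml):
    """Return {source_ip: count} for rows where aligned DKIM and SPF both failed."""
    out = {}
    for row in ET.fromstring(report_xml).iter("row"):
        evaluated = row.find("policy_evaluated")
        # DMARC passes if either mechanism passes, so a failure needs both to fail.
        if evaluated.findtext("dkim") == "fail" and evaluated.findtext("spf") == "fail":
            ip = row.findtext("source_ip")
            out[ip] = out.get(ip, 0) + int(row.findtext("count"))
    return out

def rollout_impact(record, report_xml):
    """Estimate how many failing messages the published policy is applied to."""
    policy, pct = parse_dmarc(record)
    failing = failing_sources(report_xml)
    total = sum(failing.values())
    # Receivers apply pct as sampling, so this is an expected value, not exact.
    affected = total * pct // 100 if policy != "none" else 0
    return {"policy": policy, "pct": pct, "failing": failing, "expected_affected": affected}

if __name__ == "__main__":
    print(rollout_impact(RECORD, REPORT))
```

Any source listed under failing that turns out to be a legitimate sender needs SPF or DKIM fixed before pct is increased.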

DMARC Quarantine FAQ

How long should I stay on p=quarantine before moving to p=reject?
At least 2-4 weeks, longer if your email ecosystem is complex. Monitor DMARC aggregate reports to confirm no legitimate email is being quarantined. When reports show clean results at pct=100, you can move to p=reject.

Will recipients know their email was quarantined?
Emails will appear in the spam or junk folder. Some email providers show authentication failure details. Recipients looking for expected emails may check spam, but many will not, so quarantine is not as reliable for delivery as inbox placement.

Disclaimer: DomainOptic provides automated informational scans only. Results do not constitute professional security advice, compliance certification, or a guarantee of security. Always verify findings independently.