DMARC glossary

What does p=quarantine mean in a DMARC record?

Samuel Chenard

By Samuel Chenard · CEO & Co-Founder, Palisade · Reviewed July 15, 2026

p=quarantine tells receiving servers to treat messages that fail DMARC as suspicious — usually by routing them to the spam or junk folder instead of the inbox. It's the middle DMARC policy: stronger than none (which does nothing) but softer than reject (which blocks outright).

p=quarantine at a glance
Tagp (policy)
Valid valuesnone · quarantine · reject
DefaultRequired — there is no default policy value.
Where it goesImmediately after v=DMARC1, e.g. v=DMARC1; p=quarantine;

How p=quarantine works

quarantine is the first policy that actually does something to spoofed mail. Instead of delivering a failing message normally, the receiver sets it aside — in practice, the spam or junk folder. The message still exists, but it's out of the inbox and flagged as untrusted.

It's the natural second step in a DMARC rollout. After a spell on none confirms your legitimate senders all pass, moving to quarantine contains impersonation with a safety net: if you missed a legitimate source, its mail lands in spam rather than vanishing entirely.

Most teams pair quarantine with the pct tag during rollout to apply the policy to a slice of failing mail first, then ramp to 100% before graduating to reject.

Step 1

p=none

Monitor

Failing mail is still delivered — you only collect reports.

You are here

Step 2

p=quarantine

Contain

Failing mail is diverted to the spam or junk folder.

Step 3

p=reject

Block

Failing mail is refused outright and never arrives.

Monitoring onlyFull protection
A DMARC rollout moves left to right — from monitoring only, to containing spoofed mail, to blocking it outright.

Correct record vs common mistake

Correct

v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com; pct=100

Full quarantine with reporting on — every failing message is diverted, and you still receive the data.

Common mistake

v=DMARC1; p=quarantine; pct=25

pct=25 applies quarantine to only a quarter of failing mail — fine as a temporary rollout step, but left here, 75% of spoofed email still reaches the inbox.

Generate your DMARC record

Build the exact TXT record to publish — pick a policy, add a reporting address, copy. Free, no signup.

Used to show the exact host name to publish — the record itself doesn't contain it.

Start at none to observe, then tighten once reports look clean.

Where daily XML summaries are sent. Comma-separate multiple addresses.

Advanced options (sp, alignment, pct, ruf)

Subdomains inherit p unless you set this. Attackers love unused subdomains — reject is a strong choice once you're at enforcement.

Relaxed allows subdomain matches (mail.yourdomain.com signs for yourdomain.com). Strict requires an exact match — most domains should stay relaxed.

Same idea for the SPF (Return-Path) domain.

Applies quarantine/reject to a percentage of failing mail during rollout. Retired in DMARCbis — use briefly if at all.

Per-message failure samples. Rarely sent by large providers; contains message data.

Your DMARC record

Publish this as a TXT record in your DNS.

Host / Name

_dmarc.yourdomain.com

Value (TXT)

v=DMARC1; p=none;

Record type: TXT · TTL: your provider's default (e.g. 3600) is fine.

No rua address set — you'll get no aggregate reports, which means no visibility into who is sending as your domain. Add one before publishing.
p=none is monitoring mode: receivers report but deliver everything, including spoofed mail. It's the right starting point — plan to move to quarantine, then reject, once your reports show all legitimate senders passing.

After you publish

  1. Add the TXT record at your DNS host and allow up to an hour for propagation.
  2. Verify it with the free DMARC checker.
  3. Watch your aggregate reports, fix SPF and DKIM for every legitimate sender, then step up to quarantine and reject.

Troubleshooting p=quarantine

IssueLikely causeFix
Legitimate mail landing in spamA real sender isn't aligned — SPF or DKIM passes but for a different domainFix alignment for that source (correct SPF include or DKIM signing domain), then re-check reports
Spoofed mail still reaching inboxespct below 100 — the policy only samples a share of failing mailRaise pct to 100 once your senders are clean, then plan the step to reject
Users report 'missing' emailQuarantined messages sit in spam/junk, not bouncedCheck the spam folder and message headers; if it's legitimate, align the source rather than whitelisting one-off

See this on your own domain

Enter your domain — the check runs instantly on the next page. Free, no signup.

Why it matters for MSPs

Quarantine is where a rollout can stall for years across a client base — “good enough,” so nobody pushes to reject. But spam-foldered spoofing is still spoofing: your client's brand can be impersonated, just one folder over. It's a waypoint, not a finish line.

Trusted by MSPs

We increased our meetings booked by 21% and slept better at night knowing our emails are now secured
Marc-André CampagnaMarc-André Campagna CEO, gaiia (YC 2021)Read the case study →
Partner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner Logo

Enforce it — don't just monitor it

Palisade doesn't leave clients stuck at quarantine. It confirms every legitimate sender is aligned, then advances each domain to full reject on the evidence — across your whole tenant base at once.

Free 15-day trial · No credit card · Your own domain free forever (NFR)

Frequently asked questions

Quarantine delivers failing mail to the spam folder; reject refuses it entirely so it never arrives. Quarantine contains impersonation; reject eliminates it.

It sends messages that fail DMARC to spam — not your legitimate, aligned mail. Correctly configured, your real email is unaffected; only spoofed or misconfigured sources get quarantined.

Quarantine is the safer intermediate step while you confirm every sender passes. Once reports are clean, reject is the goal — quarantine is not meant to be permanent.

Related terms

What is DMARC? Email authentication explained