DMARC glossary
What does p=quarantine mean in a DMARC record?

By Samuel Chenard · CEO & Co-Founder, Palisade · Reviewed July 15, 2026
p=quarantine tells receiving servers to treat messages that fail DMARC as suspicious — usually by routing them to the spam or junk folder instead of the inbox. It's the middle DMARC policy: stronger than none (which does nothing) but softer than reject (which blocks outright).
p=quarantine at a glance | |
|---|---|
| Tag | p (policy) |
| Valid values | none · quarantine · reject |
| Default | Required — there is no default policy value. |
| Where it goes | Immediately after v=DMARC1, e.g. v=DMARC1; p=quarantine; |
How p=quarantine works
quarantine is the first policy that actually does something to spoofed mail. Instead of delivering a failing message normally, the receiver sets it aside — in practice, the spam or junk folder. The message still exists, but it's out of the inbox and flagged as untrusted.
It's the natural second step in a DMARC rollout. After a spell on none confirms your legitimate senders all pass, moving to quarantine contains impersonation with a safety net: if you missed a legitimate source, its mail lands in spam rather than vanishing entirely.
Most teams pair quarantine with the pct tag during rollout to apply the policy to a slice of failing mail first, then ramp to 100% before graduating to reject.
Step 1
p=noneMonitor
Failing mail is still delivered — you only collect reports.
Step 2
p=quarantineContain
Failing mail is diverted to the spam or junk folder.
Step 3
p=rejectBlock
Failing mail is refused outright and never arrives.
Correct record vs common mistake
Correct
v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com; pct=100Full quarantine with reporting on — every failing message is diverted, and you still receive the data.
Common mistake
v=DMARC1; p=quarantine; pct=25pct=25 applies quarantine to only a quarter of failing mail — fine as a temporary rollout step, but left here, 75% of spoofed email still reaches the inbox.
Generate your DMARC record
Build the exact TXT record to publish — pick a policy, add a reporting address, copy. Free, no signup.
Used to show the exact host name to publish — the record itself doesn't contain it.
Start at none to observe, then tighten once reports look clean.
Where daily XML summaries are sent. Comma-separate multiple addresses.
Advanced options (sp, alignment, pct, ruf)
Subdomains inherit p unless you set this. Attackers love unused subdomains — reject is a strong choice once you're at enforcement.
Relaxed allows subdomain matches (mail.yourdomain.com signs for yourdomain.com). Strict requires an exact match — most domains should stay relaxed.
Same idea for the SPF (Return-Path) domain.
Applies quarantine/reject to a percentage of failing mail during rollout. Retired in DMARCbis — use briefly if at all.
Per-message failure samples. Rarely sent by large providers; contains message data.
Your DMARC record
Publish this as a TXT record in your DNS.
_dmarc.yourdomain.com
v=DMARC1; p=none;
Record type: TXT · TTL: your provider's default (e.g. 3600) is fine.
After you publish
- Add the TXT record at your DNS host and allow up to an hour for propagation.
- Verify it with the free DMARC checker.
- Watch your aggregate reports, fix SPF and DKIM for every legitimate sender, then step up to quarantine and reject.
Troubleshooting p=quarantine
| Issue | Likely cause | Fix |
|---|---|---|
| Legitimate mail landing in spam | A real sender isn't aligned — SPF or DKIM passes but for a different domain | Fix alignment for that source (correct SPF include or DKIM signing domain), then re-check reports |
| Spoofed mail still reaching inboxes | pct below 100 — the policy only samples a share of failing mail | Raise pct to 100 once your senders are clean, then plan the step to reject |
| Users report 'missing' email | Quarantined messages sit in spam/junk, not bounced | Check the spam folder and message headers; if it's legitimate, align the source rather than whitelisting one-off |
See this on your own domain
Enter your domain — the check runs instantly on the next page. Free, no signup.
Why it matters for MSPs
Quarantine is where a rollout can stall for years across a client base — “good enough,” so nobody pushes to reject. But spam-foldered spoofing is still spoofing: your client's brand can be impersonated, just one folder over. It's a waypoint, not a finish line.
Trusted by MSPs
“We increased our meetings booked by 21% and slept better at night knowing our emails are now secured”
Marc-André Campagna — CEO, gaiia (YC 2021)Read the case study →

































Enforce it — don't just monitor it
Palisade doesn't leave clients stuck at quarantine. It confirms every legitimate sender is aligned, then advances each domain to full reject on the evidence — across your whole tenant base at once.
Free 15-day trial · No credit card · Your own domain free forever (NFR)