Should I start with reject right away?

Usually no. If all legitimate mail sources are not aligned yet, a reject policy can block valid mail along with spoofed mail.

What does quarantine actually do?

It tells receivers to treat failing messages as suspicious, often placing them in spam or quarantine rather than fully accepting them.

Confirm SPF or DKIM alignment for legitimate senders and review DMARC reporting so you know which sources will be affected.

Views: 21

DMARC none vs quarantine vs reject: what each policy does and a 3-stage rollout to reach reject safely. Free instant DMARC record check, no sign-up.

Check your domain for this issue now

Free, no sign-up. Runs the exact check this guide describes and shows what to fix.

You have a DMARC record, but you are unsure whether the policy should be none, quarantine, or reject.

Not all sending sources are known - You have not fully mapped which platforms send mail for the domain.
SPF/DKIM alignment is incomplete - Some legitimate senders still fail alignment.
No reporting-based rollout - The policy is being changed without using DMARC reports to validate impact.

Email Deliverability Test to check SPF, DKIM, DMARC record presence, and the current policy value.
DNS Lookup to verify that the _dmarc TXT record is published exactly as intended.

Start with p=none if you still need visibility into all legitimate sending sources.
Make sure legitimate senders align with SPF or DKIM before increasing enforcement.
Move to quarantine once spoofing risk is real and alignment is mostly stable.
Move to reject only after your reporting shows strong coverage for legitimate mail.
Re-test after each change and compare the record with actual mail flow reports.

Escalate to the mail platform owner if several teams use independent sending providers with no central inventory.
If valid mail starts disappearing after tightening policy, roll back to a safer setting and fix alignment before re-enforcing.