DMARC Policy Guide: none vs quarantine vs reject

Problem

You have a DMARC record, but you are unsure whether the policy should be none, quarantine, or reject.

Symptoms

• A DMARC record exists, but you do not know when it is safe to enforce it.
• Some marketing or support platforms still fail SPF or DKIM alignment.
• You want to stop spoofing without accidentally blocking valid mail.

Top 3 Causes

1. Not all sending sources are known - You have not fully mapped which platforms send mail for the domain.
2. SPF/DKIM alignment is incomplete - Some legitimate senders still fail alignment.
3. No reporting-based rollout - The policy is being changed without using DMARC reports to validate impact.

Diagnose with DechoNet

• Email Deliverability Test to check SPF, DKIM, DMARC record presence, and the current policy value.
• DNS Lookup to verify that the _dmarc TXT record is published exactly as intended.

Resolution Checklist

• Start with p=none if you still need visibility into all legitimate sending sources.
• Make sure legitimate senders align with SPF or DKIM before increasing enforcement.
• Move to quarantine once spoofing risk is real and alignment is mostly stable.
• Move to reject only after your reporting shows strong coverage for legitimate mail.
• Re-test after each change and compare the record with actual mail flow reports.

When to Escalate

• Escalate to the mail platform owner if several teams use independent sending providers with no central inventory.
• If valid mail starts disappearing after tightening policy, roll back to a safer setting and fix alignment before re-enforcing.