DMARC's p= tag controls what receivers do with messages that fail alignment. Three levels exist: none, quarantine and reject. Moving between them is the core of any DMARC rollout. This article explains each level in depth, the risks and benefits of each, how the pct= tag modulates enforcement, and how to choose where to sit at each stage of a UK business deployment.
| Policy | Effect on failing mail | Reporting | Role in rollout |
|---|---|---|---|
| none | Delivered as usual | Full aggregate reports | Monitoring-only initial state |
| quarantine | Sent to recipient's spam folder | Full aggregate reports | Intermediate enforcement |
| reject | Rejected at SMTP, never reaches inbox | Full aggregate reports | Full enforcement endpoint |
All three produce the same reporting — the difference is in action on failure. The domain owner chooses the action based on their deployment maturity and tolerance for blocking legitimate but misconfigured mail.
p=none — monitoring only

The lowest-friction policy. Every message claiming to be from your domain is delivered as it would be without DMARC — p=none takes no enforcement action. However, the full DMARC evaluation still happens, results are written into the Authentication-Results header, and aggregate reports are generated.
- From: domain still succeeds. Users receive phishing as they would without DMARC.
- p=none and consider the project "done". Enforcement has not actually started.
- quarantine or above.

_dmarc.firm.co.uk. IN TXT "v=DMARC1; p=none; rua=mailto:[email protected]; fo=1"

Minimal, monitoring-only, reports going to a mailbox you will actually process.
p=quarantine — route to spam

The intermediate policy. Messages that fail DMARC alignment are not rejected outright; they are delivered to the recipient's spam or junk folder. Recipients can still see them if they check spam; the policy is less disruptive than outright rejection.

_dmarc.firm.co.uk. IN TXT "v=DMARC1; p=quarantine; pct=100; rua=mailto:[email protected]; fo=1"

p=reject — refuse delivery

The full enforcement policy. Messages that fail DMARC alignment are rejected at the SMTP level — the receiving server returns a 550 response and does not deliver the message at all. From the end user's perspective, the forged mail simply never arrives.
- p=reject to p=quarantine or lower is visible in DMARC reports — takes at least a full TTL plus cache time to propagate.

_dmarc.firm.co.uk. IN TXT "v=DMARC1; p=reject; adkim=s; aspf=s; pct=100; rua=mailto:[email protected]; fo=1"

Full enforcement, strict alignment, full reporting. The steady-state target for domains taking authentication seriously.
pct= modulates enforcement

The pct= tag allows partial enforcement. Its value (0-100, default 100) is the percentage of failing mail on which the receiver applies the specified policy. The rest falls through to the next weakest policy level.
| Record | What happens to failing mail |
|---|---|
| p=quarantine; pct=25 | 25% quarantined, 75% delivered (treated as p=none) |
| p=quarantine; pct=50 | 50% quarantined, 50% delivered |
| p=quarantine; pct=100 | All quarantined |
| p=reject; pct=10 | 10% rejected, 90% quarantined (treated as p=quarantine) |
| p=reject; pct=50 | 50% rejected, 50% quarantined |
| p=reject; pct=100 | All rejected |
This cascading behaviour is a safety mechanism. Publishing p=reject; pct=10 means only 10% of failing mail is lost to outright rejection; the other 90% is merely deprioritised. A wrong move at pct=10 is 10x less damaging than at pct=100.
Note: DMARCbis is expected to deprecate pct=. Current behaviour is retained for backward compatibility.
A standard UK DMARC rollout for a mid-size organisation progresses as follows:
| Week | Policy | Notes |
|---|---|---|
| 0 | p=none | Publish monitoring record. Receive first aggregate reports. |
| 1-2 | p=none | Identify all senders from reports. Fix missing SPF and DKIM configurations. |
| 3 | p=quarantine; pct=25 | Begin soft enforcement. Monitor closely. |
| 4-5 | p=quarantine; pct=50 | Ramp up quarantine. Reports should show clean pass-rates on legitimate senders. |
| 6-7 | p=quarantine; pct=100 | Full quarantine. No inbox delivery for failing mail; it still lands in spam. |
| 8-10 | p=reject; pct=25 | Begin outright rejection. Start with 25% to limit blast radius. |
| 11-12 | p=reject; pct=50 | Half-reject, half-quarantine. Verify no new issues surface. |
| 13+ | p=reject; pct=100 | Full enforcement. Steady state for a mature deployment. |
For small UK domains with simple sender landscapes (a sole trader on a single hosting provider plus Mailchimp), the whole path compresses to 4-6 weeks. For large organisations with 30+ senders, it may take 4-6 months.
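The report review in weeks 1-2, and the check that reports are clean before each step up, can be scripted. The following is an added example, not part of the original article: it tallies a constructed aggregate report in the RFC 7489 XML layout by source IP, counting DMARC pass/fail and the disposition the receiver applied. The sample data and the function names `tally` and `failing_sources` are assumptions, and the code assumes a report without XML namespaces.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample report (documentation IP ranges, not real data).
# Published policy is p=quarantine; pct=25, so 12 of 48 failing messages are quarantined.
SAMPLE = """<feedback>
<policy_published><domain>firm.co.uk</domain><p>quarantine</p><pct>25</pct></policy_published>
<record><row><source_ip>192.0.2.10</source_ip><count>480</count><policy_evaluated>
  <disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
<record><row><source_ip>198.51.100.7</source_ip><count>36</count><policy_evaluated>
  <disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
<record><row><source_ip>198.51.100.7</source_ip><count>12</count><policy_evaluated>
  <disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
<record><row><source_ip>203.0.113.5</source_ip><count>5</count><policy_evaluated>
  <disposition>none</disposition><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row></record>
</feedback>"""

def tally(xml_text):
    """Per source IP: message counts by DMARC result and by applied disposition."""
    out = defaultdict(lambda: {"pass": 0, "fail": 0,
                               "none": 0, "quarantine": 0, "reject": 0})
    for row in ET.fromstring(xml_text).iter("row"):
        n = int(row.findtext("count"))
        pe = row.find("policy_evaluated")
        # DMARC passes when either the aligned DKIM or the aligned SPF result passes.
        ok = "pass" in (pe.findtext("dkim"), pe.findtext("spf"))
        src = out[row.findtext("source_ip")]
        src["pass" if ok else "fail"] += n
        src[pe.findtext("disposition")] += n
    return dict(out)

def failing_sources(xml_text, min_count=1):
    """Sources sending DMARC-failing mail: senders to fix, or forgers, before raising p=."""
    return sorted(ip for ip, s in tally(xml_text).items() if s["fail"] >= min_count)

if __name__ == "__main__":
    for ip, counts in tally(SAMPLE).items():
        print(ip, counts)
    print("review before raising policy:", failing_sources(SAMPLE))
```

A source that appears in `failing_sources` and belongs to a legitimate sender needs its SPF or DKIM fixed before the next policy step; one that does not belong to you is the mail enforcement is meant to stop.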
The p= tag controls mail claiming to come from the exact domain (firm.co.uk). Mail from subdomains ([email protected]) is governed by:
- _dmarc.mail.firm.co.uk), if one exists. This overrides all parent settings.
- sp= tag on the parent's DMARC record.
- p= value.

For production UK deployments, set both p= and sp= explicitly. A common pattern:

_dmarc.firm.co.uk. IN TXT "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; ..."

This locks down both the main domain and all subdomains without their own records. For cases where marketing sends from news.firm.co.uk and needs its own rollout, publish a dedicated _dmarc.news.firm.co.uk record with the subdomain's current policy.
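The subdomain precedence above and the pct= cascade from the earlier table can be checked together. This is an added example, not code from the original article: it resolves which policy governs a From: domain and computes the expected handling of failing mail. The zone contents and the function names are constructed, and the organisational domain is passed in by the caller because deriving it requires the Public Suffix List.

```python
# Constructed records for illustration; not a real zone.
ZONE = {
    "_dmarc.firm.co.uk": "v=DMARC1; p=reject; sp=quarantine; pct=10; "
                         "rua=mailto:reports@example.invalid",
    "_dmarc.news.firm.co.uk": "v=DMARC1; p=quarantine; pct=50",
}
# The policy that un-sampled failing mail falls through to.
WEAKER = {"reject": "quarantine", "quarantine": "none", "none": "none"}

def parse(record):
    """Split a DMARC TXT value into a tag dict; refuse records without v= and a valid p=."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in WEAKER:
        raise ValueError("not a valid DMARC record")
    return tags

def resolve(from_domain, org_domain, zone=ZONE):
    """Return (policy, pct, source) for mail whose From: domain is from_domain."""
    own = zone.get("_dmarc." + from_domain)
    if own:  # a record at the exact domain overrides the parent
        tags = parse(own)
        return tags["p"], int(tags.get("pct", 100)), "own record"
    tags = parse(zone["_dmarc." + org_domain])
    if from_domain != org_domain and "sp" in tags:
        return tags["sp"], int(tags.get("pct", 100)), "parent sp="
    return tags["p"], int(tags.get("pct", 100)), "parent p="

def expected_split(policy, pct, failing=1000):
    """Expected handling of `failing` unaligned messages under pct= sampling."""
    applied = failing * pct // 100
    split = {"none": 0, "quarantine": 0, "reject": 0}
    split[policy] += applied
    split[WEAKER[policy]] += failing - applied
    return split

if __name__ == "__main__":
    for domain in ("firm.co.uk", "news.firm.co.uk", "mail.firm.co.uk"):
        policy, pct, source = resolve(domain, "firm.co.uk")
        print(domain, policy, pct, source, expected_split(policy, pct))
```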
| Context | Baseline expectation |
|---|---|
| Central government (.gov.uk) | p=reject mandated by Cabinet Office |
| Local authorities | p=quarantine at minimum, target p=reject |
| NHS suppliers under DTAC | p=quarantine at minimum |
| Financial services | p=reject expected; FCA audits reference authentication controls |
| Mid-market UK SME | p=quarantine increasingly common; p=reject for mature deployments |
| Small business | p=none still common but p=quarantine recommended |
| Sole trader on hosted platform | Hosted platform defaults usually p=none, manual progression required |
Apply this decision tree:
- p=none for now.
- dmarc=pass consistently? No → fix the failures, stay at p=none.
- p=none with clean reports? Yes → progress to p=quarantine; pct=25.
- p=reject; pct=25.
- p=reject; pct=100, the steady state.

p=reject; adkim=s; aspf=s — full strict enforcement. Business Email, Private Email and Public Administration Email customers are given the DNS records needed to publish DMARC at their current chosen level, and guidance on progression through quarantine and reject.

p=none

A UK national charity published p=none in 2022 and never progressed. Three years later, the domain was being routinely spoofed by "Gift Aid reclaim" phishing. The IT team had published the record to meet an audit checkbox and considered the job done. Actual protection: zero. Resolution in 2025 required rolling up the charity's full sender inventory (marketing platform, donor CRM, events tool, Jisc Mail subscriptions) and progressing through quarantine to reject over six months.

p=reject

A 40-partner London law firm hired a DMARC consultant who pushed straight to p=reject in week two. On the first marketing newsletter send after the change, one in twelve messages was rejected because the firm had a legacy SendGrid account the marketing team used that had never had DKIM configured. Resolution: revert to p=quarantine, fix the SendGrid DKIM, wait two weeks, re-progress to p=reject. Three weeks of disruption for what should have been a four-month measured rollout.
A 12-person Manchester consultancy on SmartXHosting Business Email rolled out DMARC in four weeks: week 1 p=none, week 2 audit, week 3 p=quarantine, week 4 p=reject. The simple sender landscape (just SmartXHosting email plus Mailchimp) made fast progression safe. Reports showed 99.9% pass throughout.
- p=none and forgetting. The audit checkbox strategy — technically compliant, practically useless. Put p=none progression on the IT calendar.
- p=reject without monitoring. The most expensive DMARC mistake. Always at least a week of p=quarantine first.
- sp=. Subdomain mail bypasses your carefully-tuned parent policy.
- p=reject; pct=10 forever. A stalled progression at 10% rejection is worse than full quarantine — 10% of attackers get through unambiguously.
- p=reject, reverting to p=quarantine is the safety valve — but plan to re-progress, not to camp there forever.

Q: Can I go straight from p=none to p=reject?
A: Technically yes. Organisationally, almost never a good idea. Skipping p=quarantine means any missed sender goes from "delivered normally" to "rejected outright" in one step, with no intermediate signal. Use p=quarantine as a safety net.
Q: Does p=none count as "having DMARC"?
A: For the purposes of Google/Yahoo/Microsoft bulk sender rules, yes — any DMARC record counts. For actual protection against spoofing, no. p=none is a deployment stage, not a destination.
Q: What is the difference between p=quarantine and the receiver's native spam filter?
A: Native spam filters analyse content; p=quarantine acts on authentication failure regardless of content. They stack — a message failing DMARC quarantine but passing content filtering still lands in spam.
Q: If my mail lands in spam under p=quarantine, does that damage my sender reputation?
A: Yes. Spam folder landings feed into sender reputation algorithms. Sustained spam-folder landings accumulate negative reputation — one of the reasons full p=reject is arguably preferable to persistent p=quarantine.
Q: How do I see which policy receivers applied to my messages?
A: DMARC aggregate reports show the disposition column — "none", "quarantine" or "reject" — per message record.
Q: Can a receiver override my policy?
A: Yes — the policy is a request, not a command. Some large receivers override to deliver when local signals (user has actively corresponded with sender) suggest the message is legitimate despite DMARC failure. Reports still show what the receiver actually did.
Q: Does p=reject protect against display-name spoofing?
A: No. DMARC validates the From: domain, not the display name. An attacker can send from any other domain with the display name "John Doe (CEO)" and DMARC will not block them.
Q: Are there any scenarios where p=none is genuinely the right long-term policy?
A: Rarely. Some legacy domains with intractable sender inventories use p=none permanently for visibility without commitment. Most modern UK deployments should progress past it.
Q: Does my subscription email (marketing, newsletters) need the same policy level as my main business mail?
A: Not necessarily — often it has its own subdomain and its own DMARC. Marketing subdomains may stay at p=quarantine longer than the main firm.co.uk, because missed senders there cost less than missed senders on the main corporate domain.
Q: How often do receivers apply DMARC policies? Is it every message?
A: Every message that fails DMARC alignment. The percentage tag modulates this — at pct=50, the receiver applies the specified policy to half of failing mail and the weaker policy to the other half. Receivers use random selection; which specific message falls under which policy is not predictable.
Q: What happens at pct=0?
A: Zero percent of failing mail receives the specified policy — equivalent to publishing p=none. Rarely useful; if you mean to disable enforcement, use p=none directly.
Q: If a message fails alignment for both SPF and DKIM, does pct still modulate?
A: Yes. The pct= tag applies to the ultimate enforcement decision regardless of which authentication pathway failed.
Q: Can a UK public sector domain publish p=none?
A: They can, but they fail NCSC Mail Check and GOV.UK mail policy requirements. For accredited government domains, p=quarantine is the floor and p=reject is the expected end state.
Q: Is p=reject with pct=50 the same as p=quarantine?
A: Not quite. At p=reject; pct=50, 50% of failing mail is rejected outright and 50% is treated as p=quarantine (sent to spam). At p=quarantine; pct=100, 100% of failing mail is sent to spam and none is rejected. Different enforcement profiles.
Q: Will different receivers apply my policy differently?
A: Slightly. Gmail, Microsoft 365, Yahoo, Fastmail and most European receivers honour DMARC policies strictly. Smaller receivers may apply local judgement alongside DMARC. Overall the variance is small — most receivers enforce what you ask.
Q: Does changing the DMARC policy level require a DNS TTL wait?
A: Yes. After publishing a new policy, receivers that cached the old policy continue using it until their cache expires. Set a moderate TTL (one hour is typical) on your DMARC record so policy changes propagate quickly during rollout.
Q: Can I experiment with p=reject on a throwaway subdomain first?
A: Yes, and this is sometimes useful. Route a small share of marketing or transactional mail through test.firm.co.uk with its own p=reject DMARC while the parent stays at p=quarantine. Observe how receivers respond before committing the parent domain.