DMARC Quarantine vs. DMARC Reject: Which Should You Implement?

Implementing a p=quarantine DMARC Policy

Quarantine lets the participating email receivers know that you would like them to treat email that fails the DMARC authentication check with extra caution. The email will still be accepted by the receiver, but the receiver will decide how they want to implement the quarantine policy.

  • Quarantine: If the email receiver has a quarantine mailbox, this is where the message will be delivered. It will then be up to the administrator of the mailbox to decide if the email gets delivered or thrown away.
  • Deliver to spam: If the email receiver hosts the recipient’s mailbox, then the receiver may have the option to deliver non-compliant email into the recipient’s spam folder. The recipient can then decide whether to move it to the inbox.
  • Aggressive anti-spam filtering: Most receivers will see quarantined messages as something that is spam-like and could add additional scoring to the message itself. This additional step would allow the receiver to block the message due to its high spam scoring.

Implementing a p=reject DMARC Policy

Setting a DMARC policy to p=reject ensures that malicious email failing the DMARC authentication check is stopped outright. As an added bonus, the intended recipient of the malicious email never becomes aware of it, because it is never sent to a spam or quarantine folder. Since the email is completely blocked, it is never delivered, and end users cannot be tricked into clicking a malicious link or opening a dangerous attachment.

So Which Should You Choose?

Which policy you choose is ultimately your organization's decision. Here at Agari, we recommend that all customers implement a p=reject policy to ensure complete protection for the recipients of your emails. That said, either policy is a much more secure option than p=none or no DMARC policy at all.
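
To check which of these policies a domain actually publishes, the sketch below (an added example, not Agari's code) parses a DMARC TXT record and reports its enforcement level. It goes beyond the p= tag discussed above by also flagging the standard pct= and sp= tags, which can weaken a quarantine or reject policy. The function names and the sample records are constructed for illustration.

```python
# Added example: audit a DMARC TXT record for its enforcement level.
ENFORCEMENT = {"none": 0, "quarantine": 1, "reject": 2}

def parse_dmarc(txt):
    """Split a DMARC record into a dict of lower-cased tag names to values."""
    tags = {}
    for part in txt.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    return tags

def audit(txt):
    """Return (policy, findings) for the TXT record at _dmarc.<domain>."""
    # The version tag must be the first tag in the record.
    if txt.split(";", 1)[0].replace(" ", "") != "v=DMARC1":
        return None, ["not a DMARC record: v=DMARC1 must come first"]
    tags = parse_dmarc(txt)
    policy = tags.get("p", "").lower()
    if policy not in ENFORCEMENT:
        return None, ["missing or invalid p= tag"]
    findings = []
    if policy == "none":
        findings.append("p=none: no quarantine or reject handling is requested")
    elif policy == "quarantine":
        findings.append("p=quarantine: failing mail is still accepted by receivers")
    # pct defaults to 100; a lower value applies the policy to a sample only.
    pct = tags.get("pct", "100")
    if policy != "none" and pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}: policy covers only {pct}% of failing mail")
    # sp overrides the policy for subdomains; it defaults to the p= value.
    sp = tags.get("sp", policy).lower()
    if ENFORCEMENT.get(sp, 0) < ENFORCEMENT[policy]:
        findings.append(f"sp={sp}: subdomains get a weaker policy")
    return policy, findings

# Constructed sample records (example.com is a placeholder domain).
SAMPLES = {
    "monitoring": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "quarantine": "v=DMARC1; p=quarantine; pct=50",
    "reject": "v=DMARC1; p=reject; sp=quarantine",
    "enforced": "v=DMARC1; p=reject",
    "broken": "p=reject; v=DMARC1",
}

if __name__ == "__main__":
    for label, record in SAMPLES.items():
        print(label, audit(record))
```

An empty findings list with a policy of reject corresponds to the fully enforced configuration recommended above.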





Agari is the Trusted Email Identity Company™, protecting companies and people from phishing and socially-engineered email attacks.