Authentication

QuarantineDMARC Policy (p=quarantine)

Definition

Quarantine is the middle DMARC policy, set with p=quarantine, that tells receiving servers to treat mail failing authentication as suspicious rather than trusted. In practice most receivers route that mail to the spam or junk folder instead of the inbox. It sits between p=none (monitor only) and p=reject (block outright), and it is the usual second step on the path to full enforcement.

Failing mail is not blocked, it is filtered, usually to the spam folder
The exact action is the receiver’s choice; spam-foldering is most common
It is the safe middle step between p=none and p=reject
Use pct= to ramp the policy onto a fraction of failing mail

At a glance

Policy tag p=quarantine

Effect Failing mail treated as suspicious

Usual outcome Delivered to spam / junk

Sits between p=none and p=reject

Defined in RFC 7489

Ramp control pct= tag (percentage)

What quarantine actually does

A message “fails DMARC” when neither SPF nor DKIM passes and aligns with the visible From: domain. When that happens and you have published p=quarantine, you are telling the receiver: don’t trust this, but don’t throw it away either. The standard, RFC 7489, describes quarantine as a request to treat the message as suspicious, and it deliberately leaves the precise handling to the receiver.

In the real world that almost always means the spam or junk folder. Some receivers go further, adding a warning banner or holding the message for extra analysis. The key difference from p=reject is that the message is still accepted and delivered somewhere the recipient can find it, rather than refused at the door.

Quarantine as a stepping stone

The recommended DMARC rollout runs none to quarantine to reject. After you have read aggregate reports under p=none and confirmed your legitimate senders authenticate and align, quarantine is where you first apply real consequences while keeping a safety net: if you missed a source, its mail lands in spam rather than vanishing. The pct= tag lets you ease in further by applying the policy to only a share of failing mail.

A quarantine record ramping onto 50% of failing mail, with aggregate reports

v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc@example.com; adkim=s; aspf=s

Why quarantine is not the finish line

Quarantine protects your inbox-bound recipients, but it does not fully stop spoofing. A phishing message sent in your name still reaches the recipient’s account; it just lands in the spam folder, where a determined or careless user can still open it. Only p=reject refuses the forged message outright so it never arrives at all.

Quarantine is also a prerequisite, not a peak, for brand features. Both quarantine and reject satisfy the “enforced policy” bar that BIMI and a VMC require to show your logo in the inbox, but the strongest anti-spoofing protection still comes from moving all the way to reject once your reports are clean.

What quarantine does to a failing message

A message arrives claiming to be from your domain

The receiver checks SPF and DKIM alignment against From:

SPF aligned? DKIM aligned?

If either passes and aligns, the message passes DMARC and is delivered

If both fail, your p=quarantine policy applies

The receiver treats it as suspicious and routes it to spam

The three DMARC policies

	none	quarantine	reject
Action on failure	None, monitor only	Treat as suspicious	Block outright
Typical outcome	Delivered to inbox	Sent to spam	Refused at SMTP
Stops spoofing?	No	Partly	Yes
Risk to your mail	None	Spam-foldered if missed	Lost if missed
Role	Starting line	Middle step	Full enforcement

Common mistakes

Treating quarantine as full protection

Quarantine sends forged mail to spam, where it still reaches the account. Only p=reject refuses spoofed messages so they never arrive. Quarantine is a step, not the destination.

Jumping to quarantine before reading reports

If you enforce before confirming every legitimate source aligns, your own newsletters, CRM, and invoicing mail can land in recipients’ spam folders. Sit at p=none until your aggregate reports are clean.

Forgetting subdomains

A policy of p=quarantine covers the main domain, but unless you also set sp=, subdomains may inherit a weaker stance. Set an explicit subdomain policy to avoid a spoofing gap.

Frequently asked questions

Where does quarantined email go?

Almost always the recipient’s spam or junk folder. RFC 7489 leaves the exact handling to the receiver, so some add a warning label or hold the message for extra analysis instead, but the message is still accepted and delivered somewhere the recipient can reach, not refused.

Should I use quarantine or reject?

Use quarantine as the middle step while you confirm every legitimate sender authenticates and aligns. Once your aggregate reports are clean, move to p=reject for the strongest protection, since only reject stops a spoofed message from arriving at all.

Does quarantine satisfy BIMI requirements?

Yes. BIMI and a VMC require an enforced DMARC policy, and both p=quarantine and p=reject qualify (with pct=100). A policy of p=none does not, so quarantine is the minimum enforcement level that lets your logo display.

Sources & further reading

RFC 7489 · DMARC, including the quarantine policy disposition Google Email Sender Guidelines · DMARC requirements for bulk senders (Gmail)

Reviewed by Jennifer Jackson, Email Deliverability Analyst · June 2026 ← Back to glossary