What Is a Quarantine Policy in DMARC?

Quarantine is one of the enforcement options defined in a DMARC policy. When a message fails DMARC authentication and the policy is set to p=quarantine, receiving mail servers are instructed to treat the message as suspicious rather than rejecting it outright. Typically, this means placing the message in the recipient’s spam or junk folder, allowing users to review it but preventing it from appearing in the primary inbox.

The quarantine policy strikes a balance between visibility and protection. It helps domain owners test DMARC enforcement without completely blocking potentially misconfigured but legitimate messages. Once all legitimate sources are properly authenticated, organizations often move from quarantine to a full reject policy for maximum protection against spoofing and phishing.

How the Quarantine Policy Works

When a receiving server checks a message against the sender’s DMARC record and finds that both SPF and DKIM fail to align, it consults the domain’s published policy to decide how to handle the message. If that policy includes p=quarantine, the message is delivered but marked as untrusted.

Example DMARC record with a quarantine policy:

In this configuration, mail that fails DMARC alignment is quarantined while the domain owner receives aggregate reports showing which messages passed or failed. This reporting enables administrators to fine-tune authentication settings and ensure legitimate traffic isn’t misclassified.

When to Use a Quarantine Policy

Most organizations adopt a phased approach to DMARC deployment. After an initial period of monitoring using p=none, they move to p=quarantine as an intermediate enforcement step. This allows for greater protection while still collecting data and validating legitimate senders.

Ideal situations for a quarantine policy include:

• Testing new authentication setups or vendor integrations
• Monitoring mail flow from third-party senders
• Gradually enforcing alignment before moving to p=reject
• Reducing spoofing exposure while preserving message visibility
• Educating internal users about suspicious message warnings

Mailbox providers interpret quarantine in slightly different ways. For example, Google and Microsoft typically deliver quarantined mail to the spam folder, but others may use custom filtering or tagging systems. Because of this, domain owners should review results across multiple providers to ensure consistent behavior.

Benefits and Limitations

A quarantine policy offers several operational advantages but also requires close monitoring to be effective.

• Provides protection against impersonation without risking false positives
• Allows gradual enforcement of DMARC policies
• Improves brand trust by signaling stronger security
• Requires continuous review of DMARC reports to identify misaligned legitimate senders
• Does not fully block fraudulent mail. Users can still access quarantined messages

Organizations should use quarantine as a stepping stone, not a permanent state. Once legitimate mail sources are confirmed, upgrading to p=reject provides the strongest defense against domain spoofing.

Quarantine and DMARCeye

DMARCeye simplifies the transition to a quarantine policy by giving organizations full visibility into how messages perform during enforcement. The platform analyzes which senders pass or fail authentication, tracks quarantined messages across providers, and identifies any legitimate traffic caught in filters.

DMARCeye’s visual reports help administrators adjust SPF, DKIM, and DMARC settings to ensure compliance and deliverability before moving to full rejection. With clear analytics and automated insights, it’s easier to safely progress from monitoring to enforcement without risking lost mail or business disruption.

Sign up for a free trial of DMARCeye today and secure your email domain.

To learn more about DMARC and DMARC-related terms, explore the DMARCeye Glossary.