DMARC policy levels: p=none, quarantine, reject and pct

Your DMARC policy is the p= tag in your _dmarc DNS record. It tells receivers what to do with mail from your domain that fails DMARC — that is, mail with neither aligned SPF nor aligned DKIM. There are three levels, designed to be adopted in order.

The three policy levels

p=none — monitor only

_dmarc.yourdomain.com.  TXT  "v=DMARC1; p=none; rua=mailto:<token>@rua.blankitt.com"

Failing mail is delivered as normal — nothing is blocked. The value of none is purely visibility: receivers still send aggregate reports, so you can see every source sending as your domain and whether it's aligned. This is always where you start. Point rua= at the inbound address in your Blankitt DMARC Settings so reports are ingested automatically.

p=quarantine — treat as suspicious

_dmarc.yourdomain.com.  TXT  "v=DMARC1; p=quarantine; rua=mailto:<token>@rua.blankitt.com"

Failing mail is treated as suspect — typically delivered to the spam/junk folder rather than the inbox. This is the first enforcing level. Move here only once your reports show legitimate mail is consistently aligned, so the only thing landing in spam is genuinely unauthenticated mail.

p=reject — block outright

_dmarc.yourdomain.com.  TXT  "v=DMARC1; p=reject; rua=mailto:<token>@rua.blankitt.com"

Failing mail is rejected at the receiver and never delivered. This is full protection against spoofing of your domain, and the end goal. It's also a prerequisite for some related features such as BIMI (your brand logo in inboxes), which requires an enforced policy.

The pct tag — a gradual ramp

The pct= tag applies your policy to only a percentage of failing mail, letting you ease into enforcement:

_dmarc.yourdomain.com.  TXT  "v=DMARC1; p=quarantine; pct=25; rua=mailto:<token>@rua.blankitt.com"

Here, 25% of failing mail is quarantined and the remaining 75% is treated as p=none. You can ramp up — 25%, 50%, 100% — watching your reports at each step for any legitimate sender that slips through. pct=100 (the default if omitted) applies the policy to all failing mail.

pct is most useful when stepping into quarantine; many organisations move to reject at pct=100 once quarantine has proven safe.

The safe progression

The recommended workflow — built into the Policy Progression Wizard on each Domain detail page — is:

1. Publish p=none and let reports accumulate for roughly 1–2 weeks.
2. Identify and align all legitimate senders — fix SPF includes and DKIM signing so every genuine source passes DMARC aligned. Use Offenders, vendor detection and Fix Groups to work through them.
3. Move to p=quarantine, optionally with a pct ramp, and monitor.
4. Move to p=reject once quarantine has held with no legitimate mail affected.

The Wizard tracks readiness with checklists for each stage (Monitor → Quarantine → Reject) and tells you the next step, while the Compliance Scorecard and grade show how close a domain is to safe enforcement.

Other tags you'll see alongside p=

• sp= — policy for subdomains (defaults to the same as p= if omitted).
• adkim / aspf — alignment mode, relaxed (default) or strict.
• rua= — aggregate report address (use your Blankitt inbound address).
• ruf= — forensic report address for individual failure samples; view these on the Forensic page.

The golden rule

Never tighten the policy while legitimate senders are still failing alignment. Doing so quarantines or blocks your own mail. Get alignment right under p=none first, then enforce — that's the entire point of progressing in stages rather than jumping straight to reject.