We're on p=quarantine and wondering if p=reject is safe
p=quarantine sends non-aligned mail to spam, p=reject makes receiving servers refuse it outright. Reject is stronger but less forgiving for send paths you forget about. Only move once your reports have been clean for weeks.
Try this first
- 1Read at least four weeks of DMARC aggregate reports via a tool like dmarcian, Postmark DMARC, Valimail or Mailhardener. You want 100 percent of legitimate volume showing SPF and DKIM aligned pass.
- 2Inventory all send sources that aren't aligned. These are often old scanners, MFP printers, a legacy CRM, or an ESP without DKIM config. Fix those first.
- 3Set pct=50 with p=reject first so half the traffic is rejected. Monitor for two weeks.
- 4If reports stay stable, move to pct=100 with p=reject. Drop pct because default is 100.
- 5Keep rua= reports going after cutover. A new SaaS sending on your behalf can show up without warning.
When to bring us in
If you send marketing and transactional via different infrastructure or you're mid-M&A, reject on the apex isn't always wise. Split paths first.
See also
- Our emails land in spam for some recipientsAlmost always an SPF, DKIM, or DMARC setting that is wrong or missing, or a sender name that mimics a well-known brand.
- Someone reports receiving phishing emails "from us"Read: spoofing. Someone is abusing your sender name, not necessarily your actual mailbox.
- An email bounces (NDR): delivery failedThe NDR text usually states the exact reason. Reading it is step one.
None of the above fits?
Describe your situation below. We pass your input plus the steps you already saw to our AI and return tailored next-step advice. If it's too risky to DIY, we'll say so.
Or skip the DIY entirely
Our Managed IT clients do not look these things up. One point of contact, a fixed monthly price, resolved within working hours.