DMARC has three policy levels, and they tell a story about organisational courage. p=none means "just send me reports." p=quarantine means "put failures in spam." p=reject means "refuse them outright." The standard's designers imagined a ladder: monitor, then quarantine, then reject. As of the 2026-07-05 snapshot of our daily DNS scan, the top of that ladder just lost its majority among enforcers: in June 2026, 114,824 domains published p=quarantine against 114,390 on p=reject — the first quarantine-over-reject crossover in the dataset's history.
The numbers come from 459,124 DMARC records observed across the Tranco top-1M, measured daily via OpenINTEL since 2016. The full policy breakdown — including the 234,559 domains (51%) still parked at p=none — updates nightly in our daily email infrastructure report.
Why the crossover happened
Both policies have grown steadily — enforcement in absolute terms has risen throughout the observation window, and 47.16% of DMARC domains now enforce (quarantine or reject at pct=100). The crossover is about the mix: new enforcers are disproportionately choosing quarantine and staying there. Three forces drive that choice:
- Asymmetric risk. A quarantined false positive lands in a spam folder, where a human can still rescue it. A rejected false positive bounces — visibly, loudly, sometimes to a customer or a board member. For the admin signing off on the change, quarantine caps the personal downside; reject does not.
- Diminishing perceived returns. Quarantine already removes the main spoofing pain: forged mail stops appearing in inboxes. Once the phishing complaints stop, the internal pressure that funded the DMARC project evaporates, and the reject migration quietly drops off the roadmap.
- Compliance thresholds stop at "not none." The bulk-sender requirements that Google and Yahoo introduced in February 2024 pushed thousands of organisations to publish DMARC, but policies beyond monitoring were their own decision — and many checklists treat quarantine as "done." We analyse the mandate's full effect in our two-year retrospective.
Is stopping at quarantine actually bad?
Honest answer: it depends whose mail is being forged. Against commodity spoofing, quarantine is nearly as effective as reject — the forged message goes to spam either way at most large mailbox providers. The gaps are at the edges:
- Spam folders still get read. A targeted phishing message sitting in quarantine can still be clicked by a user who checks their junk folder. Reject removes that possibility entirely.
- Some receivers treat quarantine softly. The policy is a request, not a command; a receiver may downgrade quarantine to "deliver with suspicion," while reject leaves less room for interpretation.
- BIMI requires reject. Brands that want their logo displayed next to messages need to finish the ladder — one of the few concrete carrots for going all the way.
Meanwhile, the elephant in the dataset is not the quarantine/reject split at all: it is the 51% of DMARC publishers enforcing nothing. A domain at p=none gets visibility but zero protection — we dissect that illusion separately.
When your recipient's domain — or more precisely, the domains you send from — sit at quarantine, alignment failures don't bounce. They land in spam folders silently. Your delivery dashboard says "delivered," your open rate says otherwise, and nothing in the SMTP transaction tells you which. That failure mode is invisible without placement testing.
The marketer's checklist in a quarantine-majority world
The crossover changes the texture of deliverability failures: expect fewer hard bounces and more silent spam-folder placements. Four practical responses:
- Verify SPF and DKIM alignment for every sending stream — especially third-party tools sending as your domain. Under quarantine, a misaligned tool doesn't error out; it just rots in junk folders.
- Read your own DMARC aggregate reports. They exist precisely to show which sources fail alignment before you tighten policy.
- If you own the DMARC policy: get to
p=quarantineatpct=100, then treat reject as a scheduled milestone with a date, not an aspiration. The ladder has a top for a reason. - Test placement, not just delivery. A seed test across major mailbox providers is the only direct way to see quarantine-style failures — messages that were accepted and then filed into spam.