DNS & Setup

DMARC p none to p quarantine migration. Step by step with dates

dmarc_migration · 2026-04-09T00:00:00Z

Exact timeline for migrating DMARC policy from p equals none to p equals quarantine without breaking deliverability. Day 1: set p none and monitor. Day 14:

dmarc_migration · 2026-04-09 · 1,890 views

Moving DMARC policy from p=none to p=quarantine is one of those changes that looks simple until you do it wrong and wreck your deliverability for a week. Here's the exact migration timeline I use across client domains.

Day 1: Set p=none and start monitoring. If you don't have DMARC at all yet, add a TXT record with v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com. The p=none policy tells receiving servers "report what you see but don't take action." This is the observation phase. You need real data before making policy changes.

Day 14: Check DMARC reports in Google Postmaster Tools. Two weeks of p=none gives you enough report data to understand your email flow. Look for SPF authentication rate (should be 95 percent+) and DKIM authentication rate (should be 95 percent+). If either is below 95 percent, you have alignment issues to fix before tightening policy.

Day 30: Move to p=quarantine if authentication is passing. If SPF and DKIM are both above 95 percent alignment, move your policy from p=none to p=quarantine. This tells receivers to send failing messages to spam instead of the inbox. Bump the percentage gradually: start with pct=25 for a week, then 50, then 100.

Day 60: Assess and consider p=reject. After a month on p=quarantine at 100 percent, check reports again. If authentication is still passing cleanly and you're not seeing legitimate messages being quarantined, you can consider moving to p=reject. p=reject is the strongest policy and tells receivers to bounce failing messages entirely.

Risks of moving too fast. The biggest mistake I see is people who hear that DMARC is important, set p=quarantine or p=reject immediately, and then watch their deliverability collapse because they had SPF or DKIM alignment issues they didn't know about. Every legitimate email that fails authentication gets quarantined or rejected. Transactional emails, forwarded emails, list messages. Everything breaks.

The monitoring phase isn't optional. The data you get from p=none is the only way to safely tighten policy. Skip that step and you're making changes blind.