Skip to main content
BlogBest DMARC Policy for Small Business: none, quarantine, or reject?
Spf dkim dmarcDmarc policy

Best DMARC Policy for Small Business: none, quarantine, or reject?

Which DMARC policy should a small business actually run? A decision guide by risk level and industry, not just the none-to-reject rollout steps.

H
Hassan Razzaq

Email Infrastructure & DevOps Specialist

Updated Jul 14, 2026
8 min read

Best DMARC Policy for Small Business: none, quarantine, or reject?

TL;DR: For most small businesses, p=reject is the right end state: it's the only policy that actually stops someone from spoofing your domain. p=quarantine is a reasonable permanent choice only if you can't fully verify every legitimate sender. p=none should never be a long-term policy, since it's monitoring-only and blocks nothing. The decision isn't which policy to start with (always p=none); it's which policy to run once your reports are clean, and that depends on how much spoofing risk your business can tolerate.

DMARC's rollout path (start at p=none, move to p=quarantine, finish at p=reject) is well documented. What's less clear is the actual question business owners ask once the monitoring window ends: which policy should I actually run, permanently? This guide answers that, by business type and risk level, not by rollout step.

For the DNS setup itself (records, syntax, registrar steps), see SPF, DKIM & DMARC: The Complete Setup Guide. This post assumes your records are already published and focuses only on the policy decision.


The three DMARC policies, and what "best" actually means here

PolicyWhat it doesShould this be your permanent policy?
p=noneMonitors and reports; blocks nothingNo, this is a temporary observation phase, never an end state
p=quarantineSends failing mail to the recipient's spam folderSometimes, acceptable if you can't verify 100% of legitimate senders
p=rejectBounces failing mail before it's delivered at allYes, for almost every business: the only policy that actually stops spoofing

"Best" doesn't mean "most aggressive" by default. It means the strictest policy your sending setup can support without breaking legitimate mail. For most small businesses, that's p=reject, but the honest path there runs through p=quarantine first, and a few real situations justify staying at p=quarantine longer than the standard 4-8 week rollout.


Decision frame: which policy fits your business

Run p=reject if:

  • You send from a small, known set of systems (your email host, maybe one marketing tool, one CRM) that you can fully inventory
  • You handle customer payments, invoices, or sensitive data: the businesses attackers most want to spoof for phishing
  • You're in a regulated or trust-sensitive field: law, accounting, finance, healthcare, real estate
  • Your DMARC reports have been clean (no legitimate mail failing) for at least 2-4 weeks at p=quarantine

Stay at p=quarantine longer if:

  • You send from many third-party tools (multiple marketing platforms, several SaaS integrations, contractor-run campaigns) and can't yet confirm all of them are SPF/DKIM-aligned
  • You're actively onboarding a new sending tool and don't want a misconfiguration to bounce real mail during the transition
  • Your reports still show occasional legitimate failures, since p=reject at this stage would drop real customer-facing email

p=none is never the answer for "what should I run": It's the correct starting policy for every domain, for 2-4 weeks, purely to collect reports. If you're asking "which policy is best," you've already moved past the point where p=none is the right permanent answer, since it provides zero protection against spoofing, which is the entire point of DMARC.


Best DMARC policy by business type

Business typeRecommended end-state policyWhy
Law firms, accountants, consultantsp=rejectHigh-trust, high-impersonation-value targets. Clients act on emails claiming to be from you (wire instructions, document requests). Sending infrastructure is usually simple (one email host, maybe one e-signature tool), making full SPF/DKIM alignment easy to verify.
E-commerce / retailp=reject, verified carefully firstMultiple senders are common (email host, cart platform, shipping notifications, marketing automation). Inventory all of them before enforcing, but the payment-adjacent nature makes spoofing risk high enough to justify the effort.
Solo consultants / freelancersp=rejectSimplest sending setup of any business type: usually just one email host and maybe one invoicing tool. Fastest, easiest path to full enforcement.
Agencies managing client domainsp=reject per domain, rolled out individuallyEach client domain needs its own DMARC record and its own monitoring window. Don't copy one policy across domains with different sender setups.
Nonprofits and associationsp=quarantine acceptable if using several fundraising/event toolsMore third-party sending tools than a typical SMB (donation platforms, event software, volunteer coordination). Verify each is aligned before pushing to p=reject, but don't stop at p=none.

MailAfiniti

Your own domain email, set up in minutes

We handle all the technical bits. You just pick your domain and go.

Start Free Trial

What happens if you pick the wrong policy

Staying at p=none too long: zero protection. Attackers can spoof your domain indefinitely while you collect reports you're not acting on. p=none with reports nobody reads is functionally the same as having no DMARC record at all.

Jumping to p=reject too fast: legitimate mail bounces. If a marketing tool or CRM isn't properly aligned with SPF or DKIM, p=reject will silently drop real customer emails, including invoices, password resets, and marketing campaigns, with no warning beyond a bounce report most people never check. This is the single most common DMARC mistake and the reason the rollout window exists.

Staying at p=quarantine indefinitely without a reason: partial protection. Spoofed mail lands in spam instead of the inbox, which stops most casual phishing but doesn't stop a targeted attack. Some recipients check spam folders, and quarantine doesn't carry the same domain-reputation signal to receiving mail servers that full enforcement does.


How to check if you're ready to move to a stricter policy

Before tightening from p=quarantine to p=reject, confirm:

  1. Your DMARC reports show 100% alignment for at least 2-4 consecutive weeks: every legitimate sender passes SPF or DKIM.
  2. You've inventoried every sending source: email host, marketing platform, CRM, help desk, invoicing tool, and anything else that sends mail using your domain.
  3. No unexplained failures remain in your rua reports. An unexplained failure usually means a sender you forgot to authorize, not an attacker, but confirm before assuming either.

Not sure what your reports are actually saying? MailAfiniti's free DMARC record generator builds the correct policy string for wherever you are in this process and recommends the next step based on your current setup.


FAQ

What DMARC policy should a small business use?

p=reject should be the end goal for almost every small business, since it's the only policy that fully stops domain spoofing. Start at p=none to monitor for 2-4 weeks, move to p=quarantine once legitimate senders are identified, then reject once reports are clean. Businesses with complex, multi-tool sending setups (e-commerce, nonprofits with several fundraising platforms) may reasonably stay at p=quarantine longer while verifying every sender.

Is p=quarantine enough, or do I need p=reject?

p=quarantine sends failing mail to spam, which stops most casual phishing but not a targeted attack, since some recipients check spam folders and click anyway. p=reject bounces failing mail before delivery, which is the only policy that fully removes that risk. If your business handles payments, sensitive documents, or client trust (law, finance, accounting), p=reject is worth the extra setup verification.

How do I know when I'm ready to move from quarantine to reject?

Check your DMARC aggregate (rua) reports for 2-4 consecutive weeks. If every legitimate sender is passing SPF or DKIM alignment with no unexplained failures, you're ready. If you still see failures from a marketing tool or CRM you recognize, fix that sender's authentication first — don't reject until it's resolved.

Can I set different DMARC policies for different subdomains?

Yes. DMARC supports a separate policy for subdomains via the sp= tag (for example, sp=reject while the root domain runs p=quarantine). This is useful if a subdomain (like a marketing or testing subdomain) has different senders than your main domain and needs its own rollout timeline.

What's the risk of never moving past p=none?

None of DMARC's protection. p=none only reports on spoofing attempts, it doesn't stop them, so mail claiming to be from your domain still reaches the recipient's inbox exactly as if you had no DMARC record at all. The reporting is only useful if you act on it by tightening to p=quarantine and eventually p=reject.


MailAfiniti

Stop using Gmail for your business

From $1.50/mo. Your domain, your email, your reputation. Up and running today.

Start Free Trial

No credit card required to start.