Best DMARC Policy for Small Business: none, quarantine, or reject?
Which DMARC policy should a small business actually run? A decision guide by risk level and industry, not just the none-to-reject rollout steps.
Best DMARC Policy for Small Business: none, quarantine, or reject?
TL;DR: For most small businesses,
p=rejectis the right end state: it's the only policy that actually stops someone from spoofing your domain.p=quarantineis a reasonable permanent choice only if you can't fully verify every legitimate sender.p=noneshould never be a long-term policy, since it's monitoring-only and blocks nothing. The decision isn't which policy to start with (alwaysp=none); it's which policy to run once your reports are clean, and that depends on how much spoofing risk your business can tolerate.
DMARC's rollout path (start at p=none, move to p=quarantine, finish at p=reject) is well documented. What's less clear is the actual question business owners ask once the monitoring window ends: which policy should I actually run, permanently? This guide answers that, by business type and risk level, not by rollout step.
For the DNS setup itself (records, syntax, registrar steps), see SPF, DKIM & DMARC: The Complete Setup Guide. This post assumes your records are already published and focuses only on the policy decision.
The three DMARC policies, and what "best" actually means here
| Policy | What it does | Should this be your permanent policy? |
|---|---|---|
p=none | Monitors and reports; blocks nothing | No, this is a temporary observation phase, never an end state |
p=quarantine | Sends failing mail to the recipient's spam folder | Sometimes, acceptable if you can't verify 100% of legitimate senders |
p=reject | Bounces failing mail before it's delivered at all | Yes, for almost every business: the only policy that actually stops spoofing |
"Best" doesn't mean "most aggressive" by default. It means the strictest policy your sending setup can support without breaking legitimate mail. For most small businesses, that's p=reject, but the honest path there runs through p=quarantine first, and a few real situations justify staying at p=quarantine longer than the standard 4-8 week rollout.
Decision frame: which policy fits your business
Run p=reject if:
- You send from a small, known set of systems (your email host, maybe one marketing tool, one CRM) that you can fully inventory
- You handle customer payments, invoices, or sensitive data: the businesses attackers most want to spoof for phishing
- You're in a regulated or trust-sensitive field: law, accounting, finance, healthcare, real estate
- Your DMARC reports have been clean (no legitimate mail failing) for at least 2-4 weeks at
p=quarantine
Stay at p=quarantine longer if:
- You send from many third-party tools (multiple marketing platforms, several SaaS integrations, contractor-run campaigns) and can't yet confirm all of them are SPF/DKIM-aligned
- You're actively onboarding a new sending tool and don't want a misconfiguration to bounce real mail during the transition
- Your reports still show occasional legitimate failures, since
p=rejectat this stage would drop real customer-facing email
p=none is never the answer for "what should I run":
It's the correct starting policy for every domain, for 2-4 weeks, purely to collect reports. If you're asking "which policy is best," you've already moved past the point where p=none is the right permanent answer, since it provides zero protection against spoofing, which is the entire point of DMARC.
Best DMARC policy by business type
| Business type | Recommended end-state policy | Why |
|---|---|---|
| Law firms, accountants, consultants | p=reject | High-trust, high-impersonation-value targets. Clients act on emails claiming to be from you (wire instructions, document requests). Sending infrastructure is usually simple (one email host, maybe one e-signature tool), making full SPF/DKIM alignment easy to verify. |
| E-commerce / retail | p=reject, verified carefully first | Multiple senders are common (email host, cart platform, shipping notifications, marketing automation). Inventory all of them before enforcing, but the payment-adjacent nature makes spoofing risk high enough to justify the effort. |
| Solo consultants / freelancers | p=reject | Simplest sending setup of any business type: usually just one email host and maybe one invoicing tool. Fastest, easiest path to full enforcement. |
| Agencies managing client domains | p=reject per domain, rolled out individually | Each client domain needs its own DMARC record and its own monitoring window. Don't copy one policy across domains with different sender setups. |
| Nonprofits and associations | p=quarantine acceptable if using several fundraising/event tools | More third-party sending tools than a typical SMB (donation platforms, event software, volunteer coordination). Verify each is aligned before pushing to p=reject, but don't stop at p=none. |
MailAfiniti
Your own domain email, set up in minutes
We handle all the technical bits. You just pick your domain and go.
What happens if you pick the wrong policy
Staying at p=none too long: zero protection. Attackers can spoof your domain indefinitely while you collect reports you're not acting on. p=none with reports nobody reads is functionally the same as having no DMARC record at all.
Jumping to p=reject too fast: legitimate mail bounces. If a marketing tool or CRM isn't properly aligned with SPF or DKIM, p=reject will silently drop real customer emails, including invoices, password resets, and marketing campaigns, with no warning beyond a bounce report most people never check. This is the single most common DMARC mistake and the reason the rollout window exists.
Staying at p=quarantine indefinitely without a reason: partial protection. Spoofed mail lands in spam instead of the inbox, which stops most casual phishing but doesn't stop a targeted attack. Some recipients check spam folders, and quarantine doesn't carry the same domain-reputation signal to receiving mail servers that full enforcement does.
How to check if you're ready to move to a stricter policy
Before tightening from p=quarantine to p=reject, confirm:
- Your DMARC reports show 100% alignment for at least 2-4 consecutive weeks: every legitimate sender passes SPF or DKIM.
- You've inventoried every sending source: email host, marketing platform, CRM, help desk, invoicing tool, and anything else that sends mail using your domain.
- No unexplained failures remain in your
ruareports. An unexplained failure usually means a sender you forgot to authorize, not an attacker, but confirm before assuming either.
Not sure what your reports are actually saying? MailAfiniti's free DMARC record generator builds the correct policy string for wherever you are in this process and recommends the next step based on your current setup.
FAQ
What DMARC policy should a small business use?
p=reject should be the end goal for almost every small business, since it's the only policy that fully stops domain spoofing. Start at p=none to monitor for 2-4 weeks, move to p=quarantine once legitimate senders are identified, then reject once reports are clean. Businesses with complex, multi-tool sending setups (e-commerce, nonprofits with several fundraising platforms) may reasonably stay at p=quarantine longer while verifying every sender.
Is p=quarantine enough, or do I need p=reject?
p=quarantine sends failing mail to spam, which stops most casual phishing but not a targeted attack, since some recipients check spam folders and click anyway. p=reject bounces failing mail before delivery, which is the only policy that fully removes that risk. If your business handles payments, sensitive documents, or client trust (law, finance, accounting), p=reject is worth the extra setup verification.
How do I know when I'm ready to move from quarantine to reject?
Check your DMARC aggregate (rua) reports for 2-4 consecutive weeks. If every legitimate sender is passing SPF or DKIM alignment with no unexplained failures, you're ready. If you still see failures from a marketing tool or CRM you recognize, fix that sender's authentication first — don't reject until it's resolved.
Can I set different DMARC policies for different subdomains?
Yes. DMARC supports a separate policy for subdomains via the sp= tag (for example, sp=reject while the root domain runs p=quarantine). This is useful if a subdomain (like a marketing or testing subdomain) has different senders than your main domain and needs its own rollout timeline.
What's the risk of never moving past p=none?
None of DMARC's protection. p=none only reports on spoofing attempts, it doesn't stop them, so mail claiming to be from your domain still reaches the recipient's inbox exactly as if you had no DMARC record at all. The reporting is only useful if you act on it by tightening to p=quarantine and eventually p=reject.
Related reading
- SPF, DKIM & DMARC: The Complete Setup Guide — full DNS setup, registrar steps, and the rollout mechanics this post builds on
- Emails Still Going to Spam After SPF, DKIM & DMARC? — when authentication passes but deliverability still fails
- Email Security Threats — what spoofing and BEC attacks actually look like without DMARC enforcement
- Email Deliverability Guide — inbox placement factors beyond authentication
MailAfiniti
Stop using Gmail for your business
From $1.50/mo. Your domain, your email, your reputation. Up and running today.
No credit card required to start.