10,588 Australian domains analysed. Most fail basic email authentication. [2026 Report]

Understanding Policy Phases

None, Quarantine, and Reject explained

5 min read DMARC Management

Understanding DMARC Policy Phases

DMARC policies tell receiving email servers what to do with emails that fail authentication. DMARC Busta guides you through three phases:

1

Monitor (p=none)

Emails are delivered normally regardless of authentication results. You receive reports to see what's happening without affecting delivery.

Use when: Starting out, collecting data, identifying legitimate sources

2

Quarantine (p=quarantine)

Emails that fail authentication are sent to spam/junk folders. Legitimate email still gets through, but suspicious email is flagged.

Use when: 95%+ compliance achieved, sources are stable

3

Reject (p=reject)

Emails that fail authentication are blocked completely. Maximum protection against spoofing and phishing.

Use when: 99%+ compliance, all sources verified, stable for 30+ days

Why we don't use the pct= tag

Older DMARC guides suggest staging enforcement with the pct= tag (applying the policy to only a percentage of email). DMARC Busta does not: the tag is deprecated in DMARCbis, and mailbox providers have always honored it inconsistently — some apply the full policy regardless. Instead, each policy step is applied fully, and safety comes from the monitoring window, pass-rate checks, and automatic rollback between steps.