DMARC for Cold Email: p=none vs quarantine vs reject (What to Choose and When)

For startups and sales teams relying on cold email outreach, inbox placement is the difference between a new pipeline and wasted effort. One of the most misunderstood factors in deliverability is your DMARC policy. If you’ve ever wondered why some emails land in spam or vanish altogether, your DMARC (Domain-based Message Authentication, Reporting & Conformance) settings could be the culprit or your secret weapon.
This article will help you understand what DMARC is, how its policies (p=none, quarantine, reject) work, and critically, how to choose the right policy for every stage of your cold email journey. You’ll learn how to set up and scale your outreach, avoid costly mistakes, and keep your sender reputation healthy, all while protecting your domain from spoofing and phishing attacks.

What is DMARC and Why Does it Matter for Cold Email?

DMARC is a DNS record that works alongside SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) to authenticate your emails. Think of DMARC as the traffic cop for your domain: it tells receiving servers what to do if a message fails authentication checks, and reports back on suspicious activity.

• SPF specifies which mail servers can send on behalf of your domain.
• DKIM adds a digital signature to outgoing emails, ensuring the message hasn’t been altered in transit.
• DMARC ties it all together, instructing mailbox providers (like Gmail and Outlook) on how to handle messages that don’t pass SPF and DKIM checks.

In cold email, where you’re often sending to new contacts at scale, authentication is non-negotiable. Without DMARC, your domain is vulnerable to spoofing, and your emails are more likely to be flagged as spam or blocked entirely. But with the right DMARC policy, you can maximize deliverability and protect your brand.

DMARC Policy Options: p=none, quarantine, reject

1. p=none

• What it does: No enforcement. Failing emails are delivered as usual, but you receive DMARC reports about authentication failures.
• When to use:
  
  • When first setting up DMARC
  • During the domain or inbox warm-up
  • When monitoring for issues before enforcing stricter policies
• Pros: Maximizes deliverability, ideal for early-stage outreach or when onboarding new inboxes.
• Cons: Offers no real protection; your domain is still vulnerable to spoofing and phishing.

Example scenario:
You’re launching a new cold email campaign with fresh domains and inboxes. Start with p=none to collect DMARC reports and monitor for authentication issues without risking your emails being blocked.

2. p=quarantine

• What it does: Emails that fail DMARC checks are sent to recipients’ spam or junk folders.
• When to use:
  
  • After monitoring with p=none and fixing authentication issues
  • When you want to start enforcing DMARC without risking legitimate emails being blocked outright
• Pros: Provides moderate protection while still allowing some margin for errors.
• Cons: Some legitimate emails could end up in spam if SPF/DKIM aren’t perfectly aligned.

Example scenario:
After a few weeks of successful sending and clean DMARC reports, you move to p=quarantine to start protecting your domain, knowing that any issues will likely result in spam placement rather than outright rejection.

3. p=reject

• What it does: Emails that fail DMARC checks are rejected outright and not delivered.
• When to use:
  
  • After thoroughly monitoring and fixing all authentication issues
  • For mature domains with a stable, well-tested sending infrastructure
  • When domain security and brand protection are top priorities
• Pros: Maximum protection against spoofing and phishing.
• Cons: Any misconfiguration can result in legitimate emails being blocked, potentially impacting your outreach.

Example scenario:
Your domain has a long, clean sending history, your SPF/DKIM are perfectly aligned, and you’re ready to lock down your domain. Move to p=reject to prevent abuse and maximize trust with mailbox providers.

How DMARC Policy Impacts Cold Email Deliverability

The right DMARC policy protects your domain, but it can also make or break your deliverability. Here’s how each policy affects your cold email efforts:

• p=none: Best for monitoring and troubleshooting, not for long-term use. Gives you insight into authentication issues without risking deliverability.
• p=quarantine: A middle ground. If you’ve fixed most issues, this policy helps catch problems early, most unauthenticated emails will still reach recipients (albeit in spam).
• p=reject: The gold standard for security, but only safe when you’re confident in your setup. Any misalignment in SPF/DKIM will result in lost emails.

Key takeaway:
For cold email, especially when scaling, start with p=none, fix all issues, then progress to quarantine and, eventually, reject as your setup matures.

Step-by-Step: Implementing DMARC for Cold Email Outreach

Step 1: Set Up SPF and DKIM

Before touching DMARC, ensure your SPF and DKIM records are correctly configured for all sending domains and inboxes. This is especially important if you use multiple providers (Google Workspace, Microsoft 365, shared or dedicated IPs).

Tips:

• Use only authorized sending services in your SPF.
• Generate unique DKIM keys for each domain/mailbox provider.
• Test your records using online tools (e.g., MXToolbox, DMARC Analyzer).

Step 2: Add a DMARC Record with p=none

Start with a DMARC policy of p=none. This will not affect deliverability but will generate reports on authentication failures.

Example DMARC record:

v=DMARC1; p=none; rua=mailto:your-email@yourdomain.com; ruf=mailto:your-email@yourdomain.com; fo=1

• rua and ruf are addresses to receive aggregate and forensic reports.

Step 3: Monitor DMARC Reports

Review DMARC reports regularly, look for authentication failures, misalignments, or unexpected senders. Address any issues immediately.

What to watch for:

• Emails sent from unauthorized sources
• SPF or DKIM misalignment
• High rates of authentication failures

Step 4: Move to p=quarantine

Once your reports are clean and you’re confident in your configuration, update your DMARC policy to p=quarantine.

Example:
v=DMARC1; p=quarantine; rua=mailto:your-email@yourdomain.com; ruf=mailto:your-email@yourdomain.com; fo=1

Continue monitoring and troubleshooting any issues that arise.

Step 5: Progress to p=reject

When you’re certain your email authentication is flawless, and all legitimate senders are properly configured, set your policy to p=reject.

Example:

v=DMARC1; p=reject; rua=mailto:your-email@yourdomain.com; ruf=mailto:your-email@yourdomain.com; fo=1

This will provide the highest level of protection and maximize your sender reputation.

Best Practices for Scaling Cold Email with DMARC

1. Always start with p=none for new domains/inboxes.
2. Warm up new inboxes carefully: Start with low sending volumes and increase gradually.
3. Monitor DMARC reports weekly: Use a dashboard or reporting tool for visibility.
4. Document all DNS changes: Keep a change log for troubleshooting.
5. Educate your team: Make sure everyone understands the basics of SPF, DKIM, and DMARC.
6. Separate cold email from regular business email: Use subdomains or dedicated domains for outreach.
7. Align all records: Ensure SPF, DKIM, and DMARC are properly set up for every sending source.
8. Don’t rush to p=reject: Only move to strict enforcement when you’re sure everything is working.

Real-World Scenarios: DMARC in Action

Scenario 1:
A SaaS startup launches a cold email campaign from a new subdomain. They set DMARC to p=none and discover through reports that their marketing automation tool isn’t signing emails with DKIM. By fixing this, they avoid deliverability issues before scaling.

Scenario 2:
A lead generation agency uses multiple inboxes across several domains. By monitoring DMARC reports, they catch a misconfigured SPF record that would have sent hundreds of emails to spam under a stricter policy.

Scenario 3:
A mature sales team upgrades to p=reject after months of clean DMARC reports and sees a measurable increase in inbox placement rates, thanks to improved trust from mailbox providers.

Common Mistakes to Avoid

• Jumping straight to p=reject: Without monitoring, you risk blocking legitimate outreach.
• Ignoring DMARC reports: These are your early warning system, use them!
• Misconfigured SPF/DKIM: Even a small typo can tank your deliverability.
• Using the same domain for cold and business email: Always separate to protect your main domain’s reputation.
• Failing to update records when changing providers: Each new tool or mailbox needs proper authentication.

Frequently Asked Questions

Q: Does DMARC guarantee inbox placement?
A: No, but it’s a critical foundation. Proper authentication builds trust with mailbox providers, which is essential for deliverability.

Q: How long should I stay on p=none?
A: At least 2–4 weeks, or until you have several weeks of clean DMARC reports.

Q: Can I use DMARC with any email provider?
A: Yes, as long as your provider supports SPF and DKIM. Mailpool supports Google Workspace, Microsoft 365, shared and dedicated IPs, and more.

Conclusion

DMARC isn’t just a checkbox; it’s a strategic lever for cold email success. By understanding and properly implementing DMARC policies, you can scale your outreach, protect your domain, and ensure your emails reach the right inboxes.
Ready to take your cold email deliverability to the next level?
Book a demo with Mailpool and see how our platform can help you scale safely, monitor your authentication, and maximize your results.