Defaults.Exposed

Defaults.Exposed › Reports

"quarentine", "ninguno", "non": The Internet's Most Common DMARC Typos (2026)

Published 2026-06-29

Figures as of 2026-06-29 · methodology v7. Aggregate census data: the p= policy token of every published _dmarc record across 261 million graded domains, deduped per domain. See how we grade.

Part of the DMARC pillar — DMARC adoption, maturity and league tables, measured across the whole census.

Setting up DMARC is fiddly, and the data shows it: 48,648 domains published a DMARC record whose policy is misspelled, written in the wrong language, or missing entirely — so it does nothing. They did the hard part (publishing a record) and fell at the last word. A DMARC policy only protects you if it reads exactly p=quarantine or p=reject; anything else, and receiving mail servers ignore it and the domain can still be impersonated.

What a DMARC typo looks like

DMARC has exactly three valid policies: none (monitor only), quarantine, and reject. The last two are the ones that actually stop email impersonation. But the policy is just text a human types into a DNS record — and across 65 million DMARC records, here are the most common things people typed instead of a valid policy:

Published instead of a valid policyDomains
(no-p-token)31,553
quarentine4,806
policy4,134
quarantaine1,321
ninguno380
non351

Two kinds of mistake show up. Structural ones — a record with no p= token at all, or the literal word policy or a bare p — mean the syntax was fumbled. Linguistic ones are more human: quarentine and quarantaine are just misspellings of “quarantine”, while ninguno (Spanish for “none”) and non (French) are owners writing the policy word in their own language. Every one of them is invalid, and every one of them means the same thing: no protection, despite a DMARC record being present.

Why this matters more than it looks

A misspelled policy is arguably worse than no DMARC at all, because it looks done. The record exists; a quick glance — or a basic compliance checkbox — says “DMARC: present.” But receivers reject anything that isn’t a valid policy keyword, so the domain stays fully spoofable. The owner believes they’re protected; attackers know they’re not.

For context, only 10.59% of all domains reach a valid enforcing policy (27,639,358 domains). The 48,648 with a broken policy are a small slice of the DMARC records that exist — but they’re the most avoidable failure in email security: a single mistyped word between a business and a working defence.

Frequently asked questions

What are the valid DMARC policies? Exactly three: p=none (monitor only, no protection), p=quarantine, and p=reject. Only the last two stop impersonation. Anything else — a misspelling, another language, or a missing p= — is invalid and ignored.

Why would “quarentine” or “ninguno” appear in a DMARC record? Human error. quarentine/quarantaine are misspellings of “quarantine”; ninguno (Spanish) and non (French) are owners writing the word in their own language. DMARC only accepts the exact English keywords, so all of these silently fail.

Is a misspelled DMARC policy worse than none? In effect, yes — it provides the same zero protection but looks like a configured control, so the problem goes unnoticed.

How do I know my DMARC policy is valid? Check your domain (below) — it reads your actual published policy and tells you whether it’s enforcing, monitor-only, or invalid.

Check your DMARC policy is actually valid

A working record is one mistyped word away from a broken one. Check yours privately and free — you’ll see your exact policy and how to fix it.

Check your domain → · Fix DMARC → · Can someone spoof your domain? → · Aggregate data only. Data stored and processed in the EU.