Quarantine or Reject

"Which should I use, p=quarantine, or p=reject?"

To some extent, this depends on your comfort with the results of policy enforcement. For the most part, however, your goal should probably be p=reject. The reasons follow.


Use of p=reject will cause DMARC-compliant receivers to completely reject messages which fail DMARC. Senders of those messages immediately receive a bounce message regarding the failure. This is tremendously valuable feedback for senders, which might otherwise never know that their traffic is failing authentication measures.


Use of p=quarantine will cause DMARC-compliant receivers to perform a "quarantine" action on messages which fail DMARC. How this is implemented varies depending on the receiving environment. In the case of large inbox providers, the result of the quarantine action is that messages are delivered to the recipient's spam folder. In the case of some MTA hosts which perform DMARC enforcement, the quarantine result is that messages are posted to a system-level quarantine, accessible only by MTA administrators. Those quarantined messages are usually set for automatic deletion after 30 days, and unless investigations are requested they are never reviewed. In all instances of a quarantine action being enforced, the sender does not receive feedback on the failure, although DMARC reports sent to the domain owner do indicate failures.

Because quarantine behaviour is inconsistent and p=quarantine gives senders no feedback, that policy should be avoided unless the domain owner frequently and consistently reviews the authentication results available via DMARC rua reports.
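
The rua review described above, as an added Python example that is not part of the original article: it parses an aggregate report and lists each source whose mail failed DMARC, with the disposition the receiver applied. The sample report is constructed, the function names are hypothetical, and the code assumes the un-namespaced RFC 7489 report layout.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample aggregate report (RFC 7489 layout, no XML namespace); not real data.
SAMPLE_REPORT = """<feedback>
  <policy_published><domain>example.com</domain><p>quarantine</p></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>14</count>
      <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>203.0.113.5</source_ip><count>3</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>news.example.com</header_from></identifiers>
  </record>
</feedback>"""

def dmarc_failures(report_xml):
    """Return (published_policy, {(source_ip, header_from, disposition): messages})
    for rows where aligned DKIM and aligned SPF both failed, i.e. DMARC failed."""
    # Reports come from third parties: in production use a hardened parser (e.g. defusedxml).
    root = ET.fromstring(report_xml)
    policy = root.findtext("policy_published/p", default="none")
    failures = Counter()
    for rec in root.iter("record"):
        ev = rec.find("row/policy_evaluated")
        if ev is None or "pass" in (ev.findtext("dkim"), ev.findtext("spf")):
            continue  # DMARC passes when either aligned mechanism passes
        key = (rec.findtext("row/source_ip"),
               rec.findtext("identifiers/header_from"),
               ev.findtext("disposition"))
        failures[key] += int(rec.findtext("row/count", default="0"))
    return policy, dict(failures)

def quarantined_without_bounce(report_xml):
    """Count failing messages that were quarantined, so their senders saw no bounce."""
    _, failures = dmarc_failures(report_xml)
    return sum(n for (_, _, disp), n in failures.items() if disp == "quarantine")

if __name__ == "__main__":
    policy, failures = dmarc_failures(SAMPLE_REPORT)
    for (ip, header_from, disp), n in sorted(failures.items()):
        print(f"p={policy} {ip} header_from={header_from} disposition={disp} messages={n}")
```

The third sample record fails DMARC but carries disposition `none`, which is how a receiver-side policy override appears in the report.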


For a more comprehensive article on this topic, please see https://dmarcian.com/policy-modes-quarantine-vs-reject/