diff --git a/opendmarc/opendmarc-config.h b/opendmarc/opendmarc-config.h
index 28f605e..ff4983d 100644
--- a/opendmarc/opendmarc-config.h
+++ b/opendmarc/opendmarc-config.h
@@ -32,6 +32,7 @@ struct configdef dmarcf_config[] =
 	{ "FailureReportsOnNone",	CONFIG_TYPE_BOOLEAN,	FALSE },
 	{ "FailureReportsSentBy",	CONFIG_TYPE_STRING,	FALSE },
 	{ "HistoryFile",		CONFIG_TYPE_STRING,	FALSE },
+	{ "HoldQuarantinedMessages",	CONFIG_TYPE_BOOLEAN,	FALSE },
 	{ "IgnoreAuthenticatedClients",	CONFIG_TYPE_BOOLEAN,	FALSE },
 	{ "IgnoreHosts",		CONFIG_TYPE_STRING,	FALSE },
 	{ "IgnoreMailFrom",		CONFIG_TYPE_STRING,	FALSE },
diff --git a/opendmarc/opendmarc.c b/opendmarc/opendmarc.c
index 0179f4d..5aade55 100644
--- a/opendmarc/opendmarc.c
+++ b/opendmarc/opendmarc.c
@@ -155,6 +155,7 @@ struct dmarcf_config
 	_Bool			conf_spfselfvalidate;
 #endif /* WITH_SPF */
 	_Bool			conf_ignoreauthclients;
+	_Bool			conf_holdquarantinedmessages;
 	unsigned int		conf_refcnt;
 	unsigned int		conf_dnstimeout;
 	struct config *		conf_data;
@@ -1297,6 +1298,10 @@ dmarcf_config_load(struct config *data, struct dmarcf_config *conf,
 		                  &conf->conf_recordall,
 		                  sizeof conf->conf_recordall);
 
+		(void) config_get(data, "HoldQuarantinedMessages",
+		                  &conf->conf_holdquarantinedmessages,
+		                  sizeof conf->conf_holdquarantinedmessages);
+
 		(void) config_get(data, "IgnoreAuthenticatedClients",
 		                  &conf->conf_ignoreauthclients,
 		                  sizeof conf->conf_ignoreauthclients);
@@ -3064,7 +3069,8 @@ mlfi_eom(SMFICTX *ctx)
 		}
 		else
 		{
-			if (conf->conf_rejectfail && random() % 100 < pct)
+			if (conf->conf_rejectfail && random() % 100 < pct &&
+			    conf->conf_holdquarantinedmessages)
 			{
 				snprintf(replybuf, sizeof replybuf,
 					 "quarantined by DMARC policy for %s",
diff --git a/opendmarc/opendmarc.conf.5.in b/opendmarc/opendmarc.conf.5.in
index 9ee16ae..565e992 100644
--- a/opendmarc/opendmarc.conf.5.in
+++ b/opendmarc/opendmarc.conf.5.in
@@ -167,6 +167,13 @@ rather periodically imported into a relational database from which the
 aggregate reports can be extracted.
 
 .TP
+.I HoldQuarantinedMessages (Boolean)
+If set to true, causes mail that fails the DMARC tests to get hold
+by the MTA if the purported sender of the message has a policy of
+"quarantine". Does nothing if the policy is either "none" or "reject".
+The default is "true".
+
+.TP
 .I IgnoreAuthenticatedClients (Boolean)
 If set, causes mail from authenticated clients (i.e., those that used
 SMTP AUTH) to be ignored by the filter.  The default is "false".
diff --git a/opendmarc/opendmarc.conf.sample b/opendmarc/opendmarc.conf.sample
index fbfa49d..a2e1da3 100644
--- a/opendmarc/opendmarc.conf.sample
+++ b/opendmarc/opendmarc.conf.sample
@@ -177,6 +177,15 @@
 #
 # HistoryFile /var/run/opendmarc.dat
 
+##  HoldQuarantinedMessages { true | false }
+##  	default "true"
+##
+##  If set to true, causes mail that fails the DMARC tests to get hold
+##  by the MTA if the purported sender of the message has a policy of
+##  "quarantine". Does nothing if the policy is either "none" or "reject".
+#
+# HoldQuarantinedMessages true
+
 ##  IgnoreAuthenticatedClients { true | false }
 ##  	default "false"
 ##