Suped

How to implement DMARC p=reject policy safely, especially when using ESPs like Mailchimp and GetResponse?

Summary

Safely implementing a DMARC `p=reject` policy, especially when using ESPs like Mailchimp and GetResponse, involves careful planning and a phased approach. A common recommendation is to begin with `p=none` to monitor email traffic, identify legitimate sources, and address any authentication issues, then transition to `p=quarantine` before fully implementing `p=reject`. Because ESPs often use their own Mail From domains, SPF alignment can be tricky, which makes DKIM alignment critical. Regular monitoring of DMARC reports is essential for identifying authentication failures, and that view should extend beyond Google Postmaster Tools (PMT) to other recipient providers. Enforcement should only begin once DKIM and SPF pass on all legitimate mail. Bear in mind that external factors can break DKIM signatures in transit, that collaboration with ESPs to ensure SPF and DKIM alignment is vital, and that incremental adoption is a good way to test.

Key findings

  • DKIM Alignment Importance: If DKIM is aligned and passing consistently, it's generally safe to consider moving to `p=reject`, even if SPF alignment is challenging.
  • ESP SPF Challenges: Achieving SPF alignment can be difficult with ESPs like Mailchimp and GetResponse due to their use of their own sending domains.
  • Phased Implementation: A phased approach, starting with `p=none`, then `p=quarantine`, and finally `p=reject`, is crucial for a safe DMARC implementation.
  • DMARC Reporting is Essential: Regular DMARC reporting is vital for identifying authentication failures and misconfigurations, and it should draw on insights from multiple recipient providers, not just Google PMT.

Key considerations

  • Monitor Reports: Continuously monitor DMARC reports to identify and address authentication failures before implementing `p=reject`.
  • Proper Configuration: Carefully configure SPF and DKIM records, ensuring all legitimate sending sources are included.
  • Collaboration with ESPs: Work closely with ESPs to ensure proper SPF and DKIM alignment.
  • Gradual Implementation: Consider a gradual rollout of the `p=reject` policy, starting with a small percentage of emails.
  • Incremental Adoption: Adopt an incremental approach to implementation through constant testing and monitoring.

What email marketers say

9 marketer opinions

Safely implementing a DMARC `p=reject` policy, especially with ESPs like Mailchimp and GetResponse, requires careful planning and monitoring. SPF alignment can be challenging with ESPs because they often use their own sending domains. A phased approach is recommended, starting with `p=none` to monitor traffic and identify legitimate sources, progressing to `p=quarantine`, and finally to `p=reject`. DMARC reporting tools are crucial for identifying authentication failures and misconfigurations. Working closely with ESPs to configure SPF and DKIM correctly is essential. Gradually increasing the `p=reject` percentage while monitoring reports provides a controlled rollout. Implementation should only occur after DKIM and SPF are passing for all legitimate emails.

Key opinions

  • SPF Alignment Challenges: SPF alignment can be difficult with ESPs like Mailchimp because they use their own sending domains.
  • Phased Implementation: A phased DMARC implementation is crucial for safety, progressing from `p=none` to `p=quarantine` to `p=reject`.
  • DMARC Reporting Importance: DMARC reporting tools provide essential insights into authentication failures and misconfigurations.
  • Collaboration with ESPs: Working closely with ESPs is necessary to ensure correct SPF and DKIM configurations.

Key considerations

  • Monitor DMARC Reports: Regularly monitor DMARC reports to identify and address authentication failures before enforcing the `p=reject` policy.
  • Proper SPF Configuration: Ensure your SPF records include all sending sources, including ESPs, and double-check the syntax for errors.
  • Gradual Rollout: Consider a gradual rollout of the `p=reject` policy, starting with a small percentage of emails and increasing it over time.
  • DKIM and SPF Passing: Only implement `p=reject` after confirming that DKIM and SPF are passing for all legitimate emails.
  • Analyze Mail Flow: Analyze mail flow to fully understand all email streams, both internal and external.

Marketer view

Email marketer from Email Geeks shares they start with `p=quarantine` for 2-3 weeks before moving to `p=reject`.

26 Oct 2022 - Email Geeks

Marketer view

Email marketer from Email Geeks says if the mail is from Mailchimp, SPF will never align because Mailchimp uses their domain in the return path.

18 Aug 2021 - Email Geeks

What the experts say

8 expert opinions

Implementing DMARC `p=reject` safely, particularly when using ESPs like Mailchimp and GetResponse, requires a strategic and phased approach. Although DKIM alignment is often sufficient, SPF alignment issues with ESPs, due to their use of separate sending domains, necessitate careful attention. Starting with `p=none` to gather data and understand email streams is crucial, followed by a move to `p=quarantine` before fully implementing `p=reject`. DMARC reports are vital for monitoring and identifying authentication failures, and beyond Google PMT a broader view across recipient providers is needed. External factors can unexpectedly break DKIM signatures in transit. A gradual implementation using `pct=` can mitigate risks. A thorough understanding of both internal and third-party email streams is necessary to prevent the rejection of legitimate emails.

Key opinions

  • DKIM Alignment Importance: While SPF alignment can be challenging with ESPs, consistent DKIM alignment is a good starting point for implementing `p=reject`.
  • ESP SPF Challenges: ESPs often use their own Mail From domains, making SPF alignment complex and sometimes impossible (e.g., Mailchimp).
  • Phased Approach: A phased implementation is essential, starting with `p=none` for data collection, then `p=quarantine`, before moving to `p=reject`.
  • DMARC Reporting is Crucial: Regular DMARC reports are vital for identifying authentication failures and misconfigurations, and they should cover a broad range of recipient providers, not just Google.

Key considerations

  • Monitor Authentication: Closely monitor DMARC reports to identify and address authentication issues before implementing `p=reject`.
  • Understand Email Streams: Thoroughly understand both internal and third-party email streams to ensure legitimate emails are not impacted by the reject policy.
  • Assess External Factors: Be aware that external factors beyond your control can potentially break DKIM signatures in transit.
  • Gradual Implementation: Consider using `pct=` to implement the `p=reject` policy gradually, monitoring reports closely.
  • Monitor DMARC Compliance: Focus on the DMARC compliance statistic and identify the misconfigurations behind any failures before moving forward.
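The monitoring step above, as an added example that is not part of the original page: a small Python script that parses a DMARC aggregate (RUA) report and, per source IP, works out whether DKIM or SPF passed with alignment and therefore whether that stream would be rejected under `p=reject`. The sample report, IPs and domains are constructed placeholders, and relaxed alignment is simplified by treating the From: domain as the organizational domain.

```python
import xml.etree.ElementTree as ET

# Constructed sample aggregate (RUA) report in the RFC 7489 XML shape;
# the IPs and domains are placeholders, not real senders.
SAMPLE_RUA = """<feedback>
  <policy_published><domain>example.com</domain><p>none</p></policy_published>
  <!-- ESP with DKIM configured: DKIM aligns, SPF passes only on the ESP domain -->
  <record><row><source_ip>192.0.2.10</source_ip><count>120</count></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>bounce.esp-provider.example</domain><result>pass</result></spf>
    </auth_results></record>
  <!-- ESP stream without DKIM: only an unaligned SPF pass, so it fails DMARC -->
  <record><row><source_ip>192.0.2.20</source_ip><count>30</count></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>bounce.esp-provider.example</domain><result>pass</result></spf>
    </auth_results></record>
  <!-- Unknown source using the From: domain without any aligned signature -->
  <record><row><source_ip>198.51.100.7</source_ip><count>5</count></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>other.example</domain><result>pass</result></dkim>
      <spf><domain>other.example</domain><result>fail</result></spf>
    </auth_results></record>
</feedback>"""

def aligned(auth_domain, header_from):
    """Relaxed alignment: identical to, or a subdomain of, the From: domain.
    Simplification: header_from is assumed to be the organizational domain."""
    return auth_domain == header_from or auth_domain.endswith("." + header_from)

def summarize(report_xml):
    """Per source IP: message count, aligned DKIM/SPF results and whether
    the stream would be rejected once the policy moves to p=reject."""
    out = {}
    for rec in ET.fromstring(report_xml).findall("record"):
        hfrom = rec.findtext("identifiers/header_from")
        dkim_ok = any(d.findtext("result") == "pass" and aligned(d.findtext("domain"), hfrom)
                      for d in rec.findall("auth_results/dkim"))
        spf_ok = any(s.findtext("result") == "pass" and aligned(s.findtext("domain"), hfrom)
                     for s in rec.findall("auth_results/spf"))
        out[rec.findtext("row/source_ip")] = {"count": int(rec.findtext("row/count")),
            "dkim_aligned": dkim_ok, "spf_aligned": spf_ok, "would_reject": not (dkim_ok or spf_ok)}
    return out

if __name__ == "__main__":
    for ip, r in summarize(SAMPLE_RUA).items():
        print(ip, r)
```

The first stream is the typical Mailchimp-style case from the page: SPF passes on the ESP's own domain and never aligns, but the aligned DKIM pass keeps it compliant; the second stream shows why an ESP stream without DKIM must be fixed before enforcement.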

Expert view

Expert from Word to the Wise, Laura Atkins, emphasizes starting with a `p=none` policy to gather data, then moving to `p=quarantine` and eventually `p=reject` once you are confident in your DMARC configuration.

13 Apr 2025 - Word to the Wise

Expert view

Expert from Email Geeks suspects the SPF alignment issue arises because the mail is sent through an ESP, which uses its own Mail From domain. For Mailchimp, SPF alignment isn't possible. For GetResponse, it might be possible, but requires contacting support.

23 Mar 2024 - Email Geeks

What the documentation says

4 technical articles

Implementing DMARC `p=reject` safely requires careful planning and a phased approach. Documentation consistently emphasizes the importance of starting with a `p=none` policy to monitor email traffic, identify legitimate sending sources, and address authentication issues. Moving to `p=quarantine` before `p=reject` provides an additional layer of safety. Thorough testing, monitoring, and working closely with ESPs to ensure proper SPF and DKIM configuration are crucial to avoid unintended consequences, such as blocking legitimate emails. An incremental adoption through testing and monitoring is highly advised.

Key findings

  • Phased Implementation: A phased approach (p=none -> p=quarantine -> p=reject) is essential for a safe DMARC implementation.
  • Monitoring and Testing: Thorough monitoring and testing are necessary before implementing `p=reject` to prevent blocking legitimate emails.
  • Collaboration with ESPs: Working closely with ESPs is critical to ensure proper SPF and DKIM configuration.

Key considerations

  • Start with p=none: Begin with a `p=none` policy to monitor email traffic and identify legitimate sources.
  • Address Authentication Issues: Identify and correct any authentication issues before enforcing the `p=reject` policy.
  • Monitor Email Traffic: Continuously monitor email traffic after implementing DMARC to identify and address any unexpected issues.
  • Incremental Adoption: Employ incremental adoption through testing and monitoring for safe DMARC implementation.
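The phased rollout described above, as an added example that is not from the page or any vendor documentation: the successive DNS TXT records a domain would publish at each stage. `example.com` and the `rua` mailbox are placeholders; only one `_dmarc` record is published at a time, so each line replaces the previous one.

```dns
; Phase 1: monitor only. Nothing is quarantined or rejected; aggregate reports go to the rua mailbox.
_dmarc.example.com. IN TXT "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com; adkim=r; aspf=r"

; Phase 2: quarantine a fraction of failing mail once reports show every legitimate stream aligned.
; Widen pct in steps as the reports stay clean.
_dmarc.example.com. IN TXT "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc-reports@example.com; adkim=r; aspf=r"

; Phase 3: reject, again sampled first. Per RFC 7489, failing mail not selected by pct
; is treated as quarantine, so this step is still a step up from phase 2.
_dmarc.example.com. IN TXT "v=DMARC1; p=reject; pct=25; rua=mailto:dmarc-reports@example.com; adkim=r; aspf=r"

; Final record: pct omitted (defaults to 100), full enforcement.
_dmarc.example.com. IN TXT "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; adkim=r; aspf=r"
```

Keep the `rua` tag on every record, including the final one, since the reports are what reveal a new or reconfigured ESP stream that has started failing after enforcement.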

Technical article

Documentation from Google Workspace Admin Help explains the `p=reject` policy instructs recipient servers to reject emails that fail DMARC authentication. They emphasize the importance of thorough testing and monitoring before implementing this policy to avoid unintended consequences, such as blocking legitimate emails.

24 Dec 2022 - Google Workspace Admin Help

Technical article

Documentation from Microsoft details that DMARC `p=reject` is the strictest policy, advising it only be implemented after careful monitoring and testing. They also recommend working closely with ESPs to ensure proper SPF and DKIM configuration to avoid legitimate emails being blocked.

1 Apr 2025 - Microsoft Documentation
