Suped

What are the best practices for implementing a DMARC policy, and should you use reject or quarantine?

Summary

Implementing a DMARC policy effectively is a multi-stage process. Experts and documentation alike recommend starting with 'p=none' to monitor your mail streams and gather data. Next, transitioning to 'p=quarantine' directs non-aligned messages to spam folders, serving as an intermediate step. Finally, 'p=reject' offers maximum protection against spoofing but necessitates careful monitoring to prevent blocking legitimate emails. Ensure SPF and DKIM are correctly configured prior to DMARC implementation. The decision between 'reject' and 'quarantine' should be based on your risk tolerance and the maturity of your authentication setup. Percentage options allow gradual policy enforcement. Remember some ISPs don't differentiate between quarantine and reject.

Key findings

  • Phased Approach: Implementing DMARC in stages (none, quarantine, reject) is widely recommended.
  • Importance of SPF and DKIM: SPF and DKIM must be implemented and tested before DMARC.
  • Monitoring is Crucial: Regularly monitoring DMARC reports is essential for identifying and addressing deliverability issues.
  • Policy Options: DMARC offers three policy options: none, quarantine, and reject, each serving a different purpose.
  • Enforcing Policy: Quarantine is still an enforcing policy; it tells receivers to take action on non-aligned messages.

Key considerations

  • Risk Tolerance: Consider your risk tolerance when choosing between 'reject' and 'quarantine'.
  • Potential for Blocking Legitimate Emails: Implementing 'reject' without proper monitoring can block legitimate emails.
  • Gradual Enforcement: Use percentage options for gradual policy enforcement.
  • Monitor reports: Remember to regularly monitor your DMARC aggregate and forensic reports.
  • ISPs treat differently: Some ISPs don't distinguish between quarantine and reject.

What email marketers say

10 marketer opinions

Implementing a DMARC policy effectively involves a phased approach, starting with monitoring ('p=none') to gather data and identify potential issues. Transitioning to 'p=quarantine' provides a middle ground by directing non-aligned messages to the spam folder, while 'p=reject' offers maximum protection but requires careful monitoring to avoid blocking legitimate emails. The choice between 'reject' and 'quarantine' depends on your risk tolerance and the maturity of your email authentication setup. Percentage options allow for gradual policy enforcement.

Key opinions

  • Phased Implementation: A gradual transition from 'p=none' to 'p=quarantine' and finally 'p=reject' is the safest approach.
  • Monitoring is Crucial: Monitoring DMARC reports is essential to identify and address any deliverability issues before fully enforcing a reject policy.
  • Quarantine as Intermediate Step: The 'quarantine' policy serves as an intermediate step, allowing you to assess the impact of DMARC enforcement before implementing a full 'reject' policy.
  • ISPs treat differently: Note that some ISPs don't distinguish between quarantine and reject.

Key considerations

  • Risk Tolerance: Your risk tolerance and the maturity of your email authentication infrastructure should influence your choice between 'reject' and 'quarantine'.
  • Potential for Blocking Legitimate Emails: Implementing a 'reject' policy without proper monitoring can lead to legitimate emails being blocked.
  • Gradual Enforcement: Using percentage options allows for gradual policy enforcement, minimizing potential disruptions.
  • SPF and DKIM: Make sure you are sending authenticated mail before you implement DMARC. SPF and DKIM have to be implemented and tested first; DMARC comes after.

Marketer view

Email marketer from EasyDMARC explains that immediately implementing a 'p=reject' policy without proper monitoring and analysis can lead to legitimate emails being blocked, potentially harming your business. They suggest starting with 'p=none' to gather data and identify any authentication issues.

8 Sep 2021 - EasyDMARC

Marketer view

Email marketer from Postmark recommends incrementally strengthening your DMARC policy over time. Starting with 'p=none' gives you visibility without impacting deliverability. Then move to 'p=quarantine' to test the waters, before fully enforcing with 'p=reject'.

28 Dec 2022 - Postmark

What the experts say

3 expert opinions

Experts recommend a multi-stage approach to DMARC implementation. This begins by ensuring proper email authentication (SPF and DKIM). Initially, a 'p=none' policy is advised for monitoring and data collection, followed by 'p=quarantine' as an intermediate step, and ultimately 'p=reject' if all checks pass. Monitoring DMARC reports is vital to identify and address any issues. Some experts suggest using 'p=quarantine pct=0' as an initial step, and there are external services available that can interpret DMARC reports to pinpoint sources of unauthorized sending.

Key opinions

  • Staged Implementation: Implementing DMARC in stages (none, quarantine, reject) is the best practice.
  • Importance of SPF and DKIM: SPF and DKIM must be implemented and tested before DMARC.
  • Monitoring is Essential: Regularly monitoring DMARC aggregate and forensic reports is crucial.
  • External services exist: Services that read DMARC reports and identify sources of unauthorized sending exist.

Key considerations

  • Use p=quarantine pct=0: Consider using 'p=quarantine pct=0' as an initial step.
  • Proper Authentication: Ensure your mail is properly authenticated before implementing DMARC.
  • Intermediate Quarantine Step: Use p=quarantine as an intermediate step before rejecting all unauthenticated mail.

Expert view

Expert from Word to the Wise shares that the usual best practice is to implement DMARC in stages, initially requesting "none", then graduating to quarantine, finally reject (if all goes well). Note, too, that there are services that can read the DMARC reports for you to determine the sources of unauthorized sending (spoofing).

18 Jan 2022 - Word to the Wise

Expert view

Expert from Spamresource explains that a DMARC implementation needs to be done in stages:
  • You want to make sure you are sending authenticated mail before you implement it.
  • You have to have SPF and DKIM implemented first and tested and then DMARC.
  • Then you want to be watching the DMARC aggregate and forensic reports that are generated by your DMARC policy to see if something is amiss.

1 Nov 2022 - Spamresource

What the documentation says

4 technical articles

Technical documentation consistently recommends a phased DMARC implementation. This involves starting with a 'p=none' policy for monitoring and data collection, followed by a transition to either 'p=quarantine' (directing non-compliant emails to spam) or 'p=reject' (refusing such emails entirely). While 'p=reject' provides strong protection against spoofing and phishing, careful monitoring is crucial to avoid blocking legitimate emails.

Key findings

  • Policy Options: DMARC offers three policy options: none, quarantine, and reject.
  • Phased Approach: A phased implementation is recommended, starting with 'p=none'.
  • Reject for Spoofing Prevention: 'p=reject' helps prevent spoofing and phishing attacks.

Key considerations

  • Monitoring Importance: Carefully monitor DMARC reports to avoid blocking legitimate emails, especially with 'p=reject'.
  • Quarantine vs. Reject: 'p=quarantine' places failing messages in spam, while 'p=reject' refuses them entirely.
  • Data Collection: 'p=none' allows you to gather data on your mail streams before implementing stricter policies.

Technical article

Documentation from Google explains that DMARC policies tell receiving mail servers what to do with messages from your domain that fail DMARC checks. Google recommends starting with a 'p=none' policy to monitor reports before transitioning to 'p=quarantine' or 'p=reject'.

5 Jan 2023 - Google

Technical article

Documentation from DMARC.org details the three policy options: none, quarantine, and reject. It clarifies that 'p=none' is for monitoring, 'p=quarantine' instructs receivers to place failing messages in spam folders, and 'p=reject' instructs receivers to refuse the message.

6 Feb 2023 - DMARC.org
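As an added example (not from Suped, DMARC.org or any of the quoted sources), the script below reads a DMARC aggregate (rua) report of the kind the experts above say to watch, and works out which sending sources would be affected if the published policy moved from 'p=none' to 'p=quarantine' or 'p=reject', including the sampling effect of 'pct'. The XML report, the IP addresses (documentation ranges) and the function names are constructed for this illustration and are not real data.

```python
import xml.etree.ElementTree as ET

# Constructed sample aggregate report in the RFC 7489 XML layout, trimmed to the
# fields this example reads. Not a real report; IPs are documentation ranges.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>example-receiver</org_name></report_metadata>
  <policy_published><domain>example.com</domain><p>none</p><pct>100</pct></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>35</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>203.0.113.22</source_ip><count>8</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
</feedback>"""

def summarize_report(xml_text):
    """Return (published_policy, rows); each row is (source_ip, count, aligned).
    policy_evaluated/dkim and /spf are the *aligned* results, so a message
    passes DMARC when either is 'pass'; only non-aligned mail is ever acted on."""
    root = ET.fromstring(xml_text)
    pub = root.find("policy_published")
    policy = {"domain": pub.findtext("domain"), "p": pub.findtext("p"),
              "pct": int(pub.findtext("pct") or 100)}
    rows = []
    for rec in root.findall("record"):
        row = rec.find("row")
        ev = row.find("policy_evaluated")
        aligned = ev.findtext("dkim") == "pass" or ev.findtext("spf") == "pass"
        rows.append((row.findtext("source_ip"), int(row.findtext("count")), aligned))
    return policy, rows

def enforcement_impact(rows, pct=100):
    """Estimate what a receiver would act on under quarantine/reject at the given
    pct: non-aligned mail only, sampled at pct% (unsampled messages fall back one
    step, reject->quarantine and quarantine->none, per RFC 7489)."""
    failing = sum(count for _, count, aligned in rows if not aligned)
    return {"total": sum(count for _, count, _ in rows), "failing": failing,
            "affected_at_pct": round(failing * pct / 100),
            "failing_sources": sorted(ip for ip, _, aligned in rows if not aligned)}
```

Run it against your own rua XML before tightening the policy: any failing source you recognise as legitimate (a newsletter tool, a ticketing system) needs SPF or DKIM alignment fixed first, otherwise that is the mail 'p=reject' will block.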
