Summary
Changing a DMARC policy to 'quarantine' instructs recipient mail servers to place emails failing DMARC authentication checks (SPF and DKIM) into the spam folder. This commonly occurs due to SPF/DKIM misconfigurations, alignment issues between the 'From' address and authentication domains, uninventoried or unauthenticated email streams, or simply a misunderstanding of DMARC's implications. Experts and documentation recommend auditing sending sources, ensuring proper SPF/DKIM configuration and alignment, analyzing DMARC reports, using validation tools, and adopting a phased implementation approach (starting with 'p=none') to avoid unintended deliverability problems and protect against spoofing and phishing attacks.
Key findings
- Quarantine = Spam: DMARC 'quarantine' policy sends failing emails to spam folders.
- SPF/DKIM is Key: Misconfigured SPF and DKIM records are the primary cause of DMARC failures and quarantine issues.
- Alignment Matters: Proper alignment between the 'From' address and SPF/DKIM domains is crucial for DMARC compliance.
- Know Your Streams: A thorough inventory of all email sending sources is essential for proper DMARC implementation.
- DMARC Reporting: DMARC reports provide valuable insights into authentication failures and unauthorized sending sources.
Key considerations
- Audit & Correct: Regularly audit and correct SPF and DKIM records, ensuring all legitimate sending sources are properly authenticated.
- Ensure Alignment: Verify that SPF and DKIM domains align with the domain in the 'From' address.
- Monitor Reports: Actively monitor DMARC reports to identify and address authentication failures promptly.
- Gradual Rollout: Consider a phased implementation of DMARC, starting with 'p=none' to monitor performance before moving to 'p=quarantine' or 'p=reject'.
- Validation Tools: Utilize SPF and DKIM validation tools to check for syntax errors and ensure proper configuration.
What email marketers say
10 marketer opinions
Changing your DMARC policy to 'quarantine' instructs receiving mail servers to place emails that fail DMARC authentication checks (SPF and DKIM) into the recipient's spam folder. This typically happens due to misconfigured SPF or DKIM records, domain mismatches, or unauthenticated email streams. To resolve this, it's crucial to audit and correct SPF and DKIM records, ensure proper alignment between the 'From' address and authentication domains, identify all email sources, use DMARC reporting tools to diagnose issues, and consider a gradual implementation approach to avoid deliverability problems.
Key opinions
- DMARC Quarantine Effect: Setting DMARC to 'quarantine' sends emails failing authentication to the spam folder.
- SPF/DKIM Misconfiguration: Incorrect SPF or DKIM records are a primary cause of DMARC failures.
- Domain Mismatch: Mismatches between the 'From' address and the SPF/DKIM domains lead to quarantine.
- Email Stream Identification: Failure to identify all email sending sources causes deliverability issues.
- Gradual Implementation: A phased approach to DMARC implementation is recommended.
Key considerations
- Audit SPF/DKIM: Regularly audit SPF and DKIM records for accuracy and proper configuration.
- Ensure Alignment: Verify alignment between the 'From' address and SPF/DKIM domains.
- Monitor DMARC Reports: Use DMARC reporting tools to identify authentication failures and unauthorized sending sources.
- Test Deliverability: Thoroughly test email deliverability after implementing changes to DMARC.
- Phased Rollout: Consider a gradual rollout, starting with 'p=none' before moving to 'p=quarantine' or 'p=reject'.
Marketer view
Email marketer from Mailjet shares that setting DMARC to quarantine instructs receiving mail servers to place non-compliant emails in the spam folder. This happens because the policy signals that the sender is serious about email security. To fix this, one must ensure that SPF and DKIM records are properly configured and aligned with the sending domain to pass DMARC authentication.
9 Jun 2024 - Mailjet
Marketer view
Email marketer from ReturnPath shares that DMARC helps protect your domain from spoofing and phishing attacks. However, a quarantine policy can negatively impact deliverability if not implemented correctly. They recommend a phased approach, starting with monitoring, then quarantining, and finally rejecting, after ensuring all legitimate email sources are properly authenticated.
18 Apr 2024 - ReturnPath
What the experts say
5 expert opinions
Changing DMARC policy to 'quarantine' can send legitimate emails to spam if not implemented correctly. This often stems from alignment issues, where SPF and DKIM records aren't in the same domain space as the visible 'From' address. A lack of understanding of all sending sources and misconfiguration of SPF/DKIM records are major contributors. DMARC reports are crucial for identifying failing mail streams. Experts recommend auditing all sending sources, ensuring SPF and DKIM alignment, and adopting a gradual approach to implementing DMARC, understanding the implications of each policy before publishing a DMARC record.
Key opinions
- Alignment Issues: Emails are likely failing DMARC due to SPF and DKIM not being aligned with the 'From' address domain.
- SPF/DKIM Configuration: SPF and DKIM domains MUST be the same as the visible 'From' domain. Incorrect configurations cause failures.
- DMARC Reports Importance: DMARC reports show failing mail streams that will go to spam with a 'quarantine' policy.
- Lack of Inventory: Failure to inventory email streams and identify sending services causes deliverability problems.
- Understanding Implications: Publishing DMARC without understanding its implications leads to problems.
Key considerations
- Address Alignment: Ensure SPF and DKIM domains align with the visible 'From' address.
- Review SPF/DKIM Setup: Carefully configure SPF and DKIM records for all sending sources.
- Analyze DMARC Reports: Regularly analyze DMARC reports to identify and address authentication failures.
- Audit Sending Sources: Audit all sending sources to ensure proper authentication.
- Gradual Implementation: Implement DMARC gradually to avoid deliverability issues.
Expert view
Expert from Word to the Wise explains that moving to a DMARC quarantine policy will cause email deliverability issues when not implemented correctly. If a company has not inventoried their email streams and doesn't know what services are sending email on their behalf, they will have deliverability issues. The fix is to audit all sending sources, ensure SPF and DKIM alignment, and then gradually move to a quarantine policy.
3 Jan 2022 - Word to the Wise
Expert view
Expert from Email Geeks explains the emails are likely failing DMARC because they are not aligned. It is not enough for DKIM and SPF to pass; they must be in the same domain space as the visible From: address.
11 Feb 2022 - Email Geeks
What the documentation says
4 technical articles
According to official documentation, implementing a 'quarantine' DMARC policy directs emails failing DMARC checks to the recipient's spam folder as a security measure. These failures frequently arise from SPF or DKIM misconfigurations, syntax errors in SPF records, or exceeding SPF lookup limits. Addressing these issues involves closely monitoring DMARC reports, analyzing aggregate reports to identify authentication failures, correcting SPF/DKIM configurations, checking DNS record accuracy, ensuring authorized sending domains, and verifying alignment between SPF/DKIM domains and the 'From' domain. Using SPF validation tools is also advised.
Key findings
- Quarantine Policy Impact: DMARC 'quarantine' directs failing emails to spam.
- SPF/DKIM Errors: SPF and DKIM misconfigurations are primary failure causes.
- SPF Record Issues: Incorrect SPF syntax and lookup limits lead to failures.
- DMARC Report Importance: DMARC reports are crucial for identifying failures.
- Alignment Requirement: SPF/DKIM domains must align with the 'From' domain.
Key considerations
- Monitor DMARC Reports: Actively monitor DMARC reports for failure analysis.
- Correct SPF/DKIM: Correct SPF and DKIM configurations based on report analysis.
- Check DNS Records: Verify DNS record accuracy for SPF, DKIM, and DMARC.
- Ensure Authorization: Ensure sending domains are authorized in SPF records.
- Verify Alignment: Verify proper alignment between SPF/DKIM and 'From' domains.
- Use Validation Tools: Employ SPF validation tools to check for errors.
Technical article
Documentation from RFC Editor, defining DMARC, states that the 'quarantine' policy advises mail receivers to treat messages that fail DMARC checks as suspicious. This typically results in the messages being placed in the recipient's junk mail folder, though the exact implementation is up to the receiver. To resolve issues, administrators should analyze DMARC aggregate reports to identify authentication failures and correct underlying SPF/DKIM configurations.
11 Feb 2024 - RFC Editor
Technical article
Documentation from AuthSMTP details that a DMARC failure leading to quarantine often stems from SPF or DKIM misconfigurations. They recommend checking DNS records for accuracy, verifying that the sending domain is authorized to send emails on behalf of the 'From' address, and ensuring alignment between SPF/DKIM domains and the 'From' domain.
1 Jan 2023 - AuthSMTP
Does DMARC guarantee emails will not be flagged as spam?
How can I implement a DMARC reject policy for non-existent domains to prevent spam?
How can I implement a strict DMARC policy without blocking Google Workspace emails?
How do DMARC policies and RUA/RUF settings inherit or override each other between a domain and its subdomains?
How do DMARC quarantine and reject policies affect sender reputation and email delivery?
How does DMARC impact email deliverability, and what are the pros and cons of using it?
