When you're setting up DMARC (Domain-based Message Authentication, Reporting, and Conformance), you're essentially giving instructions to email providers like Gmail and Outlook on how to handle emails that claim to be from your domain. A core part of this setup is the DMARC policy, which dictates the action to be taken. If you want to allow emails to be delivered but flag the ones that fail authentication checks, the policy you're looking for is quarantine.
DMARC is a critical email authentication protocol that works alongside SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) to prevent email spoofing and phishing. It allows a domain owner to specify how unauthenticated mail should be handled, providing a layer of protection for your brand and your recipients.
Understanding the DMARC quarantine policy
The DMARC policy p=quarantine instructs receiving mail servers to treat emails that fail DMARC authentication with suspicion. Instead of outright rejecting them, these servers are encouraged to place the emails in a separate location, which is usually the recipient's spam or junk folder. This allows the email to still be delivered but isolates it from the primary inbox, effectively marking it as potentially malicious or unauthorized.
This policy strikes a balance. It protects recipients from potential phishing attacks without the immediate risk of blocking legitimate emails that may be failing authentication for technical reasons you haven't identified yet. It's a crucial intermediate step towards full DMARC enforcement.
How quarantine compares to other policies
To fully grasp the quarantine policy, it helps to compare it with the other two available DMARC policies: none and reject.
- p=none (Monitoring): This is often called a 'monitoring policy'. It tells receiving servers to take no specific action against emails that fail DMARC. The email is delivered to the inbox as usual. The primary purpose of this policy is to collect DMARC reports to see who is sending email on behalf of your domain. This allows you to monitor for email spoofing and identify legitimate email streams that need proper authentication.
- p=quarantine (Marking): As discussed, this policy asks for failing emails to be sent to the spam or junk folder. It's the ideal middle ground for senders who have analyzed their p=none reports and are ready to start protecting their domain without implementing the strictest policy.
- p=reject (Blocking): This is the most secure policy. It instructs receiving servers to completely reject any email that fails DMARC checks. The email will not be delivered to the inbox or the spam folder; it will bounce. This provides the strongest protection against spoofing but requires confidence that all your legitimate sending sources are correctly authenticated.
Why choose the quarantine policy?
Choosing p=quarantine is a strategic move in your DMARC implementation journey. After a period of monitoring with p=none, moving to p=quarantine allows you to begin enforcing your policy and actively protect against phishing attacks. This phased approach minimizes the risk of disrupting important email communications, such as transactional emails or marketing campaigns.
By quarantining suspicious emails, you can continue to analyze DMARC reports to see what is being flagged. If you notice legitimate mail being sent to spam, you can fix the underlying SPF or DKIM authentication issues before moving to a final p=reject policy. In summary, if your goal is to have suspicious emails marked and sent to spam while ensuring legitimate mail still gets through, p=quarantine is the correct DMARC policy to implement.
