How to change DMARC records from none to quarantine for BIMI?

Key findings

• BIMI requirement: For BIMI to display, your DMARC policy must be set to either p=quarantine or p=reject, as p=none is not supported. This ensures that only authenticated emails from your domain will show your brand logo.
• Gradual enforcement: It is crucial not to rush the transition from p=none to an enforcing policy. Incremental changes, often using the pct tag, are recommended to minimize risks of legitimate email being misclassified.
• Authentication alignment: Before enforcing a DMARC policy, all legitimate email sending sources must have correctly aligned SPF and DKIM records. This ensures that emails from your domain pass DMARC checks, preventing them from being quarantined or rejected. Learn more about DMARC, SPF, and DKIM.
• Monitoring reports: Continuous monitoring of DMARC aggregate reports (RUA) and forensic reports (RUF) is essential to identify issues and ensure that your transition does not disrupt email delivery. These reports provide insights into your email ecosystem.
• Impact of quarantine: A p=quarantine policy instructs receiving mail servers to treat emails that fail DMARC checks with suspicion, often placing them in the spam or junk folder. This is a softer enforcement than p=reject, which blocks them entirely.

Key considerations

• Comprehensive analysis: Before changing your policy, analyze all email sending sources from your domain. Identify both authorized and unauthorized senders using DMARC aggregate reports to ensure compliance with your policy.
• Vendor compliance: Ensure that all third-party email vendors (like ESPs) support DMARC alignment for SPF and DKIM. If a vendor cannot align, consider switching to one that does, or excluding them from DMARC enforcement.
• Percentage rollout: Consider using the pct tag to gradually increase the percentage of emails subject to the quarantine policy. This allows for controlled testing and quick rollback if issues arise, as detailed by Iterable’s DMARC guide.
• Internal process updates: Update internal standard operating procedures (SOPs) to reflect the new DMARC policy and the importance of maintaining proper email authentication. You can learn more about switching DMARC configuration here.
• Ongoing validation: Even after the transition, continue to monitor your DMARC reports and periodically review your email sending infrastructure to ensure ongoing compliance and optimal deliverability.

Key opinions

• Similar process: Many marketers agree that the process for implementing BIMI or just deploying DMARC with an enforcing policy is largely the same, focusing on authentication and monitoring.
• Phased approach: It is generally advised to avoid rushing the transition from p=none to an enforcing policy, using gradual steps to prevent issues with legitimate mail.
• DMARC reports: Utilizing services that visualize DMARC reports is considered critical for easily identifying and resolving issues during the policy transition.
• No issues with reject: Some marketers have successfully moved directly to p=reject for BIMI without reported problems, suggesting that a strong policy can be adopted if authentication is solid.

Key considerations

• Review email sources: Marketers emphasize the need to review DMARC aggregate reports thoroughly to identify all email sources sending from your domain before making policy changes.
• Align authentication: Ensure that all identified email sources have properly aligned SPF and DKIM records to pass DMARC checks, or consider swapping out non-compliant vendors.
• Monitor closely: After changing the policy, continuous and close monitoring of DMARC reports is crucial to catch any unforeseen issues quickly. This helps prevent emails from being blocked or sent to spam.
• Internal SOPs: Updating internal standard operating procedures to reflect the use of DMARC helps maintain compliance and best practices over time.
• BIMI validation: Marketers find BIMI validation tools helpful to confirm their setup is correct and ready for BIMI display, such as the BIMI Group's validation page.

Key opinions

• Data-driven approach: Experts universally recommend relying on DMARC aggregate reports to understand email traffic patterns and authentication results before modifying policies.
• Prerequisite authentication: Ensuring proper SPF and DKIM alignment for all legitimate sending sources is a non-negotiable prerequisite for DMARC enforcement and BIMI. Issues here will cause deliverability problems.
• Gradual deployment: Phased rollouts using the pct tag are crucial to mitigate risks when moving from p=none to quarantine.
• Monitoring is key: Continuous vigilance through DMARC reporting tools allows for rapid detection and correction of issues, safeguarding deliverability. For more on this, read about understanding and troubleshooting DMARC reports.

Key considerations

• Thorough audit: Perform a comprehensive audit of all email sending applications and services for your domain. Ensure each can correctly authenticate with SPF and DKIM.
• Understand impact: Recognize that a quarantine policy can send failing emails to spam, which might impact legitimate campaigns if not properly set up. See why quarantine might send emails to spam.
• Leverage reporting tools: Invest in or utilize DMARC reporting solutions to gain actionable insights from aggregate and forensic reports, which are vital for troubleshooting and optimization.
• Avoid shortcuts: There are no shortcuts to a robust DMARC implementation. Each step, from initial data gathering to policy enforcement, requires diligent execution to achieve desired security and deliverability outcomes.

Key findings

• Enforcing policy required: BIMI explicitly requires a DMARC policy of p=quarantine or p=reject. The p=none policy is not sufficient for BIMI to function.
• Full authentication chain: Successful BIMI implementation hinges on authenticating all organizational emails with SPF, DKIM, and DMARC, ensuring all are aligned for proper validation.
• Quarantine action: A quarantine policy instructs receiving servers to place emails failing DMARC checks into spam or junk folders.
• Gradual adoption: The pct tag can be used to apply quarantine or reject policies to a percentage of mail, allowing for controlled rollout.

Key considerations

• Policy progression: Documentation suggests p=none is for testing, with a subsequent move to quarantine or reject as the ideal long-term policy.
• Report collection: The rua= (Report Email Address) tag is essential for receiving DMARC aggregate reports, which are vital for monitoring policy compliance.
• Verified Mark Certificate: Some mailbox providers may require a Verified Mark Certificate (VMC) in addition to the DMARC policy for BIMI display, adding another layer to the setup process. Learn more about BIMI FAQs for senders.
• Policy enforcement: The pct= tag, when set to 100, indicates that the enforced DMARC policy applies to all mail, signifying full policy activation.