What are the best practices for implementing a DMARC policy, and should you use reject or quarantine?

Key findings

• Gradual progression: It is best practice to transition DMARC policies gradually, moving from p=none to p=quarantine and then potentially to p=reject to avoid disrupting legitimate email traffic.
• Quarantine as an enforcing policy: The p=quarantine policy is considered an active enforcement policy, as it instructs receiving servers to treat non-aligned messages as suspicious, typically by moving them to spam folders.
• ISP variations: Some internet service providers (ISPs) may not differentiate significantly between p=quarantine and p=reject, effectively treating quarantined mail similar to rejected mail.
• Pct tag usage: The pct (percentage) tag can be used to apply a DMARC policy to only a subset of mail, allowing for testing and verification before full enforcement. However, some argue it can obscure the full impact.
• Monitoring is key: Continuous monitoring of DMARC reports is essential to ensure that legitimate email is passing authentication checks before advancing to stricter policies like p=reject.

Key considerations

• Risk of legitimate mail loss: Jumping directly to p=reject without proper preparation can result in legitimate emails being blocked or sent to spam, leading to significant deliverability issues. To learn more, read our article on key considerations and challenges for DMARC implementation.
• Ensuring alignment: Before implementing an enforcing policy, verify that all legitimate email sending sources (including third-party services) are correctly configured with SPF and DKIM and achieve DMARC alignment.
• Patience in deployment: A deliberate and measured approach, allowing time for data collection and analysis at each stage (from p=none to p=quarantine), is crucial for successful DMARC implementation without unintended consequences. You can read more about how to safely transition your DMARC policy.
• Understanding local policies: Mailbox providers (MBPs) may have their own internal policies that can override your requested DMARC policy. This means a p=reject policy might still result in quarantined emails at certain providers. You can review Mailgun's DMARC guide for more insights.

Key opinions

• Start with quarantine: Many marketers advise beginning with p=quarantine as the first enforcement step, allowing for rapid progression to p=reject if no issues are found. You can read more about when to use each DMARC policy.
• Cautious progression: Marketers frequently recommend staying at p=none (monitoring only) until absolutely certain that implementing an enforcing policy will not break legitimate email flows.
• Percentage options: While some suggest using the pct tag to gradually apply the policy, others caution that it can hide the true impact if not carefully monitored and increased.
• Quarantine is not weak: Marketers agree that p=quarantine is an active enforcement policy, not a weaker form, and many ISPs do not always distinguish between quarantine and reject.

Key considerations

• Monitoring DMARC reports: It is crucial to continuously monitor DMARC reports to identify all legitimate email sending sources and ensure they pass authentication before moving to a stricter policy. Neglecting this step can lead to significant deliverability issues.
• Avoiding hasty deployment: The consensus is that there's no need to rush DMARC implementation. A slower, more deliberate rollout minimizes risks and helps confirm that legitimate emails are not accidentally blocked. For a step-by-step approach, consider our guide on simple DMARC examples for starting with p=none.
• Identifying all senders: Ensure every system that sends email on behalf of your domain is properly configured for SPF and DKIM. This includes marketing platforms, transactional email services, and internal systems. You can read more about this on Email on Acid's blog.

Key opinions

• Phased deployment is crucial: Experts strongly advise a phased deployment, beginning with p=none and carefully moving through p=quarantine before considering p=reject. To delve deeper, refer to our article on best practices for setting DMARC policy, particularly p=reject.
• Reject is the goal, not the start: While p=reject is the most secure DMARC policy for combating spoofing, it should only be implemented after thorough testing and validation of all legitimate sending sources.
• Monitoring DMARC reports is non-negotiable: Effective DMARC implementation hinges on diligent monitoring of DMARC aggregate and forensic reports to identify unaligned legitimate mail and potential spoofing attempts.
• Importance of SPF and DKIM: DMARC relies on SPF and DKIM for authentication. Experts stress the importance of ensuring these foundational protocols are correctly implemented and aligned before progressing to DMARC enforcement.

Key considerations

• Thorough source identification: Before any enforcement, a complete inventory of all legitimate sending sources for your domain is essential. Missing even one can lead to legitimate emails being quarantined or rejected once an enforcing policy is active. You can learn more about how DMARC works with SPF and DKIM.
• Understanding impact of pct: While the pct tag offers granular control, experts caution against its prolonged use at low percentages without consistent monitoring, as it might delay the discovery of configuration issues impacting a broader audience. Consult DuoCircle's guide for more on advancing DMARC policies.
• No rush to reject: Experts universally advise against rushing to p=reject, as the primary goal is secure and reliable email delivery, not just strict policy enforcement at the expense of legitimate mail.

Key findings

• Systematic progression: Documentation outlines a standard DMARC adoption path: begin with p=none for monitoring, then transition to p=quarantine, and finally, once confident, deploy p=reject. To understand the comprehensive approach, read our guide on DMARC, SPF, and DKIM.
• Reject as the end goal: While p=quarantine is a strong initial enforcement, p=reject is presented as the optimal policy for full protection against email spoofing and brand abuse.
• Prerequisites: DMARC functionality relies on proper SPF and DKIM setup. Documentation consistently states that these underlying authentication methods must be configured and aligned for DMARC to be effective.
• Improved deliverability and trust: Implementing stricter DMARC policies (like p=quarantine or p=reject) is cited as a direct path to improved email deliverability and increased trust in your domain. For further reading, see the benefits of implementing DMARC on our site.

Key considerations

• Validate mail flows: Before any move to quarantine or reject, documentation emphasizes the necessity of confirming that all your legitimate messages are delivering and fully passing DMARC checks. For example, Resend's DMARC documentation provides insight.
• Comprehensive understanding of DMARC records: Familiarity with DMARC record configuration and the meaning of various tags (e.g., p, pct, rua) is critical for successful implementation and troubleshooting.
• Risk of partial policy impact: Documentation often notes that using the pct tag can lead to a policy only affecting a percentage of mail, potentially hiding issues that would arise at 100% enforcement.