Why did changing DMARC policy to quarantine send emails to spam, and how to fix it?

Key findings

• DMARC enforcement: A policy of p=quarantine instructs receiving mail servers to place emails failing DMARC authentication into the spam or junk folder.
• Alignment requirement: For DMARC to pass, either the SPF 'Return-Path' domain or the DKIM 'd=' tag domain must align with (be the same as, or a subdomain of) the 'From' header domain. If this alignment is missing, DMARC will fail, even if SPF and DKIM records technically pass.
• Softfail SPF: An SPF record at 'softfail' combined with DMARC's quarantine policy signals to mail servers that the email should be treated with suspicion if alignment also fails.
• Importance of DMARC reports: DMARC aggregate reports provide crucial visibility into which email streams are failing authentication and why, allowing senders to identify and correct issues before enforcing stricter policies.

Key considerations

• Pre-deployment analysis: Before switching to p=quarantine, it's essential to analyze DMARC reports (while on p=none) to ensure all legitimate email sources are correctly authenticating and aligning. This helps avoid unintended deliverability issues. Read more about when to use DMARC policies.
• Correcting SPF and DKIM: Ensure that all third-party sending services (ESPs, transactional email services, CRMs, etc.) are properly configured to send emails that pass both SPF and DKIM authentication and align with your 'From' domain. This often involves setting up custom DKIM keys and ensuring SPF records include all authorized sending IPs or domains.
• Understanding DMARC alignment: It's crucial to understand that SPF and DKIM can pass independently but still fail DMARC if their respective domains do not align with the 'From' domain. This is a common pitfall. A useful resource on this topic is Word to the Wise's DMARC primer.
• Iterative approach: Implementing DMARC (and transitioning to stricter policies) should be an iterative process, starting with p=none to gather data, then moving to p=quarantine gradually. Learn about safely transitioning your DMARC policy.

Key opinions

• Initial confusion: Marketers frequently report that emails suddenly go to spam right after changing to a p=quarantine policy, leading to quick reversions without full diagnosis.
• Lack of DMARC report monitoring: Many marketers do not actively monitor DMARC aggregate reports, which are essential for identifying authentication failures and correcting issues before enforcing policies.
• Misunderstanding alignment: There's a common misconception that if SPF and DKIM records technically pass, DMARC will automatically pass. The critical aspect of domain alignment is often overlooked.
• Impact on deliverability: Unprepared implementation of p=quarantine can lead to significant deliverability issues, affecting crucial email streams like billing or customer service communications.

Key considerations

• Educate clients: It's vital to educate clients and stakeholders about DMARC's full implications, including the alignment requirements, before any policy changes are made.
• Verify SPF and DKIM setup: Prioritize verifying that all sending sources have correctly configured SPF and DKIM records, and critically, that these are set up for domain alignment. This is crucial to diagnose email deliverability issues.
• Analyze DMARC reports thoroughly: Use DMARC reports to identify every mail stream that is failing authentication or alignment before transitioning to stricter policies. This helps reveal unknown sending sources or misconfigurations. You can learn more about this on Kinsta's DMARC fail guide.
• Phased DMARC rollout: Advocate for a gradual DMARC implementation, starting with p=none to gather data, then moving cautiously to p=quarantine, and finally to p=reject once all legitimate traffic is aligned. This minimizes the risk of emails being blocked or sent to spam.

Key opinions

• DMARC alignment is critical: Experts stress that DMARC failures, even when SPF and DKIM pass, are almost always due to misalignment between the authenticated domains and the visible 'From' header domain. This is the core reason for emails going to spam under a 'quarantine' policy.
• Monitor DMARC reports: Daily monitoring of DMARC aggregate reports is non-negotiable for identifying failing mail streams and diagnosing alignment issues. This data is invaluable for safe DMARC deployment.
• DMARC complexity: DMARC is acknowledged as a complex protocol that can easily break email deliverability if not implemented correctly and carefully. It requires a deep understanding of email authentication beyond basic SPF/DKIM setup.
• Comprehensive mail stream audit: Before enforcing p=quarantine, organizations must identify and configure every third-party service sending email on their behalf to ensure DMARC compliance.

Key considerations

• Identify all sending services: Use DMARC aggregate reports to discover all legitimate email sources sending on behalf of your domain. Many organizations are surprised by the number of services they unknowingly use that send emails.
• Configure SPF/DKIM for alignment: Work with each third-party sender to ensure their SPF and DKIM configurations enable DMARC alignment. This typically involves using custom domains for DKIM signing or ensuring the SPF 'Return-Path' matches your 'From' domain. This is essential for fixing DMARC authentication failures.
• Avoid premature enforcement: Do not transition to p=quarantine or p=reject until DMARC reports show nearly 100% compliance for all legitimate traffic. This iterative process is crucial for preventing critical email deliverability issues. Read more on Email on Acid's guide to DMARC policy.
• Seek expert help: For complex environments or if technical expertise is lacking, outsourcing DMARC implementation to specialized firms can prevent significant deliverability disruptions. DMARC is more than just a DNS record; it's a domain-wide policy.

Key findings

• DMARC policy 'quarantine': The 'quarantine' policy (p=quarantine) directs recipient mail servers to accept an email that fails DMARC authentication but place it into the recipient's junk or spam folder, or flag it suspiciously.
• Domain alignment explained: For SPF alignment, the 'Return-Path' (Mail From) domain must match the 'From' header domain. For DKIM alignment, the 'd=' (signing) domain must match the 'From' header domain. A DMARC record requires at least one of these to align and pass authentication.
• Default alignment modes: The default alignment mode for both SPF and DKIM under DMARC is 'relaxed', meaning only the organizational domain (e.g., example.com for sub.example.com) needs to match. 'Strict' alignment requires an exact match, including subdomains.
• DMARC reports (RUA/RUF): DMARC provides aggregate (RUA) and forensic (RUF) reports to domain owners. These reports detail authentication and alignment failures, allowing for comprehensive monitoring and diagnosis of issues across all mail streams. You can read more about the list of DMARC tags and their meanings.

Key considerations

• Policy application: DMARC policies apply to the organizational domain specified in the DMARC record and any subdomains, unless explicitly overridden. This broad application means that all email-sending services for the domain must comply.
• Pre-authentication is key: Before publishing a DMARC record, or moving to stricter policies, ensure that SPF and DKIM are fully implemented and passing for all legitimate email sources. This foundational work is critical.
• Understanding aggregate reports: Leverage DMARC aggregate reports to gain visibility into which emails are passing or failing DMARC, and which sending sources are responsible. These reports are XML files that require a parser or DMARC monitoring service to be easily readable. Learn more about understanding and troubleshooting DMARC reports.
• Iterative deployment: The RFC recommends starting with p=none to gather data, then gradually moving to p=quarantine, and finally p=reject after all legitimate sources are confirmed to align and authenticate properly. More information can be found in the DMARC RFC 7489.