Suped

Why did changing DMARC policy to quarantine send emails to spam, and how to fix it?

Summary

Changing a DMARC policy from 'none' to 'quarantine' (p=quarantine) often leads to legitimate emails being sent to the spam folder, particularly when underlying email authentication mechanisms are not perfectly aligned. This issue primarily stems from DMARC's enforcement actions, which instruct recipient mail servers to treat emails failing DMARC validation with increased scrutiny. When SPF (Sender Policy Framework) or DKIM (DomainKeys Identified Mail) records are not correctly set up, or if their domains do not align with the 'From' header domain, emails will fail DMARC authentication. A 'softfail' SPF record, combined with misalignment, signals to receiving mail servers that while an email might not be outright fraudulent, it also isn't fully authenticated, prompting a 'quarantine' action (moving to spam or junk).

Suped DMARC monitor
Free forever, no credit card required
Get started for free
Trusted by teams securing millions of inboxes
Company logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logo

What email marketers say

Email marketers often face immediate and visible deliverability issues when transitioning their DMARC policy to 'quarantine' without fully understanding the intricacies of DMARC alignment. Many assume that merely passing SPF and DKIM is sufficient, overlooking the critical alignment component that DMARC introduces. The abrupt shift can lead to legitimate emails, such as transactional messages, landing in spam folders, causing significant disruption and a quick reversion to a 'none' policy.

Marketer view

Email marketer from Email Geeks indicates that after they changed their DMARC policy to quarantine, emails from that domain immediately started going to the spam folder for their company accounts. This observation suggests a direct correlation between the policy change and the deliverability issue. They swiftly reverted the DMARC record back to 'none,' which then resolved the issue, confirming the policy change as the likely cause.

08 Apr 2020 - Email Geeks

Marketer view

An email marketer from a deliverability forum shared their experience, stating that without proper DMARC alignment, moving to a quarantine policy essentially self-sabotages deliverability. They highlighted the importance of having SPF and DKIM correctly configured and aligned with the visible 'From' domain. They emphasized that even if SPF and DKIM pass individually, a DMARC failure due to misalignment will still trigger the quarantine policy, sending emails to spam.

15 Jan 2023 - Deliverability Forum

What the experts say

Email deliverability experts consistently highlight that DMARC is a powerful protocol, but its implementation requires meticulous attention to detail, especially regarding SPF and DKIM alignment. They emphasize that simply passing SPF and DKIM authentication is insufficient for DMARC; true DMARC compliance hinges on the alignment of the authenticated domains with the email's 'From' header. Rushing to a 'quarantine' policy without verifying every legitimate email stream's alignment can lead to significant, self-inflicted deliverability issues, effectively 'shooting yourself in the deliverability'.

Expert view

Expert from Email Geeks (wise_laura) clarifies that emails are likely failing DMARC because they are not aligned, even if SPF and DKIM technically pass. She states it's not enough for SPF and DKIM to simply pass authentication; they must also be in the same domain space as the visible 'From' address for DMARC to be successful. This highlights the crucial distinction between authentication and alignment.

08 Apr 2020 - Email Geeks

Expert view

Expert from Word to the Wise warns that implementing DMARC, particularly moving to enforcement policies like quarantine or reject, carries the risk of self-inflicting deliverability problems. He emphasizes that DMARC is designed to reveal email streams that are not properly authenticated and aligned, which can surprise companies. This means that previously undiscovered misconfigurations or unauthorized sending sources will become apparent when a quarantine policy is put in place.

09 Sep 2017 - Word to the Wise

What the documentation says

Official DMARC documentation and related RFCs (Request for Comments) define how DMARC policies like 'quarantine' are intended to function and the underlying mechanisms of SPF and DKIM alignment. The documentation clarifies that DMARC's primary goal is to provide domain owners with a mechanism to protect their domain from unauthorized use (spoofing) by instructing receiving mail servers how to handle emails that fail authentication and alignment checks. It explicitly states the requirements for alignment, emphasizing that both SPF and DKIM must align with the 'From' header domain, not just pass individually.

Technical article

DMARC.org documentation explains that a DMARC policy of p=quarantine instructs recipient mail servers to accept emails that fail DMARC authentication, but place them into the recipient’s junk or spam folder. This policy is a step towards full enforcement and provides a safety net compared to outright rejection. It is intended to mitigate the risk of spoofing while allowing for further analysis by the recipient.

10 Mar 2023 - DMARC.org

Technical article

RFC 7489, which defines DMARC, clarifies that for an email to pass DMARC, it must pass either SPF or DKIM authentication, and the authenticated domain must align with the 'From' header domain. This alignment can be either 'relaxed' (matching organizational domains) or 'strict' (exact domain match). The RFC underscores that a failure in this alignment is a common reason for DMARC policy actions to be applied.

10 Mar 2015 - RFC 7489

8 resources

Start improving your email deliverability today

Get started