How to change DMARC records from none to quarantine for BIMI?
Matthew Whittaker
Co-founder & CTO, Suped
Published 19 Jun 2025
Updated 19 Aug 2025
Moving your DMARC policy from "none" to "quarantine" is a crucial step for strengthening your email security and, importantly, for enabling Brand Indicators for Message Identification (BIMI). While "p=none" allows you to monitor your email traffic without affecting delivery, BIMI requires an enforcing policy like "p=quarantine" or "p=reject" to display your brand logo in the inbox. This transition requires careful planning and monitoring to avoid legitimate emails being marked as spam or blocked outright.
Many organizations begin their DMARC journey with a "none" policy, gathering valuable insights from DMARC reports to understand their email ecosystem. This initial phase helps identify all legitimate sending sources and any unauthorized use of your domain. Before moving to an enforcement policy, it is essential to ensure all your legitimate email senders are properly authenticated with SPF and DKIM and that these protocols are aligned with your DMARC policy. Failing to do so can lead to deliverability issues once the policy is enforced.
The foundation of a successful DMARC policy transition relies on robust email authentication. SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) are the pillars that DMARC builds upon. SPF allows domain owners to specify which mail servers are authorized to send email on their behalf, while DKIM uses digital signatures to verify the sender's identity and ensure message integrity. Both must be correctly configured and, crucially, aligned with your DMARC domain.
Reviewing your DMARC aggregate reports (RUA reports) during the "p=none" phase is paramount. These reports provide a comprehensive overview of who is sending email using your domain, whether those emails pass SPF and DKIM, and if they align with your DMARC record. Pay close attention to any legitimate sending sources that are failing authentication or alignment. You cannot progress to an enforcing policy until these issues are resolved. Often, this means working with your email service providers (ESPs) or internal mail servers to ensure they are configured correctly.
If you encounter third-party email senders that do not support SPF or DKIM alignment, you may need to consider alternative vendors or adjust your sending practices. It's vital that all your authorized email traffic authenticates and aligns correctly. This diligent preparation prevents unintended mail delivery failures when you move to a "quarantine" policy, where receiving mail servers will take action on unauthenticated messages. You can learn more about how to set up DMARC records and reporting.
For a deeper understanding of the DMARC record, refer to a list of DMARC tags and their meanings. This can help you interpret your current record and plan your transition effectively.
Updating your DMARC record to quarantine
Once you are confident that all your legitimate email traffic is correctly authenticated and aligned, you can proceed with updating your DMARC record. The change involves modifying the "p=" tag in your DMARC DNS TXT record from "none" to "quarantine." This tells receiving mail servers to place emails that fail DMARC authentication into the recipient's spam or junk folder.
Here is an example of what your DMARC record might look like before and after the change:
The change itself is simple, but the impact can be significant. It is highly recommended to transition incrementally, especially for domains with large email volumes or complex sending infrastructures. You can use the "pct=" tag (percentage) in your DMARC record to enforce the policy gradually, starting with a small percentage and increasing it over time rather than enforcing the policy for all mail at once. This phased approach allows you to monitor DMARC reports for any unforeseen issues and adjust your configurations as needed. For more about this, consider reading about safely transitioning your DMARC policy.
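The record change and the "pct=" ramp described above, as an added example that is not code from the original article: it rewrites only the "p=" and "pct=" tags of an existing record and leaves the other tags untouched. The domain, the rua mailbox and the ramp percentages are assumptions chosen for illustration.

```python
# Added example (not from the article): edit the p= and pct= tags of a DMARC record.
ENFORCING = {"quarantine", "reject"}

# Constructed "before" record; example.com and the rua mailbox are placeholders.
BEFORE = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"

def parse_dmarc(txt):
    """Split a DMARC TXT value into an ordered tag dict; v=DMARC1 must come first."""
    tags = {}
    for pair in (p.strip() for p in txt.split(";")):
        if not pair:
            continue
        name, sep, value = pair.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {pair!r}")
        tags[name.strip().lower()] = value.strip()
    if next(iter(tags.items()), None) != ("v", "DMARC1"):
        raise ValueError("record must start with v=DMARC1")
    if tags.get("p", "").lower() not in ENFORCING | {"none"}:
        raise ValueError("missing or invalid p= tag")
    return tags

def is_enforcing(txt):
    """True for p=quarantine or p=reject, the policies the article says BIMI needs."""
    return parse_dmarc(txt)["p"].lower() in ENFORCING

def set_policy(txt, policy, pct=100):
    """Return the record with p= replaced and pct= set; other tags are kept as-is."""
    if policy not in ENFORCING | {"none"} or not 0 <= pct <= 100:
        raise ValueError("policy must be none/quarantine/reject and pct 0-100")
    tags = parse_dmarc(txt)
    tags["p"] = policy
    tags.pop("pct", None)
    if pct != 100:  # pct defaults to 100, so the tag is omitted at full enforcement
        tags["pct"] = str(pct)
    return "; ".join(f"{name}={value}" for name, value in tags.items())

if __name__ == "__main__":
    # The ramp percentages are illustrative assumptions, not values from the article.
    for step in (10, 50, 100):
        print(set_policy(BEFORE, "quarantine", step))
```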
Why "quarantine" is essential for BIMI and security
The primary reason many organizations shift to a "quarantine" policy is to meet the requirements for BIMI. BIMI allows you to display your brand's logo next to your authenticated emails in supported inboxes, enhancing brand recognition and trust. For BIMI to work, your DMARC policy must be set to either "p=quarantine" or "p=reject", as "p=none" is not sufficient.
Beyond BIMI, moving to "p=quarantine" significantly improves your domain's protection against phishing and spoofing. With a "none" policy, unauthenticated emails are still delivered to the inbox, making your brand vulnerable to impersonation. A "quarantine" policy tells receiving mail servers to treat unauthenticated emails as suspicious, moving them to the spam folder or holding them for further review. This proactive measure reduces the risk of your customers falling victim to malicious emails disguised as coming from your domain.
It also plays a role in improving your overall email deliverability and sender reputation. Mailbox providers, such as Google and Yahoo, increasingly favor domains with enforced DMARC policies, viewing them as more trustworthy. A strong DMARC policy signals to these providers that you are actively working to protect your domain and recipients from abuse, which can lead to better inbox placement and reduced chances of being caught by spam filters or even placed on an email blocklist (or blacklist).
Even after transitioning to a "quarantine" policy, continuous monitoring is non-negotiable. DMARC aggregate reports will continue to provide valuable data, allowing you to confirm that your legitimate emails are still being delivered as expected and that unauthenticated mail is being appropriately quarantined. Look for any unexpected spikes in DMARC failures or shifts in your email delivery rates. This ongoing vigilance helps you quickly identify and address any new issues that might arise, such as changes in your sending infrastructure or the introduction of new third-party senders.
Maintaining accurate and up-to-date documentation of your DMARC policy and email sending practices is also crucial. As your email ecosystem evolves, you may add new services or change existing ones. Regularly updating your internal Standard Operating Procedures (SOPs) ensures that everyone involved in email operations understands the DMARC requirements and how to maintain compliance. This proactive approach helps prevent future DMARC failures and ensures your BIMI logo continues to display reliably.
While "quarantine" is a strong policy, some organizations eventually aim for "p=reject" for the highest level of protection. This policy instructs receiving servers to outright reject emails that fail DMARC authentication, preventing them from even reaching the spam folder. However, moving to "reject" should only be considered after a long period of stable operation with a "quarantine" policy and with 100% confidence in your DMARC alignment and authentication across all legitimate sending sources. Learn more about the specific DMARC policy settings required for BIMI.
Final thoughts on your DMARC policy
Transitioning your DMARC policy from "none" to "quarantine" is a critical step for enhancing your email security posture and unlocking the visual benefits of BIMI. This process, while seemingly straightforward, demands meticulous preparation, continuous monitoring, and a deep understanding of your email sending ecosystem. By ensuring proper SPF and DKIM authentication, carefully analyzing DMARC reports, and incrementally enforcing your policy, you can successfully implement "p=quarantine" without disrupting your legitimate email flow. This move not only safeguards your brand from malicious spoofing and phishing attempts but also boosts your email deliverability and strengthens your brand's presence in the inbox.
Remember, the goal is to protect your domain and recipients while ensuring your legitimate communications always reach their intended audience. The journey from "none" to "quarantine" is an investment in your email deliverability and overall brand trust. For those seeking to enable BIMI, this transition is a non-negotiable requirement. For more information, you might find this BIMI implementation guide helpful.
Navigating the complexities of email authentication and deliverability can be challenging. Staying informed about best practices and leveraging tools for DMARC reporting and monitoring can make this process much smoother. Your commitment to a stronger DMARC policy ultimately strengthens your entire email presence.
Views from the trenches
Best practices
Review DMARC aggregate reports thoroughly to identify all legitimate sending sources for your domain.
Ensure all identified email sources consistently pass SPF and DKIM authentication with proper DMARC alignment.
Consider a phased rollout using the 'pct=' tag to gradually increase your DMARC enforcement percentage.
Monitor your DMARC reports daily after each policy change to quickly detect and resolve any issues.
Update internal documentation and SOPs to reflect the new DMARC policy and associated requirements.
Common pitfalls
Not thoroughly validating SPF and DKIM alignment for all legitimate senders before changing the policy.
Switching directly from p=none to p=quarantine without incremental testing, leading to email delivery disruptions.
Overlooking unaligned third-party senders that may fail DMARC once the policy is enforced.
Failing to continuously monitor DMARC reports after the policy change, missing potential deliverability issues.
Ignoring the 'fo=' tag, which defines how forensic reports are generated, impacting troubleshooting capabilities.
Expert tips
Use a DMARC reporting service to easily visualize and analyze your aggregate reports for clearer insights.
Prioritize fixing authentication and alignment issues for high-volume senders first to minimize impact.
Communicate proactively with stakeholders about the DMARC policy change and its potential impact.
Always maintain a backup of your previous DMARC record before making any changes to your DNS.
Consider engaging with your ESPs to ensure they fully support DMARC alignment for your sending domain.
Expert view
Expert from Email Geeks says implementing BIMI or an enforcing DMARC policy follows the same process, which involves reviewing DMARC aggregate reports to identify email sources and ensuring all sources have aligned SPF and DKIM. If some vendors don't support this, consider replacing them. Once aligned, switch over and closely monitor your reports for any problems, updating internal SOPs to reflect DMARC use.
2021-10-05 - Email Geeks
Marketer view
Marketer from Email Geeks says having a service to easily visualize DMARC reports is helpful, and it is critical not to rush from a p=none policy to an enforcing policy to avoid breaking legitimate mail.