How to implement DMARC p=reject policy safely, especially when using ESPs like Mailchimp and GetResponse?

Summary

Safely implementing a DMARC `p=reject` policy, especially when using ESPs like Mailchimp and GetResponse, involves careful planning and a phased approach. A common recommendation is to begin with `p=none` to monitor email traffic, identify legitimate sources, and address any authentication issues, then transition to `p=quarantine` before fully implementing `p=reject`. Because ESPs often use their own Mail From domains, SPF alignment can be tricky, which makes DKIM alignment critical. Regular monitoring of DMARC reports is essential for identifying authentication failures, and that monitoring should look broader than Google Postmaster Tools (PMT) alone. Enforcement should only begin after DKIM and SPF pass on all legitimate email. Bear in mind that external factors can break DKIM signatures in transit, and collaborate with ESPs to ensure SPF and DKIM alignment. Incremental adoption is also a good way to test.

Key findings

  • DKIM Alignment Importance: If DKIM is aligned and passing consistently, it's generally safe to consider moving to `p=reject`, even if SPF alignment is challenging.
  • ESP SPF Challenges: Achieving SPF alignment can be difficult with ESPs like Mailchimp and GetResponse due to their use of their own sending domains.
  • Phased Implementation: A phased approach, starting with `p=none`, then `p=quarantine`, and finally `p=reject`, is crucial for a safe DMARC implementation.
  • DMARC Reporting is Essential: Regular DMARC reporting is vital for identifying authentication failures and misconfigurations, and it should draw on insights from multiple providers, not just Google Postmaster Tools (PMT).

Key considerations

  • Monitor Reports: Continuously monitor DMARC reports to identify and address authentication failures before implementing `p=reject`.
  • Proper Configuration: Carefully configure SPF and DKIM records, ensuring all legitimate sending sources are included.
  • Collaboration with ESPs: Work closely with ESPs to ensure proper SPF and DKIM alignment.
  • Gradual Implementation: Consider a gradual rollout of the `p=reject` policy, starting with a small percentage of emails.
  • Incremental Adoption: Adopt an incremental approach to implementation through constant testing and monitoring.
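To make the alignment rules above concrete, here is an added example (not code from the page or from any ESP) that evaluates one message's DMARC outcome and the effect of `pct=` on enforcement. The domains (`example.com`, `bounce.esp.example`) and DMARC record strings are constructed, and the organizational-domain lookup is simplified to the last two labels instead of the Public Suffix List.

```python
"""Added example (not code from the page or any ESP): DMARC alignment checker.

Models RFC 7489 identifier alignment. The RFC5322.From domain must align with
the SPF-checked MAIL FROM domain or with the d= domain of a passing DKIM
signature; either one is enough. All domains below are constructed samples.
"""

def org_domain(domain: str) -> str:
    # Simplified organizational domain: the last two labels. A real evaluator
    # consults the Public Suffix List (assumption made here for brevity).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    # mode "s" (strict) needs an exact match; "r" (relaxed) the same org domain.
    a, b = from_domain.lower().rstrip("."), auth_domain.lower().rstrip(".")
    return a == b if mode == "s" else org_domain(a) == org_domain(b)

def parse_dmarc(txt: str) -> dict:
    # "v=DMARC1; p=reject; pct=25; adkim=r" -> tag dict with RFC defaults.
    tags = {"p": "none", "pct": "100", "adkim": "r", "aspf": "r"}
    for part in txt.split(";"):
        if "=" in part:
            key, val = part.strip().split("=", 1)
            tags[key.strip()] = val.strip()
    return tags

def dmarc_result(record: str, from_domain: str, spf_pass: bool, mail_from: str,
                 dkim_pass: bool, dkim_d: str) -> dict:
    # Typical ESP case: MAIL FROM is the ESP's bounce domain, so SPF may pass
    # but cannot align; an aligned DKIM d= still yields a DMARC pass.
    tags = parse_dmarc(record)
    spf_ok = spf_pass and aligned(from_domain, mail_from, tags["aspf"])
    dkim_ok = dkim_pass and aligned(from_domain, dkim_d, tags["adkim"])
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc_pass": spf_ok or dkim_ok,
            "policy": tags["p"], "pct": int(tags["pct"])}

def applied_policy(policy: str, pct: int, sample: int) -> str:
    # RFC 7489 6.6.4: pct applies p to that share of failing mail; the rest get
    # the next weaker policy (reject -> quarantine, quarantine -> none).
    # `sample` is a 0-99 value the receiver draws per message.
    if sample < pct:
        return policy
    return {"reject": "quarantine", "quarantine": "none"}.get(policy, "none")
```

Run `dmarc_result("v=DMARC1; p=reject", "example.com", True, "bounce.esp.example", True, "example.com")` to see the Mailchimp-style case: SPF passes but does not align, DKIM aligns, DMARC passes.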

What email marketers say
9 marketer opinions

Safely implementing a DMARC `p=reject` policy, especially with ESPs like Mailchimp and GetResponse, requires careful planning and monitoring. SPF alignment can be challenging with ESPs because they often use their own sending domains. A phased approach is recommended, starting with `p=none` to monitor traffic and identify legitimate sources, progressing to `p=quarantine`, and finally to `p=reject`. DMARC reporting tools are crucial for identifying authentication failures and misconfigurations. Working closely with ESPs to configure SPF and DKIM correctly is essential. Gradually increasing the `p=reject` percentage while monitoring reports provides a controlled rollout. Implementation should only occur after DKIM and SPF are passing for all legitimate emails.

Key opinions

  • SPF Alignment Challenges: SPF alignment can be difficult with ESPs like Mailchimp because they use their own sending domains.
  • Phased Implementation: A phased DMARC implementation is crucial for safety, progressing from `p=none` to `p=quarantine` to `p=reject`.
  • DMARC Reporting Importance: DMARC reporting tools provide essential insights into authentication failures and misconfigurations.
  • Collaboration with ESPs: Working closely with ESPs is necessary to ensure correct SPF and DKIM configurations.

Key considerations

  • Monitor DMARC Reports: Regularly monitor DMARC reports to identify and address authentication failures before enforcing the `p=reject` policy.
  • Proper SPF Configuration: Ensure your SPF records include all sending sources, including ESPs, and double-check the syntax for errors.
  • Gradual Rollout: Consider a gradual rollout of the `p=reject` policy, starting with a small percentage of emails and increasing it over time.
  • DKIM and SPF Passing: Only implement `p=reject` after confirming that DKIM and SPF are passing for all legitimate emails.
  • Analyze Mail Flow: Analyze mail flow to fully understand all email streams, both internal and external.

Marketer view

Email marketer from Email Geeks shares they start with `p=quarantine` for 2-3 weeks before moving to `p=reject`.

February 2025 - Email Geeks
Marketer view

Email marketer from Email Geeks says if the mail is from Mailchimp, SPF will never align because Mailchimp uses their domain in the return path.

September 2022 - Email Geeks
Marketer view

Email marketer from StackOverflow user recommends slowly implementing the reject policy by starting with a low percentage. They also said to increase it gradually while monitoring DMARC reports.

November 2023 - StackOverflow
Marketer view

Email marketer from Mailjet Blog highlights the importance of SPF and DKIM alignment when using DMARC with ESPs. They recommend ensuring that the ESP's sending domain is properly authorized in your SPF record or that DKIM signatures are correctly configured to align with your domain. Regular monitoring of DMARC reports is crucial to identify and address any authentication failures.

January 2024 - Mailjet Blog
Marketer view

Email marketer from Reddit user u/email_expert notes that when using ESPs like Mailchimp or GetResponse, SPF alignment can be tricky. Since these ESPs often use their own sending domains, achieving SPF alignment requires careful configuration and may involve using custom return-path settings or dedicated IPs.

March 2022 - Reddit
Marketer view

Email marketer from EasyDMARC suggests moving to reject only after DKIM and SPF have passed on all legitimate emails, and all emails have been monitored and analyzed.

September 2024 - EasyDMARC
Marketer view

Email marketer from SparkPost Blog underscores the value of DMARC reporting in identifying and addressing authentication failures. They suggest using DMARC reporting tools to gain insights into email traffic and identify any misconfigurations or unauthorized sending sources before implementing `p=reject`.

May 2023 - SparkPost Blog
Marketer view

Email marketer from Sendinblue Blog recommends starting with `p=none` and carefully analyzing DMARC reports to identify legitimate sending sources and authentication issues. They also advise working closely with ESPs to ensure SPF and DKIM are correctly configured to achieve alignment.

July 2022 - Sendinblue Blog
Marketer view

Email marketer from AuthSMTP Forum advises setting up SPF records properly, including all your sending sources (including ESPs), to ensure emails pass SPF checks. Also recommends double-checking the syntax of your SPF record, as errors can cause SPF failures, even if your sending sources are correctly listed.

June 2021 - AuthSMTP Forum

What the experts say
8 expert opinions

Implementing DMARC `p=reject` safely, particularly when using ESPs like Mailchimp and GetResponse, requires a strategic and phased approach. Although DKIM alignment is often sufficient, SPF alignment issues with ESPs, caused by their use of separate sending domains, need careful attention. Starting with `p=none` to gather data and understand email streams is crucial, followed by a move to `p=quarantine` before fully implementing `p=reject`. DMARC reports are vital for monitoring and identifying authentication failures. Beyond Google Postmaster Tools (PMT), a broader view across recipient providers is needed. External factors can unexpectedly break DKIM signatures in transit. A gradual implementation using `pct=` can mitigate risks. A thorough understanding of both internal and third-party email streams is necessary to prevent the rejection of legitimate emails.

Key opinions

  • DKIM Alignment Importance: While SPF alignment can be challenging with ESPs, consistent DKIM alignment is a good starting point for implementing `p=reject`.
  • ESP SPF Challenges: ESPs often use their own Mail From domains, making SPF alignment complex and sometimes impossible (e.g., Mailchimp).
  • Phased Approach: A phased implementation is essential, starting with `p=none` for data collection, then `p=quarantine`, before moving to `p=reject`.
  • DMARC Reporting is Crucial: Regular DMARC reports are vital for identifying authentication failures and misconfigurations, and should draw on views from multiple recipient providers, not just Google.

Key considerations

  • Monitor Authentication: Closely monitor DMARC reports to identify and address authentication issues before implementing `p=reject`.
  • Understand Email Streams: Thoroughly understand both internal and third-party email streams to ensure legitimate emails are not impacted by the reject policy.
  • Assess External Factors: Be aware that external factors beyond your control can potentially break DKIM signatures in transit.
  • Gradual Implementation: Consider using `pct=` to implement the `p=reject` policy gradually, monitoring reports closely.
  • Monitor DMARC Compliance: Focus on the DMARC compliance statistic and identify misconfigurations before moving forward.
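The compliance statistic the experts point to comes from aggregate (`rua`) reports, so here is an added example (not code from the page or any provider) that summarises one such report per sending source and lists the sources that would be rejected under `p=reject`. `SAMPLE_RUA` is a constructed report in the RFC 7489 Appendix C layout, with made-up IPs and domains; `defusedxml` is mentioned as an assumed hardening option, not used.

```python
"""Added example (not code from the page): summarise a DMARC aggregate report.

Parses the RFC 7489 Appendix C rua XML layout and computes the compliance
statistic per sending source: messages where DKIM or SPF passed *and* aligned,
as recorded in <policy_evaluated>. SAMPLE_RUA is constructed sample data.
"""
import xml.etree.ElementTree as ET

SAMPLE_RUA = """<?xml version="1.0"?>
<feedback>
 <report_metadata><org_name>reporter.example</org_name></report_metadata>
 <policy_published><domain>example.com</domain><p>none</p></policy_published>
 <record>
  <row><source_ip>203.0.113.10</source_ip><count>120</count>
   <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim>
   <spf><domain>bounce.esp.example</domain><result>pass</result></spf></auth_results>
 </record>
 <record>
  <row><source_ip>198.51.100.7</source_ip><count>15</count>
   <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results><spf><domain>example.com</domain><result>softfail</result></spf></auth_results>
 </record>
</feedback>"""

def summarize(xml_text: str) -> dict:
    # Reports are mailed in by third parties, so treat the XML as untrusted:
    # ElementTree does not resolve external entities, but a hardened pipeline
    # would use defusedxml (assumed available) to also block entity expansion.
    root = ET.fromstring(xml_text)
    pub = root.find("policy_published")
    out = {"domain": pub.findtext("domain"), "policy": pub.findtext("p"),
           "total": 0, "compliant": 0, "sources": {}}
    for rec in root.findall("record"):
        row = rec.find("row")
        ip, n = row.findtext("source_ip"), int(row.findtext("count"))
        ev = row.find("policy_evaluated")
        ok = "pass" in (ev.findtext("dkim"), ev.findtext("spf"))  # aligned pass
        out["total"] += n
        out["compliant"] += n if ok else 0
        out["sources"][ip] = {"count": n, "compliant": ok,
                              "spf_domain": rec.findtext("auth_results/spf/domain"),
                              "dkim_domain": rec.findtext("auth_results/dkim/domain")}
    total = out["total"]
    out["compliance_pct"] = round(100 * out["compliant"] / total, 1) if total else 0.0
    # Sources that would be rejected once p=reject is published: investigate first.
    out["at_risk"] = [ip for ip, s in out["sources"].items() if not s["compliant"]]
    return out
```

In the sample, the ESP-style source (SPF domain `bounce.esp.example`, DKIM `d=example.com`) counts as compliant, while the unsigned source with a softfail is listed under `at_risk`.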

Expert view

Expert from Word to the Wise, Laura Atkins, emphasizes starting with a `p=none` policy to gather data. Then moving to `p=quarantine` and eventually `p=reject` once you are confident in your DMARC configuration.

May 2021 - Word to the Wise
Expert view

Expert from Email Geeks suspects the SPF alignment issue arises because the mail is sent through an ESP, which uses its own Mail From domain. For Mailchimp, SPF alignment isn't possible. For GetResponse, it might be possible, but requires contacting support.

September 2022 - Email Geeks
Expert view

Expert from Email Geeks, Laura Atkins, explains there are factors beyond your control that could break DKIM signatures after the mail leaves your server. Expert from Email Geeks, Steve Atkins, adds that it's rare in 2021 for a delivery path to break DKIM without also breaking SPF.

March 2025 - Email Geeks
Expert view

Expert from Email Geeks explains that if DKIM is aligned and passing consistently, it's generally safe to move to `p=reject`. He recommends looking into why SPF isn't aligned, but it shouldn't prevent moving forward.

October 2022 - Email Geeks
Expert view

Expert from Email Geeks recommends focusing on the DMARC compliance stat to see failing messages and configuring them before moving forward. Also advises against relying solely on GPT and to look at the actual DMARC reports.

March 2022 - Email Geeks
Expert view

Expert from Email Geeks explains that GPT only shows data Google sees. To get a broader view, one should observe what a variety of different recipient mailbox providers are seeing.

October 2024 - Email Geeks
Expert view

Expert from Spam Resource, Dennis Dayman, emphasizes DMARC implementation in phases, including monitoring, quarantining, and then rejection. He highlights the importance of monitoring to fully understand your email streams, as well as third party streams, to ensure legitimate mail is not impacted.

January 2023 - Spam Resource
Expert view

Expert from Email Geeks says BIMI is a good reason for DMARC enforcement. Suggests using `pct=` to enforce on a fraction of the mailstream initially or watching DMARC reports for a few weeks on `p=quarantine` before moving to `p=reject`. Highlights that DMARC reports offer partial coverage and moving beyond `p=none` could discard legitimate mail, even with 100% positive reports.

May 2024 - Email Geeks

What the documentation says
4 technical articles

Implementing DMARC `p=reject` safely requires careful planning and a phased approach. Documentation consistently emphasizes the importance of starting with a `p=none` policy to monitor email traffic, identify legitimate sending sources, and address authentication issues. Moving to `p=quarantine` before `p=reject` provides an additional layer of safety. Thorough testing, monitoring, and working closely with ESPs to ensure proper SPF and DKIM configuration are crucial to avoid unintended consequences, such as blocking legitimate emails. An incremental adoption through testing and monitoring is highly advised.

Key findings

  • Phased Implementation: A phased approach (`p=none` -> `p=quarantine` -> `p=reject`) is essential for a safe DMARC implementation.
  • Monitoring and Testing: Thorough monitoring and testing are necessary before implementing `p=reject` to prevent blocking legitimate emails.
  • Collaboration with ESPs: Working closely with ESPs is critical to ensure proper SPF and DKIM configuration.

Key considerations

  • Start with p=none: Begin with a `p=none` policy to monitor email traffic and identify legitimate sources.
  • Address Authentication Issues: Identify and correct any authentication issues before enforcing the `p=reject` policy.
  • Monitor Email Traffic: Continuously monitor email traffic after implementing DMARC to identify and address any unexpected issues.
  • Incremental Adoption: Employ incremental adoption through testing and monitoring for safe DMARC implementation.

Technical article

Documentation from Google Workspace Admin Help explains the `p=reject` policy instructs recipient servers to reject emails that fail DMARC authentication. They emphasize the importance of thorough testing and monitoring before implementing this policy to avoid unintended consequences, such as blocking legitimate emails.

January 2025 - Google Workspace Admin Help
Technical article

Documentation from Microsoft details that DMARC `p=reject` is the strictest policy, advising it only be implemented after careful monitoring and testing. They also recommend working closely with ESPs to ensure proper SPF and DKIM configuration to avoid legitimate emails being blocked.

October 2021 - Microsoft Documentation
Technical article

Documentation from RFC 7489 explains the importance of correctly implementing DMARC, SPF and DKIM for mail authentication and reporting. The best way to implement reject safely is through reporting and incremental adoption.

September 2021 - RFC Editor
Technical article

Documentation from DMARC.org advises a phased approach to DMARC implementation, starting with `p=none` to monitor email traffic and identify legitimate sources, then moving to `p=quarantine` before finally implementing `p=reject`. This allows organizations to identify and correct any authentication issues before enforcing a strict reject policy.

June 2024 - DMARC.org