How to implement DMARC p=reject policy safely, especially when using ESPs like Mailchimp and GetResponse?
Summary
What email marketers say (9 marketer opinions)
Email marketer from Email Geeks shares they start with `p=quarantine` for 2-3 weeks before moving to `p=reject`.
Email marketer from Email Geeks says if the mail is from Mailchimp, SPF will never align because Mailchimp uses their domain in the return path.
Email marketer from StackOverflow recommends implementing the reject policy slowly by starting with a low percentage (`pct=`), then increasing it gradually while monitoring DMARC reports.
Email marketer from Mailjet Blog highlights the importance of SPF and DKIM alignment when using DMARC with ESPs. They recommend ensuring that the ESP's sending domain is properly authorized in your SPF record or that DKIM signatures are correctly configured to align with your domain. Regular monitoring of DMARC reports is crucial to identify and address any authentication failures.
Email marketer u/email_expert from Reddit notes that when using ESPs like Mailchimp or GetResponse, SPF alignment can be tricky. Since these ESPs often use their own sending domains, achieving SPF alignment requires careful configuration and may involve using custom return-path settings or dedicated IPs.
Email marketer from EasyDMARC suggests moving to reject only after DKIM and SPF have passed on all legitimate emails, and all emails have been monitored and analyzed.
Email marketer from SparkPost Blog underscores the value of DMARC reporting in identifying and addressing authentication failures. They suggest using DMARC reporting tools to gain insights into email traffic and identify any misconfigurations or unauthorized sending sources before implementing `p=reject`.
Email marketer from Sendinblue Blog recommends starting with `p=none` and carefully analyzing DMARC reports to identify legitimate sending sources and authentication issues. They also advise working closely with ESPs to ensure SPF and DKIM are correctly configured to achieve alignment.
Email marketer from AuthSMTP Forum advises setting up SPF records properly, including all your sending sources (including ESPs), to ensure emails pass SPF checks. Also recommends double-checking the syntax of your SPF record, as errors can cause SPF failures, even if your sending sources are correctly listed.
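The alignment problem the marketers above describe is mechanical: DMARC compares the RFC5322.From domain against the SPF-authenticated MAIL FROM (Return-Path) domain and against the d= domain of each passing DKIM signature, and either one aligning is enough. The following checker is an added example, not code from the thread or from any ESP; the ESP return-path domain `bounce.esp-mail.example.net` is constructed, and organizational domains are approximated by the last two labels (a real receiver uses the Public Suffix List).

```python
"""DMARC identifier-alignment checker (added example, not from the original thread)."""
from dataclasses import dataclass, field


def org_domain(domain: str) -> str:
    # Simplification/assumption: last two labels stand in for the organizational
    # domain. Real receivers consult the Public Suffix List (co.uk etc.).
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    # mode "s" = strict (exact match), "r" = relaxed (same organizational domain),
    # mirroring the adkim= / aspf= tags of a DMARC record.
    a, b = from_domain.lower().strip("."), auth_domain.lower().strip(".")
    return a == b if mode == "s" else org_domain(a) == org_domain(b)


@dataclass
class AuthResults:
    header_from: str                      # RFC5322.From domain
    spf_domain: str                       # MAIL FROM domain SPF was evaluated against
    spf_result: str                       # "pass", "fail", "none", ...
    dkim: list = field(default_factory=list)  # [(d= domain, result), ...]


def dmarc_evaluate(r: AuthResults, aspf: str = "r", adkim: str = "r") -> dict:
    """Return which identifiers aligned and the resulting DMARC verdict."""
    spf_ok = r.spf_result == "pass" and aligned(r.header_from, r.spf_domain, aspf)
    dkim_ok = any(res == "pass" and aligned(r.header_from, d, adkim) for d, res in r.dkim)
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok, "dmarc_pass": spf_ok or dkim_ok}


# Constructed scenarios for an ESP that uses its own bounce domain in the Return-Path.
ESP_BOUNCE = "bounce.esp-mail.example.net"

def esp_with_custom_dkim() -> dict:
    # ESP signs with YOUR domain (custom DKIM / authenticated domain): DKIM aligns.
    return dmarc_evaluate(AuthResults("example.com", ESP_BOUNCE, "pass",
                                      [("example.com", "pass")]))

def esp_default_dkim() -> dict:
    # ESP signs with ITS domain and SPF passes for ITS domain: nothing aligns.
    return dmarc_evaluate(AuthResults("example.com", ESP_BOUNCE, "pass",
                                      [("esp-mail.example.net", "pass")]))

def esp_custom_return_path(aspf: str) -> dict:
    # ESP configured with a custom return-path subdomain: aligns only in relaxed mode.
    return dmarc_evaluate(AuthResults("example.com", "bounce.example.com", "pass", []),
                          aspf=aspf)


if __name__ == "__main__":
    for name, fn in [("custom DKIM", esp_with_custom_dkim), ("default DKIM", esp_default_dkim)]:
        print(f"{name}: {fn()}")
    print("custom return-path, aspf=r:", esp_custom_return_path("r"))
    print("custom return-path, aspf=s:", esp_custom_return_path("s"))
```

The first scenario is the safe ESP setup: SPF passes but does not align (the Return-Path belongs to the ESP), and the DKIM signature with d= equal to your domain carries the DMARC verdict on its own. The second shows the default setup that `p=reject` would block, which is why a thread participant says to verify DKIM alignment in the reports before enforcing.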
What the experts say (8 expert opinions)
Expert from Word to the Wise, Laura Atkins, emphasizes starting with a `p=none` policy to gather data, then moving to `p=quarantine` and eventually `p=reject` once you are confident in your DMARC configuration.
Expert from Email Geeks suspects the SPF alignment issue arises because the mail is sent through an ESP, which uses its own Mail From domain. For Mailchimp, SPF alignment isn't possible. For GetResponse, it might be possible, but requires contacting support.
Expert from Email Geeks, Laura Atkins, explains there are factors beyond your control that could break DKIM signatures after the mail leaves your server. Expert from Email Geeks, Steve Atkins, adds that it's rare in 2021 for a delivery path to break DKIM without also breaking SPF.
Expert from Email Geeks explains that if DKIM is aligned and passing consistently, it's generally safe to move to `p=reject`. He recommends looking into why SPF isn't aligned, but it shouldn't prevent moving forward.
Expert from Email Geeks recommends focusing on the DMARC compliance statistic to see which messages are failing and fixing their configuration before moving forward. Also advises against relying solely on GPT (Google Postmaster Tools) and to look at the actual DMARC reports.
Expert from Email Geeks explains that GPT (Google Postmaster Tools) only shows data Google sees. To get a broader view, one should observe what a variety of different recipient mailbox providers are seeing.
Expert from Spam Resource, Dennis Dayman, emphasizes DMARC implementation in phases, including monitoring, quarantining, and then rejection. He highlights the importance of monitoring to fully understand your email streams, as well as third party streams, to ensure legitimate mail is not impacted.
Expert from Email Geeks says BIMI is a good reason for DMARC enforcement. Suggests using `pct=` to enforce on a fraction of the mailstream initially or watching DMARC reports for a few weeks on `p=quarantine` before moving to `p=reject`. Highlights that DMARC reports offer partial coverage and moving beyond `p=none` could discard legitimate mail, even with 100% positive reports.
What the documentation says (4 technical articles)
Documentation from Google Workspace Admin Help explains the `p=reject` policy instructs recipient servers to reject emails that fail DMARC authentication. They emphasize the importance of thorough testing and monitoring before implementing this policy to avoid unintended consequences, such as blocking legitimate emails.
Documentation from Microsoft details that DMARC `p=reject` is the strictest policy, advising it only be implemented after careful monitoring and testing. They also recommend working closely with ESPs to ensure proper SPF and DKIM configuration to avoid legitimate emails being blocked.
Documentation from RFC 7489 explains the importance of correctly implementing DMARC, SPF and DKIM for mail authentication and reporting. The best way to implement reject safely is through reporting and incremental adoption.
Documentation from DMARC.org advises a phased approach to DMARC implementation, starting with `p=none` to monitor email traffic and identify legitimate sources, then moving to `p=quarantine` before finally implementing `p=reject`. This allows organizations to identify and correct any authentication issues before enforcing a strict reject policy.
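Both the experts (look at the actual DMARC reports and the compliance statistic, use `pct=` to enforce on a fraction first) and the documentation (none, then quarantine, then reject) describe the same loop: parse aggregate reports, separate failures from sources you own from failures from sources you do not, and advance the policy only when your own sources are clean. The script below is an added example, not code from any of the cited sources; the aggregate report XML, the IP addresses and the `KNOWN_SOURCES` inventory are constructed, and the rollout ladder is one reasonable staging, not a standard.

```python
"""Aggregate-report triage and phased DMARC rollout (added example, constructed data)."""
import xml.etree.ElementTree as ET

# Constructed RFC 7489 aggregate report: not a real report from any provider.
SAMPLE_REPORT = """<?xml version="1.0" encoding="UTF-8"?>
<feedback>
  <report_metadata><org_name>receiver.example</org_name><report_id>constructed-1</report_id></report_metadata>
  <policy_published><domain>example.com</domain><adkim>r</adkim><aspf>r</aspf><p>none</p><pct>100</pct></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>bounce.esp-mail.example.net</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>192.0.2.11</source_ip><count>15</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>esp-mail.example.net</domain><result>pass</result></dkim>
      <spf><domain>bounce.esp-mail.example.net</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.5</source_ip><count>40</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>example.com</domain><result>fail</result></spf></auth_results>
  </record>
</feedback>
"""

# Hypothetical inventory of IPs you own or have delegated to an ESP.
KNOWN_SOURCES = {"192.0.2.10", "192.0.2.11"}

# One staging ladder: pct= only has an effect once p is quarantine or reject.
LADDER = [("none", 100), ("quarantine", 25), ("quarantine", 100), ("reject", 25), ("reject", 100)]


def parse_report(xml_text: str) -> list:
    """One dict per <record>; <policy_evaluated> carries the *aligned* SPF/DKIM results."""
    rows = []
    for rec in ET.fromstring(xml_text).findall("record"):
        row = rec.find("row")
        pe = row.find("policy_evaluated")
        dkim_ok = pe.findtext("dkim") == "pass"
        spf_ok = pe.findtext("spf") == "pass"
        rows.append({
            "source_ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "dkim_aligned": dkim_ok,
            "spf_aligned": spf_ok,
            "dmarc_pass": dkim_ok or spf_ok,
            # Raw (unaligned) identities: these tell you *why* a source fails.
            "dkim_domains": [d.findtext("domain") for d in rec.findall("auth_results/dkim")],
            "spf_domain": rec.findtext("auth_results/spf/domain"),
        })
    return rows


def summarize(rows: list, known_sources: set) -> dict:
    """Split failing volume into 'ours, needs fixing' and 'not ours'."""
    s = {"total": 0, "pass": 0, "known_fail": 0, "unknown_fail": 0, "known_failing_sources": []}
    for r in rows:
        s["total"] += r["count"]
        if r["dmarc_pass"]:
            s["pass"] += r["count"]
        elif r["source_ip"] in known_sources:
            s["known_fail"] += r["count"]
            s["known_failing_sources"].append(r["source_ip"])
        else:
            s["unknown_fail"] += r["count"]
    return s


def next_policy(current: tuple, summary: dict) -> tuple:
    """Advance one rung only when no source you own is still failing."""
    if summary["known_fail"] or current not in LADDER:
        return current
    idx = LADDER.index(current)
    return LADDER[min(idx + 1, len(LADDER) - 1)]


def dmarc_txt(policy: tuple, rua: str = "mailto:dmarc-rua@example.com") -> str:
    # rua address is a placeholder; point it at your report collector.
    p, pct = policy
    return f"v=DMARC1; p={p}; pct={pct}; adkim=r; aspf=r; rua={rua}"


if __name__ == "__main__":
    rows = parse_report(SAMPLE_REPORT)
    summary = summarize(rows, KNOWN_SOURCES)
    print(summary)
    for r in rows:
        if not r["dmarc_pass"]:
            print(f"{r['source_ip']}: dkim d={r['dkim_domains']} spf mfrom={r['spf_domain']}")
    print("next:", dmarc_txt(next_policy(("none", 100), summary)))
```

Run against the constructed report, `192.0.2.11` is flagged as a known source whose DKIM signature uses the ESP's own domain, so the policy stays at `p=none` until that is fixed; the 40 messages from `203.0.113.5` are not yours and are exactly what enforcement is meant to stop. Two caveats from the thread apply to the `pct=` rung: when a receiver samples a message out under `pct<100`, RFC 7489 has it apply the next less severe policy (`reject` behaves as `quarantine`, `quarantine` as `none`), and aggregate reports only cover receivers that send them, so a clean report set is strong evidence, not proof, that no legitimate stream will be affected.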