What are the best practices for implementing a DMARC policy, and should you use reject or quarantine?

Summary

Implementing a DMARC policy effectively is a multi-stage process. Experts and documentation alike recommend starting with 'p=none' to monitor your mail streams and gather data. Next, transitioning to 'p=quarantine' directs non-aligned messages to spam folders, serving as an intermediate step. Finally, 'p=reject' offers maximum protection against spoofing but necessitates careful monitoring to prevent blocking legitimate emails. Ensure SPF and DKIM are correctly configured prior to DMARC implementation. The decision between 'reject' and 'quarantine' should be based on your risk tolerance and the maturity of your authentication setup. Percentage options allow gradual policy enforcement. Remember some ISPs don't differentiate between quarantine and reject.

Key findings

  • Phased Approach: Implementing DMARC in stages (none, quarantine, reject) is widely recommended.
  • Importance of SPF and DKIM: SPF and DKIM must be implemented and tested before DMARC.
  • Monitoring is Crucial: Regularly monitoring DMARC reports is essential for identifying and addressing deliverability issues.
  • Policy Options: DMARC offers three policy options: none, quarantine, and reject, each serving a different purpose.
  • Enforcing Policy: Quarantine policy is still an enforcing policy that tells receivers to do something with non-aligned messages.

Key considerations

  • Risk Tolerance: Consider your risk tolerance when choosing between 'reject' and 'quarantine'.
  • Potential for Blocking Legitimate Emails: Implementing 'reject' without proper monitoring can block legitimate emails.
  • Gradual Enforcement: Use percentage options for gradual policy enforcement.
  • Monitor reports: Remember to regularly monitor your DMARC aggregate and forensic reports.
  • ISP handling varies: Some ISPs don't distinguish between quarantine and reject.

What email marketers say
10 marketer opinions

Implementing a DMARC policy effectively involves a phased approach, starting with monitoring ('p=none') to gather data and identify potential issues. Transitioning to 'p=quarantine' provides a middle ground by directing non-aligned messages to the spam folder, while 'p=reject' offers maximum protection but requires careful monitoring to avoid blocking legitimate emails. The choice between 'reject' and 'quarantine' depends on your risk tolerance and the maturity of your email authentication setup. Percentage options allow for gradual policy enforcement.

Key opinions

  • Phased Implementation: A gradual transition from 'p=none' to 'p=quarantine' and finally 'p=reject' is the safest approach.
  • Monitoring is Crucial: Monitoring DMARC reports is essential to identify and address any deliverability issues before fully enforcing a reject policy.
  • Quarantine as Intermediate Step: The 'quarantine' policy serves as an intermediate step, allowing you to assess the impact of DMARC enforcement before implementing a full 'reject' policy.
  • ISP handling varies: Note that some ISPs don't distinguish between quarantine and reject.

Key considerations

  • Risk Tolerance: Your risk tolerance and the maturity of your email authentication infrastructure should influence your choice between 'reject' and 'quarantine'.
  • Potential for Blocking Legitimate Emails: Implementing a 'reject' policy without proper monitoring can lead to legitimate emails being blocked.
  • Gradual Enforcement: Using percentage options allows for gradual policy enforcement, minimizing potential disruptions.
  • SPF and DKIM: Make sure you are sending authenticated mail before you implement DMARC. Implement and test SPF and DKIM first, then add DMARC.

Marketer view

Email marketer from EasyDMARC explains that immediately implementing a 'p=reject' policy without proper monitoring and analysis can lead to legitimate emails being blocked, potentially harming your business. They suggest starting with 'p=none' to gather data and identify any authentication issues.

August 2024 - EasyDMARC
Marketer view

Email marketer from Postmark recommends incrementally strengthening your DMARC policy over time. Starting with 'p=none' gives you visibility without impacting deliverability. Then move to 'p=quarantine' to test the waters, before fully enforcing with 'p=reject'.

October 2023 - Postmark
Marketer view

Marketer from Email Geeks shares the importance of using percentage options when implementing a DMARC policy. He suggests starting with a low percentage of messages and gradually increasing it as confidence grows that no mail flows are impacted.

July 2022 - Email Geeks
Marketer view

Marketer from Email Geeks advises starting with a quarantine policy before moving to reject, to identify any potential issues, unless you are sure email is only coming from one place, such as a new domain setup.

November 2023 - Email Geeks
Marketer view

Marketer from Email Geeks suggests proceeding with caution and staying at p=none until sure that setting an enforcing policy won’t break legitimate email. He suggests there is no reason to rush.

May 2022 - Email Geeks
Marketer view

Email marketer from Stack Overflow clarifies that a DMARC quarantine policy requests that emails failing authentication checks are placed in the recipient's spam folder. It is seen as an intermediate step between monitoring and full rejection.

April 2021 - Stack Overflow
Marketer view

Email marketer from URIports shares that choosing between 'reject' and 'quarantine' depends on your risk tolerance and the maturity of your email authentication setup. 'Reject' offers maximum protection against spoofing but requires careful monitoring, while 'quarantine' is a more cautious approach that still provides some level of protection.

June 2021 - URIports
Marketer view

Marketer from Email Geeks explains that the quarantine policy is still an enforcing policy that tells receivers to do something with non-aligned messages. He also notes that some ISPs don't distinguish between quarantine and reject.

April 2021 - Email Geeks
Marketer view

Email marketer from Mailjet shares that implementing DMARC involves publishing a DMARC record in your DNS, monitoring DMARC reports to identify any deliverability issues, and gradually moving from 'p=none' to 'p=quarantine' or 'p=reject' as you gain confidence in your email authentication setup.

May 2023 - Mailjet
Marketer view

Email marketer from Reddit suggests that starting with a 'p=none' policy for a few weeks, then moving to 'p=quarantine' for a similar period, before finally implementing 'p=reject' is the safest approach. This allows you to identify and fix any authentication issues before they impact your deliverability.

February 2025 - Reddit

What the experts say
3 expert opinions

Experts recommend a multi-stage approach to DMARC implementation. This begins by ensuring proper email authentication (SPF and DKIM). Initially, a 'p=none' policy is advised for monitoring and data collection, followed by 'p=quarantine' as an intermediate step, and ultimately 'p=reject' if all checks pass. Monitoring DMARC reports is vital to identify and address any issues. Some experts suggest using 'p=quarantine pct=0' as an initial step, and there are external services available that can interpret DMARC reports to pinpoint sources of unauthorized sending.

Key opinions

  • Staged Implementation: Implementing DMARC in stages (none, quarantine, reject) is the best practice.
  • Importance of SPF and DKIM: SPF and DKIM must be implemented and tested before DMARC.
  • Monitoring is Essential: Regularly monitoring DMARC aggregate and forensic reports is crucial.
  • External services exist: Some services read DMARC reports for you and identify sources of unauthorized sending.

Key considerations

  • Use p=quarantine pct=0: Consider using 'p=quarantine pct=0' as an initial step.
  • Proper Authentication: Ensure your mail is properly authenticated before implementing DMARC.
  • Intermediate Quarantine Step: Use p=quarantine as an intermediate step before rejecting all unauthenticated mail.
Expert view

Expert from Word to the Wise shares that the usual best practice is to implement DMARC in stages, initially requesting "none", then graduating to quarantine, and finally reject (if all goes well). Note, too, that there are services that can read the DMARC reports for you to determine the sources of unauthorized sending (spoofing).

September 2022 - Word to the Wise
Expert view

Expert from Spamresource explains that a DMARC implementation needs to be done in stages:

  • You want to make sure you are sending authenticated mail before you implement it.
  • You have to have SPF and DKIM implemented first and tested, and then DMARC.
  • Then you want to be watching the DMARC aggregate and forensic reports that are generated by your DMARC policy to see if something is amiss.

November 2022 - Spamresource
Expert view

Expert from Email Geeks shares that those who professionally deploy DMARC use p=quarantine as an intermediate step, some even recommending p=quarantine pct=0.

August 2022 - Email Geeks
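
The staged rollout and the percentage option discussed above, as an added example (not code from the quoted sources): it parses DMARC TXT values and shows what each stage asks receivers to do with failing mail. It assumes the RFC 7489 rule that failing messages outside the pct sample get the next lower policy; the records, example.com and the report address are constructed, and receivers remain free to handle mail differently.

```python
# Policy requested for failing messages that fall outside the pct sample.
DOWNGRADE = {"reject": "quarantine", "quarantine": "none", "none": "none"}

# Constructed rollout for example.com, one TXT value per stage.
RUA = "rua=mailto:dmarc-reports@example.com"
ROLLOUT = [
    f"v=DMARC1; p=none; {RUA}",               # monitor only
    f"v=DMARC1; p=quarantine; pct=0; {RUA}",  # enforcing policy published, nothing quarantined
    f"v=DMARC1; p=quarantine; pct=25; {RUA}",
    f"v=DMARC1; p=quarantine; {RUA}",         # pct defaults to 100
    f"v=DMARC1; p=reject; pct=50; {RUA}",
    f"v=DMARC1; p=reject; {RUA}",
]

def parse_dmarc(txt):
    """Return (policy, pct) from a DMARC TXT value, or raise ValueError."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    pairs = [tuple(s.strip() for s in p.split("=", 1)) for p in parts if "=" in p]
    if not pairs or pairs[0] != ("v", "DMARC1"):
        raise ValueError("record must start with v=DMARC1")
    tags = {k.lower(): v for k, v in pairs}
    policy = tags.get("p", "").lower()
    if policy not in DOWNGRADE:
        raise ValueError("missing or unknown p= tag")
    pct = int(tags.get("pct", "100"))
    if not 0 <= pct <= 100:
        raise ValueError("pct must be between 0 and 100")
    return policy, pct

def expected_dispositions(txt, failing):
    """Expected split of `failing` messages across requested dispositions."""
    policy, pct = parse_dmarc(txt)
    out = {"none": 0, "quarantine": 0, "reject": 0}
    selected = failing * pct // 100            # share that gets the published policy
    out[policy] += selected
    out[DOWNGRADE[policy]] += failing - selected
    return out

if __name__ == "__main__":
    for record in ROLLOUT:
        print(record, "->", expected_dispositions(record, 1000))
```
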

What the documentation says
4 technical articles

Technical documentation consistently recommends a phased DMARC implementation. This involves starting with a 'p=none' policy for monitoring and data collection, followed by a transition to either 'p=quarantine' (directing non-compliant emails to spam) or 'p=reject' (refusing such emails entirely). While 'p=reject' provides strong protection against spoofing and phishing, careful monitoring is crucial to avoid blocking legitimate emails.

Key findings

  • Policy Options: DMARC offers three policy options: none, quarantine, and reject.
  • Phased Approach: A phased implementation is recommended, starting with 'p=none'.
  • Reject for Spoofing Prevention: 'p=reject' helps prevent spoofing and phishing attacks.

Key considerations

  • Monitoring Importance: Carefully monitor DMARC reports to avoid blocking legitimate emails, especially with 'p=reject'.
  • Quarantine vs. Reject: 'p=quarantine' places failing messages in spam, while 'p=reject' refuses them entirely.
  • Data Collection: 'p=none' allows you to gather data on your mail streams before implementing stricter policies.
Technical article

Documentation from Google explains that DMARC policies tell receiving mail servers what to do with messages from your domain that fail DMARC checks. Google recommends starting with a 'p=none' policy to monitor reports before transitioning to 'p=quarantine' or 'p=reject'.

August 2022 - Google
Technical article

Documentation from DMARC.org details the three policy options: none, quarantine, and reject. It clarifies that 'p=none' is for monitoring, 'p=quarantine' instructs receivers to place failing messages in spam folders, and 'p=reject' instructs receivers to refuse the message.

October 2021 - DMARC.org
Technical article

Documentation from AuthSMTP describes the purpose of each DMARC policy. None - allows you to gather data on your mail streams. Quarantine - instructs the receiver to place failing messages into a quarantine folder, typically the junk folder. Reject - instructs the receiver to reject the message outright.

August 2024 - AuthSMTP
Technical article

Documentation from Microsoft advises that using DMARC with a 'p=reject' policy can help prevent spoofing and phishing attacks, but it also recommends carefully monitoring DMARC reports to ensure legitimate emails are not being blocked. They suggest a phased approach.

February 2023 - Microsoft