What are the best practices for implementing a DMARC policy, and should you use reject or quarantine?
Summary
What email marketers say (10 marketer opinions)
Email marketer from EasyDMARC explains that immediately implementing a 'p=reject' policy without proper monitoring and analysis can lead to legitimate emails being blocked, potentially harming your business. They suggest starting with 'p=none' to gather data and identify any authentication issues.
Email marketer from Postmark recommends incrementally strengthening your DMARC policy over time. Starting with 'p=none' gives you visibility without impacting deliverability. Then move to 'p=quarantine' to test the waters, before fully enforcing with 'p=reject'.
Marketer from Email Geeks shares the importance of using percentage options when implementing a DMARC policy. He suggests starting with a low percentage of messages and gradually increasing it as confidence grows that no mail flows are impacted.
Marketer from Email Geeks advises starting with a quarantine policy before moving to reject, to identify any potential issues, unless you are sure email is only coming from one place, such as a new domain setup.
Marketer from Email Geeks suggests proceeding with caution and staying at p=none until sure that setting an enforcing policy won’t break legitimate email. He suggests there is no reason to rush.
Email marketer from Stackoverflow clarifies that a DMARC quarantine policy requests that emails failing authentication checks are placed in the recipient's spam folder. It is seen as an intermediate step between monitoring and full rejection.
Email marketer from URIports shares that choosing between 'reject' and 'quarantine' depends on your risk tolerance and the maturity of your email authentication setup. 'Reject' offers maximum protection against spoofing but requires careful monitoring, while 'quarantine' is a more cautious approach that still provides some level of protection.
Marketer from Email Geeks explains that the quarantine policy is still an enforcing policy that tells receivers to do something with non-aligned messages. He also notes that some ISPs don't distinguish between quarantine and reject.
Email marketer from Mailjet shares that implementing DMARC involves publishing a DMARC record in your DNS, monitoring DMARC reports to identify any deliverability issues, and gradually moving from 'p=none' to 'p=quarantine' or 'p=reject' as you gain confidence in your email authentication setup.
Email marketer from Reddit suggests that starting with a 'p=none' policy for a few weeks, then moving to 'p=quarantine' for a similar period, before finally implementing 'p=reject' is the safest approach. This allows you to identify and fix any authentication issues before they impact your deliverability.
What the experts say (3 expert opinions)
Expert from Word to the Wise shares that the usual best practice is to implement DMARC in stages, initially requesting "none", then graduating to quarantine, finally reject (if all goes well). Note, too, that there are services that can read the DMARC reports for you to determine the sources of unauthorized sending (spoofing).
Expert from Spamresource explains that a DMARC implementation needs to be done in stages:
- You want to make sure you are sending authenticated mail before you implement it.
- You have to have SPF and DKIM implemented first and tested, and then DMARC.
- Then you want to be watching the DMARC aggregate and forensic reports that are generated by your DMARC policy to see if something is amiss.
Expert from Email Geeks shares that those who professionally deploy DMARC use p=quarantine as an intermediate step, some even recommending p=quarantine pct=0.
What the documentation says (4 technical articles)
Documentation from Google explains that DMARC policies tell receiving mail servers what to do with messages from your domain that fail DMARC checks. Google recommends starting with a 'p=none' policy to monitor reports before transitioning to 'p=quarantine' or 'p=reject'.
Documentation from DMARC.org details the three policy options: none, quarantine, and reject. It clarifies that 'p=none' is for monitoring, 'p=quarantine' instructs receivers to place failing messages in spam folders, and 'p=reject' instructs receivers to refuse the message.
Documentation from AuthSMTP describes the purpose of each DMARC policy. None - allows you to gather data on your mail streams. Quarantine - instructs the receiver to place failing messages into a quarantine folder, typically the junk folder. Reject - instructs the receiver to reject the message outright.
Documentation from Microsoft advises that using DMARC with a 'p=reject' policy can help prevent spoofing and phishing attacks, but it also recommends carefully monitoring DMARC reports to ensure legitimate emails are not being blocked. They suggest a phased approach.
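A worked example added here, not code from any of the sources quoted above: a small Python parser for a DMARC TXT record plus a planner that computes the next step of the staged rollout the marketers, experts and documentation describe (p=none, then p=quarantine, then p=reject, widening pct= gradually and only while aggregate reports show nearly all mail aligning). The 98% alignment threshold, the 25-point pct step and the example record values are assumptions.

```python
# Staged rollout order described on the page: monitor, then quarantine, then reject.
STAGES = ["none", "quarantine", "reject"]

def parse_dmarc(txt):
    """Parse 'v=DMARC1; p=...; ...' into a dict of tag -> value; ValueError on bad input."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        k, v = part.split("=", 1)
        tags[k.strip().lower()] = v.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("record must begin with v=DMARC1")
    if tags.get("p", "").lower() not in STAGES:
        raise ValueError("p= must be none, quarantine or reject")
    tags["p"] = tags["p"].lower()
    pct = int(tags.get("pct", "100"))  # DMARC default: apply the policy to all mail
    if not 0 <= pct <= 100:
        raise ValueError("pct= must be between 0 and 100")
    tags["pct"] = str(pct)
    return tags

def render(tags):
    """Serialise back to TXT form; pct is omitted at its default of 100."""
    keys = ["v", "p"] + (["pct"] if tags["pct"] != "100" else [])
    keys += [k for k in tags if k not in ("v", "p", "pct")]
    return "; ".join(f"{k}={tags[k]}" for k in keys)

def next_step(tags, aligned_rate, min_rate=0.98, pct_step=25):
    """Return (new_record_or_None, reason). aligned_rate is the share of mail in the
    aggregate (rua) reports that passed DMARC; 0.98 and 25 are assumed tuning values."""
    p, pct = tags["p"], int(tags["pct"])
    if "rua" not in tags:
        return None, "add rua= first: without aggregate reports there is nothing to monitor"
    if aligned_rate < min_rate:
        return None, f"hold at p={p} pct={pct}: only {aligned_rate:.1%} aligned, fix those sources"
    new = dict(tags)
    if p != "none" and pct < 100:
        new["pct"] = str(min(100, pct + pct_step))  # widen the enforced slice of mail
        return render(new), f"raise pct to {new['pct']}"
    if p == "reject":
        return None, "rollout complete: keep reading reports for new mail sources"
    new["p"] = STAGES[STAGES.index(p) + 1]
    new["pct"] = str(pct_step)  # enter the next stage on a small slice of mail first
    return render(new), f"advance to p={new['p']} on {pct_step}% of mail"
```

Feed it the current record and the aligned share taken from the latest aggregate reports after each observation window, and publish the returned record only when one is returned.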