What DMARC settings should I use and what are the implications of using p=reject?
Summary
What email marketers say (11 marketer opinions)
Email marketer from Valimail shares that starting with 'p=none' is a recommended practice. This allows you to monitor DMARC reports and identify any legitimate email sources that are failing authentication before moving to a stricter policy like 'p=quarantine' or 'p=reject'.
Email marketer from Spamhaus explains that while DMARC helps protect against direct spoofing, it doesn't automatically prevent you from being blocklisted for other spam-related issues. You still need to maintain good sending practices.
Email marketer from Mailhardener stresses that DMARC, particularly with 'p=reject', significantly improves email deliverability by preventing spoofing and phishing attacks, thereby enhancing sender reputation with email providers.
Email marketer from GlockApps emphasizes the critical role of DMARC reporting (both aggregate and forensic) in understanding the impact of your DMARC policy. They state that monitoring reports is crucial for identifying authentication failures and making informed decisions about your DMARC policy.
Email marketer from Proofpoint explains that DMARC implementation involves phases: starting with monitoring ('p=none'), then quarantining ('p=quarantine') a percentage of failing emails, before finally rejecting all failing emails ('p=reject'). They emphasise the importance of monitoring reports at each stage.
Email marketer, an Email Marketing Forum user, advises ensuring that all email sending sources (ESP, CRM, etc.) are properly authenticated with SPF and DKIM before setting DMARC to 'p=reject', to avoid inadvertently blocking legitimate emails. They provide examples of common misconfigurations.
Email marketer from Postmark shares the value of a phased approach to DMARC, starting with a monitoring phase, then gradually increasing enforcement. Doing this helps to ensure legitimate email isn't blocked by an overly aggressive DMARC policy.
Email marketer from Email Geeks recommends removing 'pct=100' from the DMARC record (as it's the default) and adding a 'rua' tag for aggregate reports.
Email marketer from EasyDMARC warns that implementing 'p=reject' prematurely can result in legitimate emails being blocked if SPF or DKIM are not properly configured or if third-party services are not correctly authenticating email. Careful auditing is crucial.
Email marketer, a Reddit user, shares their experience implementing p=reject, highlighting the initial challenges of identifying and correcting misconfigured email sources but ultimately noting a significant reduction in spoofed emails and improved domain reputation. They recommend starting with p=none and ramping up slowly.
Email marketer from ZeroBounce advises on the importance of DMARC alignment (SPF and DKIM passing) for messages to pass DMARC authentication. They describe how even a 'p=none' policy can still impact deliverability if there are alignment issues.
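The monitoring step these opinions describe comes down to reading aggregate (rua) reports and separating your own senders that fail DMARC from unknown sources. The sketch below is an added example, not code from any of the vendors quoted; the report is a constructed sample in the RFC 7489 aggregate layout, and `KNOWN_SENDERS` is a hypothetical inventory of your sending IPs.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample in the RFC 7489 aggregate-report layout, trimmed to the fields used.
SAMPLE_REPORT = """<feedback>
 <policy_published><domain>example.com</domain><p>none</p></policy_published>
 <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
  <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row></record>
 <record><row><source_ip>198.51.100.7</source_ip><count>40</count>
  <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
 <record><row><source_ip>203.0.113.99</source_ip><count>15</count>
  <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
</feedback>"""

# Hypothetical inventory of IPs the organisation really sends from (ESP, CRM, ...).
KNOWN_SENDERS = {"192.0.2.10", "198.51.100.7"}


def triage(report_xml, known_senders):
    """Split DMARC-failing traffic into known senders to fix and unknown sources."""
    # Reports come from third parties: refuse DTDs so entity tricks never reach the parser.
    if "<!DOCTYPE" in report_xml or "<!ENTITY" in report_xml:
        raise ValueError("DTD/entity declarations are not allowed in a report")
    root = ET.fromstring(report_xml)
    total, fix_first, unknown = 0, Counter(), Counter()
    for row in root.iter("row"):
        ip = row.findtext("source_ip", "").strip()
        count = int(row.findtext("count", "0"))
        total += count
        results = {row.findtext(f"policy_evaluated/{tag}", "").strip().lower()
                   for tag in ("dkim", "spf")}
        if "pass" in results:  # DMARC passes when aligned DKIM or aligned SPF passes
            continue
        (fix_first if ip in known_senders else unknown)[ip] += count
    failing = sum(fix_first.values()) + sum(unknown.values())
    return {
        "policy": root.findtext("policy_published/p", "").strip(),
        "pass_rate": (total - failing) / total if total else 0.0,
        "fix_before_enforcing": dict(fix_first),  # legitimate mail p=reject would block
        "unknown_failing": dict(unknown),         # candidates for spoofed traffic
    }


if __name__ == "__main__":
    print(triage(SAMPLE_REPORT, KNOWN_SENDERS))
```

Any entry in `fix_before_enforcing` is a sender whose SPF or DKIM setup needs correcting before the policy is tightened.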
What the experts say (5 expert opinions)
Expert from Word to the Wise shares the implication of using p=reject, noting it tells receivers to reject messages failing authentication. This requires ensuring your legitimate email is properly authenticated to prevent deliverability problems, highlighting the importance of monitoring and correctly configuring SPF and DKIM.
Expert from Email Geeks shares a cautionary tale about a company (Crayola's parent company) that implemented 'p=reject' without proper support, guidance, or reporting, leading to deliverability issues.
Expert from Email Geeks confirms that the DMARC setting 'p=reject' is valid and stronger than 'p=none', which is the minimum requirement.
Expert from Email Geeks explains that using DMARC reject without reporting is an advanced practice and advises caution, though he admits to using it himself.
Expert from Spam Resource explains that deploying DMARC involves understanding your email streams and ensuring proper SPF and DKIM setup before enforcing policies like p=reject. He recommends starting with p=none to monitor traffic and identify any legitimate sending sources that need correction.
What the documentation says (4 technical articles)
Documentation from DMARC.org explains that using 'p=reject' instructs recipient mail servers to reject emails that fail DMARC authentication. This provides the strongest level of protection against spoofing but requires careful monitoring to avoid blocking legitimate email.
Documentation from RFC 7489, the official DMARC specification, formally defines the 'p' tag and its possible values ('none', 'quarantine', 'reject'), detailing the expected behavior of receiving mail servers for each policy option. This is the definitive source for understanding DMARC policy implementation.
Documentation from Google Workspace Admin Help explains that the DMARC policy ('p' tag) tells the recipient's mail server what to do with messages that fail DMARC checks. Options include 'none' (take no action), 'quarantine' (mark as spam), and 'reject' (block the message).
Documentation from Microsoft provides an example of a DMARC record with the 'p=reject' policy, illustrating its placement within the overall record structure and its interaction with other tags like 'rua' (reporting URI for aggregate reports) and 'ruf' (reporting URI for forensic reports).
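The record-level advice above (a valid 'p' value, no redundant 'pct=100', a 'rua' address so enforcement is never blind) can be checked mechanically. This linter is an added example, not code from the cited documentation; the function names and the sample records in the comments and test are constructed for illustration.

```python
def parse_dmarc(record):
    """Parse a DMARC TXT record into a dict of lowercase tag -> value (order kept)."""
    tags = {}
    for part in record.split(";"):
        if not part.strip():
            continue  # tolerate a trailing ';'
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part.strip()!r}")
        tags[name.strip().lower()] = value.strip()
    return tags


def lint_dmarc(record):
    """Return a list of findings for a DMARC record; an empty list means no findings."""
    tags = parse_dmarc(record)
    findings = []
    # The version tag has to come first and is matched exactly.
    if next(iter(tags), None) != "v" or tags.get("v") != "DMARC1":
        findings.append("record must start with v=DMARC1")
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("p must be none, quarantine or reject")
    pct = tags.get("pct")
    if pct is not None:
        if not pct.isdecimal() or int(pct) > 100:
            findings.append("pct must be an integer from 0 to 100")
        elif int(pct) == 100:
            findings.append("pct=100 is the default and can be removed")
        elif policy in ("quarantine", "reject"):
            findings.append(f"{policy} applies to only {pct}% of failing mail")
    uris = [u.strip() for u in tags.get("rua", "").split(",") if u.strip()]
    if not uris:
        findings.append("no rua tag: aggregate reports will not be sent")
    elif not all(u.lower().startswith("mailto:") for u in uris):
        findings.append("rua has a non-mailto URI; receivers are only required to support mailto:")
    return findings


if __name__ == "__main__":
    # Constructed records: one with the issues named on this page, one clean.
    print(lint_dmarc("v=DMARC1; p=reject; pct=100"))
    print(lint_dmarc("v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"))
```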