When and why should I switch from DMARC p=none to p=quarantine or p=reject?

Summary

The widespread consensus from experts, marketers, and documentation is that transitioning from a DMARC policy of p=none to p=quarantine or p=reject should only occur after careful monitoring and analysis of DMARC reports. This involves verifying that all legitimate email sources are properly authenticated via SPF and DKIM and understanding your email ecosystem. This phased approach is crucial to prevent mail loss, avoid disrupting legitimate email flow, and minimize the risk of false positives. A gradual transition is recommended, and the entire process should be treated as a continuous journey rather than a one-time switch.

Key findings

  • Monitoring is Paramount: Thorough monitoring and analysis of DMARC reports are essential before enforcing stricter DMARC policies.
  • Authentication Validation: Ensure all legitimate email sources are correctly authenticated using SPF and DKIM.
  • Understanding Ecosystem: A comprehensive understanding of your email ecosystem is vital to avoid unintended consequences.
  • Gradual Transition: Implementing a gradual transition allows for adjustments and minimizes disruption.
  • Iterative Journey: DMARC implementation should be viewed as a continuous journey of improvement.

Key considerations

  • Potential Mail Loss: Enforcing DMARC without proper preparation can lead to significant mail loss, impacting deliverability.
  • Impact on Recipients: Consider how the policy change will affect different recipient demographics and email infrastructures.
  • Reporting and Tools: Evaluate the necessity for commercial DMARC monitoring services to gain comprehensive insights.
  • Bad Actor Exploitation: Weigh the risks of bad actors exploiting a p=none policy against the potential disruption from stricter enforcement.
  • Indirect Flows: Account for indirect mail flows that may not be easily fixable and could lead to lost recipients.
  • SPF/DKIM Testing: Thoroughly test SPF and DKIM records before switching from p=none.

What email marketers say
7 marketer opinions

The consensus is that transitioning from DMARC p=none to p=quarantine or p=reject should only occur after a thorough monitoring and analysis period. This involves verifying that all legitimate email sources are correctly authenticated using SPF and DKIM, and that unauthorized use is properly identified and blocked. The process is iterative, requiring continuous assessment and adjustment based on DMARC report data. A gradual approach, starting with quarantine and progressively increasing enforcement, is generally recommended to minimize disruptions to legitimate email traffic.

Key opinions

  • Monitoring is Crucial: Continuous monitoring of DMARC reports is essential to identify and correct authentication issues before enforcing stricter policies.
  • Verify Authentication: Ensure all legitimate email sources are properly authenticated via SPF and DKIM before transitioning to p=quarantine or p=reject.
  • Iterative Process: DMARC implementation is a journey, requiring ongoing assessment and adjustment based on observed data.
  • Avoid Rushing: Rushing the transition can negatively impact email deliverability and disrupt legitimate email flow.

Key considerations

  • Impact Assessment: Thoroughly assess the potential impact of stricter policies on legitimate email traffic to avoid false positives.
  • Gradual Enforcement: Consider starting with a small percentage of enforcement and gradually increasing it to minimize disruptions.
  • SPF and DKIM: Carefully test and validate SPF and DKIM records to ensure proper authentication before enforcing DMARC policies.
  • Impact on deliverability: Changing your DMARC settings too soon may have a negative impact on your deliverability.
Marketer view

Email marketer from proofpoint.com shares that DMARC implementation should be treated as a journey, not a destination. Proceed cautiously, but use what you learn from effective monitoring to move the ball forward; specific actions should be driven by what you see while monitoring.

December 2021 - proofpoint.com
Marketer view

Email marketer from StackExchange explains that you should only switch from p=none after carefully testing SPF and DKIM records. They also recommend watching your DMARC reports for a while to ensure all legitimate email is being correctly authenticated and the bad email is being blocked. You can then start with 'quarantine' before moving to 'reject'.

February 2024 - StackExchange
Marketer view

Email marketer from postmarkapp.com responds that you should move to p=quarantine or p=reject once you are certain that you have identified and corrected all authentication issues and that all legitimate email is properly authenticated. They caution against rushing the process to avoid negatively impacting email deliverability.

October 2022 - postmarkapp.com
Marketer view

Email marketer from MXToolbox responds that you should only transition to p=quarantine or p=reject once you have thoroughly assessed the impact of a stricter policy on your legitimate email traffic. Before transitioning to p=quarantine or p=reject, you should analyze your DMARC aggregate reports to ensure that all legitimate sources have implemented SPF and DKIM correctly.

February 2023 - mxtoolbox.com
Marketer view

Email marketer from valimail.com explains that transitioning to a `reject` or `quarantine` policy should occur when you are confident that all legitimate email sources are authenticating correctly and any unauthorized use is blocked. This requires careful monitoring and adjustment of your DMARC settings.

November 2024 - valimail.com
Marketer view

Email marketer from Spamhaus shares that after initially setting the policy to p=none, it should be set to p=quarantine when you have verified that all emails from your domain are properly authenticated (i.e. they have passed both the SPF and DKIM checks). This will make sure that all unauthenticated emails are delivered to the recipient's spam folder. It should then be set to p=reject when you are confident enough that only authentic emails are sent from your domain.

May 2021 - spamhaus.org
Marketer view

Email marketer from Reddit suggests waiting until you have analyzed DMARC reports for a period of time (e.g., 30-60 days) and are confident that legitimate email is properly authenticated before moving to quarantine or reject. They also recommend starting with a small percentage of enforcement and gradually increasing it.

July 2022 - Reddit

What the experts say
5 expert opinions

Experts agree that transitioning from DMARC p=none to p=quarantine or p=reject necessitates careful monitoring and analysis of DMARC reports to ensure all legitimate email sources are correctly authenticated. Enforcing DMARC without proper preparation can lead to mail loss, depending on infrastructure and recipient demographics. A monitoring period with p=none is essential to understand mail flows and address authentication issues. While p=none provides limited protection, increasing awareness of its exploitation by bad actors is driving companies toward stricter policies, making it a temporary step toward full enforcement.

Key opinions

  • Monitoring is Key: Thorough monitoring and analysis of DMARC reports are crucial before enforcing stricter policies.
  • Authentication is Essential: Ensure all legitimate email sources are correctly authenticated via SPF and DKIM to prevent disruptions.
  • Potential for Mail Loss: Enforcing DMARC can lead to mail loss, especially if infrastructure and authentication are not properly configured.
  • Temporary Nature of p=none: Awareness of exploitation is making p=none a temporary measure, prompting a move toward enforcement.

Key considerations

  • Recipient Impact: Consider the impact on different recipient demographics and email infrastructures when enforcing DMARC.
  • Reporting Tools: Evaluate the need for commercial DMARC monitoring services to gain comprehensive insights into email flows.
  • Bad Actor Exploitation: Weigh the risks of leaving the policy at p=none, since bad actors actively hunt for p=none policies to exploit.
  • Indirect Flows: Acknowledge that indirect mail flows may be unfixable and will result in lost recipients under strict enforcement.
Expert view

Expert from Spamresource explains that moving to p=quarantine or p=reject should be done only after careful monitoring and analysis of DMARC reports. It's crucial to ensure that all legitimate email sources are correctly authenticated to avoid unintended consequences.

November 2021 - Spam Resource
Expert view

Expert from Word to the Wise explains that DMARC deployment includes a monitoring period (p=none) to determine if all legitimate mail sources are authenticating correctly before stricter enforcement (p=quarantine or p=reject). Without this monitoring phase, legitimate emails may be blocked or marked as spam, causing business disruption.

June 2022 - Word to the Wise
Expert view

Expert from Email Geeks shares that to read DMARC reports, one should examine the percentage of mail authenticated via SPF and DKIM for each recipient. Consistent 100% authentication is ideal. Investigate discrepancies to identify indirect mail flows or illegitimate mail failing DMARC. Indirect flows are often unfixable and will result in lost recipients upon enforcement. Good reporting is essential but typically requires a commercial DMARC monitoring service.

December 2023 - Email Geeks
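
One way to do the per-source reading described above, as an added example that is not code from any source quoted on this page: it parses a DMARC aggregate (rua) report, totals aligned SPF and DKIM results per sending IP, and estimates how much mail an enforced policy would affect. The sample report, its IP addresses and counts are constructed, and the code assumes an uncompressed report without XML namespaces.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample in the RFC 7489 aggregate-report layout (documentation IPs).
ROW = ("<record><row><source_ip>{ip}</source_ip><count>{n}</count><policy_evaluated>"
       "<disposition>none</disposition><dkim>{dkim}</dkim><spf>{spf}</spf>"
       "</policy_evaluated></row></record>")
SAMPLE_REPORT = "<feedback>" + "".join(ROW.format(ip=i, n=n, dkim=d, spf=s) for i, n, d, s in [
    ("192.0.2.10", 950, "pass", "pass"),    # main mail platform
    ("192.0.2.10", 50, "pass", "fail"),     # same platform, unaligned bounce domain
    ("198.51.100.7", 120, "fail", "fail"),  # unauthenticated: forgotten sender or spoofing
    ("203.0.113.25", 80, "fail", "pass"),   # SPF-only source, not DKIM signing yet
]) + "</feedback>"

def summarize(report_xml):
    """Per-source message totals with aligned DKIM, aligned SPF and DMARC pass counts."""
    # Reports are sent by third parties: parse real ones with defusedxml, not plain ElementTree.
    stats = defaultdict(lambda: {"total": 0, "dkim": 0, "spf": 0, "dmarc": 0})
    for row in ET.fromstring(report_xml).iter("row"):
        n = int(row.findtext("count"))
        dkim = row.findtext("policy_evaluated/dkim") == "pass"
        spf = row.findtext("policy_evaluated/spf") == "pass"
        s = stats[row.findtext("source_ip")]
        s["total"] += n
        s["dkim"] += n * dkim
        s["spf"] += n * spf
        s["dmarc"] += n * (dkim or spf)  # DMARC passes when either aligned check passes
    return dict(stats)

def enforcement_impact(stats):
    """Sources below 100% DMARC pass, and the share of all mail p=quarantine/reject would hit."""
    total = sum(s["total"] for s in stats.values())
    failing = {ip: s["total"] - s["dmarc"] for ip, s in stats.items() if s["dmarc"] < s["total"]}
    return failing, sum(failing.values()) / total

def dkim_gaps(stats):
    """Sources passing DMARC on SPF alone; forwarding breaks SPF, so indirect flows will fail."""
    return sorted(ip for ip, s in stats.items()
                  if s["dmarc"] == s["total"] and s["dkim"] < s["total"])

if __name__ == "__main__":
    stats = summarize(SAMPLE_REPORT)
    failing, share = enforcement_impact(stats)
    print(f"investigate before enforcing: {failing} ({share:.0%} of reported mail)")
    print(f"add DKIM signing for: {dkim_gaps(stats)}")
```
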
Expert view

Expert from Email Geeks at Valimail suggests that increasing awareness of bad actors exploiting p=none policies is driving some companies to adopt more secure DMARC configurations. He suggests p=none should be a temporary stop on the way to enforcing policies.

October 2021 - Email Geeks
Expert view

Expert from Email Geeks explains that enforcing DMARC can lead to mail loss, potentially upwards of 20% for some senders, depending on infrastructure and recipient demographics. Before enforcing, monitor DMARC reporting with p=none to understand mail flows and ensure all are DKIM signed, which could take weeks to months depending on complexity. After deciding to enforce, continue monitoring reports. There are varying theories on how to implement enforcement, from immediate p=reject to gradual transitions.

May 2024 - Email Geeks

What the documentation says
4 technical articles

Documentation from multiple sources consistently advises transitioning from DMARC p=none to p=quarantine or p=reject only after thoroughly monitoring email traffic, ensuring legitimate email sources are properly authenticated, and gaining a comprehensive understanding of your email ecosystem. This phased approach helps identify and resolve authentication issues before enforcing stricter policies, thus minimizing the risk of disrupting legitimate email flow and preventing false positives.

Key findings

  • Prioritize Monitoring: Monitoring email traffic with p=none is a prerequisite for a successful DMARC transition.
  • Authentication Verification: Verifying the proper authentication of all legitimate email sources is essential before enforcing stricter DMARC policies.
  • Ecosystem Understanding: A thorough understanding of your email ecosystem is crucial to avoid unintended consequences during the transition.
  • Prevent Disruption: The transition strategy should aim to minimize disruptions to legitimate email flow.

Key considerations

  • Visibility into Traffic: Gain sufficient visibility into your email traffic patterns before making policy changes.
  • False Positive Prevention: Implement measures to prevent false positives and ensure legitimate emails are not incorrectly flagged as spam.
  • Impact Assessment: Understand the potential impact of DMARC enforcement on your email delivery.
  • Iterative Approach: A phased transition from p=none to p=quarantine or p=reject requires constant learning and adjustment as the landscape changes.
Technical article

Documentation from dmarcian.com explains that transitioning from p=none to p=quarantine/reject should occur after thoroughly monitoring reports and ensuring legitimate email sources are properly authenticated. They advise starting with p=none to observe email traffic and identify authentication issues before enforcing stricter policies.

August 2021 - dmarcian.com
Technical article

Documentation from Microsoft explains that you should transition from `p=none` to `p=quarantine` and eventually `p=reject` once you have validated that legitimate email sources are properly authenticating and that you understand the potential impact on email delivery. Microsoft says that monitoring the reports is key to a successful implementation of DMARC.

June 2021 - microsoft.com
Technical article

Documentation from dmarc.org recommends monitoring with p=none first and then transitioning to quarantine or reject policies once you have a thorough understanding of your email ecosystem and are confident in your authentication setup. This helps avoid disrupting legitimate email flow.

November 2022 - dmarc.org
Technical article

Documentation from Google Workspace Admin Help explains that transitioning from `p=none` to a stricter policy like `p=quarantine` or `p=reject` is recommended once you have gained enough visibility into your email traffic and ensured that all legitimate email sources are properly authenticated. This approach helps prevent false positives and ensures legitimate emails are not blocked or marked as spam.

June 2023 - support.google.com