When and why should I switch from DMARC p=none to p=quarantine or p=reject?
Summary
What email marketers say (7 marketer opinions)
Email marketer from proofpoint.com shares that DMARC implementation should be treated as a journey, not a destination. Proceed cautiously, but use what you learn from effective monitoring to move the ball forward; specific actions should be inspired by the results of what you see while monitoring.
Email marketer from StackExchange explains that you should only switch from p=none after carefully testing SPF and DKIM records. They also recommend watching your DMARC reports for a while to ensure all legitimate email is being correctly authenticated and the bad email is being blocked. You can then start with 'quarantine' before moving to 'reject'.
Email marketer from postmarkapp.com responds that you should move to p=quarantine or p=reject once you are certain that you have identified and corrected all authentication issues and that all legitimate email is properly authenticated. They caution against rushing the process to avoid negatively impacting email deliverability.
Email marketer from MXToolbox responds that you should only transition to p=quarantine or p=reject once you have thoroughly assessed the impact of a stricter policy on your legitimate email traffic. Before transitioning to p=quarantine or p=reject, you should analyze your DMARC aggregate reports to ensure that all legitimate sources have implemented SPF and DKIM correctly.
Email marketer from valimail.com explains that transitioning to a `reject` or `quarantine` policy should occur when you are confident that all legitimate email sources are authenticating correctly and any unauthorized use is blocked. This requires careful monitoring and adjustment of your DMARC settings.
Email marketer from Spamhaus shares that after initially setting the policy to p=none, it should be set to p=quarantine when you have verified that all emails from your domain are properly authenticated (i.e. they have passed both the SPF and DKIM checks). This will make sure that all unauthenticated emails are delivered to the recipient's spam folder. It should then be set to p=reject when you are confident enough that only authentic emails are sent from your domain.
Email marketer from Reddit suggests waiting until you have analyzed DMARC reports for a period of time (e.g., 30-60 days) and are confident that legitimate email is properly authenticated before moving to quarantine or reject. They also recommend starting with a small percentage of enforcement and gradually increasing it.
What the experts say (5 expert opinions)
Expert from Spamresource explains that moving to p=quarantine or p=reject should be done only after careful monitoring and analysis of DMARC reports. It's crucial to ensure that all legitimate email sources are correctly authenticated to avoid unintended consequences.
Expert from Word to the Wise explains that DMARC deployment includes a monitoring period (p=none) to determine if all legitimate mail sources are authenticating correctly before stricter enforcement (p=quarantine or p=reject). Without this monitoring phase, legitimate emails may be blocked or marked as spam, causing business disruption.
Expert from Email Geeks shares that to read DMARC reports, one should examine the percentage of mail authenticated via SPF and DKIM for each recipient. Consistent 100% authentication is ideal. Investigate discrepancies to identify indirect mail flows or illegitimate mail failing DMARC. Indirect flows are often unfixable and will result in lost recipients upon enforcement. Good reporting is essential but typically requires a commercial DMARC monitoring service.
Expert from Email Geeks at Valimail suggests that increasing awareness of bad actors exploiting p=none policies is driving some companies to adopt more secure DMARC configurations. He suggests p=none should be a temporary stop on the way to enforcing policies.
Expert from Email Geeks explains that enforcing DMARC can lead to mail loss, potentially upwards of 20% for some senders, depending on infrastructure and recipient demographics. Before enforcing, monitor DMARC reporting with p=none to understand mail flows and ensure all are DKIM signed, which could take weeks to months depending on complexity. After deciding to enforce, continue monitoring reports. There are varying theories on how to implement enforcement, from immediate p=reject to gradual transitions.
What the documentation says (4 technical articles)
Documentation from dmarcian.com explains that transitioning from p=none to p=quarantine/reject should occur after thoroughly monitoring reports and ensuring legitimate email sources are properly authenticated. They advise starting with p=none to observe email traffic and identify authentication issues before enforcing stricter policies.
Documentation from Microsoft explains that you should transition from `p=none` to `p=quarantine` and eventually `p=reject` once you have validated that legitimate email sources are properly authenticating and that you understand the potential impact on email delivery. Microsoft says that monitoring the reports is key to a successful implementation of DMARC.
Documentation from dmarc.org shares that the recommendation is to monitor with p=none first and then transition to quarantine or reject policies once you have a thorough understanding of your email ecosystem and are confident in your authentication setup. This helps avoid disrupting legitimate email flow.
Documentation from Google Workspace Admin Help explains that transitioning from `p=none` to a stricter policy like `p=quarantine` or `p=reject` is recommended once you have gained enough visibility into your email traffic and ensured that all legitimate email sources are properly authenticated. This approach helps prevent false positives and ensures legitimate emails are not blocked or marked as spam.