DMARC Policy Quarantine vs. Reject

Now that we’ve set up SPF, DKIM, and DMARC for our domain, let’s review what DMARC does, and then we’ll discuss how we want to manage our DMARC policy.

What does DMARC do?  It does a few things:

  • It factors in the results of SPF and DKIM
  • It requires the domain used by either SPF or DKIM to also be the domain found in the From address
  • It reports the SPF, DKIM, and DMARC results to the domain of the sender
  • It tells receiving email servers how to treat any email that fails DMARC validation

The DMARC Policy

Now that we know what DMARC does, we need to choose a policy to define how we want receiving email servers to handle messages that fail DMARC validation. There are three policy levels we can choose from.

Monitor: p=none

This policy tells the receiving email server that you don’t want them to do anything with an email that fails DMARC. It will be delivered to the inbox.

Quarantine: p=quarantine

This policy tells the receiving email server to treat email that fails the DMARC authentication check with a little extra caution and deliver it to a quarantine folder.

Reject: p=reject

This policy tells the receiving email server that an email that fails the DMARC authentication check should be rejected. These emails will bounce outright.
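As an added example (not atmail’s code), the following Python models how a receiving server combines the alignment rule listed above with the three policy levels: it parses a DMARC TXT record, checks whether the SPF or DKIM domain aligns with the From domain (strict or relaxed), and returns the disposition the p= tag calls for. The domain names are constructed, and the organizational-domain rule is simplified to the last two labels; real receivers consult the Public Suffix List.

```python
# Added example (not atmail's code): a minimal DMARC disposition evaluator.
# Assumptions: organizational domain = last two labels (real receivers use
# the Public Suffix List); all domain names below are constructed.

def parse_dmarc(record: str) -> dict:
    """Parse 'v=DMARC1; p=quarantine; ...' into a tag dictionary."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record: %r" % record)
    return tags

def org_domain(domain: str) -> str:
    """Simplified organizational domain: the last two labels."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain: str, mode: str) -> bool:
    """Strict ('s') alignment needs an exact match; relaxed ('r', the
    default) only needs the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc_disposition(record, from_domain, spf_pass_domain=None,
                      dkim_pass_domains=()):
    """Return (result, disposition). spf_pass_domain is the MAIL FROM
    domain if SPF passed (else None); dkim_pass_domains are the d= values
    of DKIM signatures that verified. DMARC passes when either identifier
    passed *and* aligns with the From domain; otherwise p= decides."""
    tags = parse_dmarc(record)
    spf_ok = aligned(spf_pass_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = any(aligned(d, from_domain, tags.get("adkim", "r"))
                  for d in dkim_pass_domains)
    if spf_ok or dkim_ok:
        return ("pass", "none")  # delivered normally
    return ("fail", tags["p"])  # none, quarantine or reject

if __name__ == "__main__":
    rec = "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com"
    # Legitimate mail: SPF passed for a subdomain, relaxed alignment holds.
    print(dmarc_disposition(rec, "example.com", spf_pass_domain="bounce.example.com"))
    # Spoofed From: SPF passed only for an unrelated domain -> quarantine.
    print(dmarc_disposition(rec, "example.com", spf_pass_domain="other.example"))
```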

Choosing the right policy

Setting your policy initially to “p=none” is often the best first choice. This policy allows you to monitor the traffic on your domain and decide how aggressive you want to be, based on real-world data from your domain’s users’ sending patterns. With the domain in the example from our first article, we were already aware of how the domain would be used and felt safe to implement the initial policy of “p=quarantine.”  We can recheck with our dig command:

What does this really mean, and how is it different from the policy of “p=reject”? Let’s take a look.

Quarantine

A quarantine policy tells receiving email systems that we want them to accept the message, but that extra care should be taken with any email that fails DMARC validation. What happens when the email is received? We leave this choice up to the receiving email system’s administrator. There are a few common options:

Quarantine: Some receiving email servers have a quarantine mailbox set up expressly for this. If this is the case, mail will be delivered here, and the administrator will need to decide whether or not to keep the message.

Deliver to spam: Some receiving email servers are set up to accept the message for mailboxes they host and deliver it to the user’s SPAM or JUNK folder. This puts the onus on the recipient, who can choose whether or not to keep the email. Some receiving email systems will take this another step and weight the message further to make sure it is seen as spam, and possibly reject it outright.

Reject

The reject policy is the strictest of the three options available. It tells the receiving email server to reject the email outright if it fails the DMARC authentication check. While this does mean the maximum protection for your domain, it does come with a risk: any legitimate email that is wrongly flagged as failing DMARC will bounce, never reaching the intended recipient.

Summary

Choosing the correct DMARC policy will depend entirely on your organization and how the accounts you own send mail. Some organizations will choose to go straight to a “p=reject” policy to ensure the most protection available. Others will maintain a “p=none” policy for months to ensure that legitimate emails aren’t failing authentication. In the example above, we chose a middle ground. Ultimately the choice is yours as an email administrator to make. Please let us know if you would like assistance with this choice or with setting up your DMARC policy in the atmail cloud.

Do you have a specific need for your organization’s DMARC policy? Do you need advice or guidance on creating a DMARC policy? Our team of email security experts here at atmail are available to assist you with your DMARC policy needs and answer any questions you might have.

With 22 years of global email expertise, you can trust us to deliver an email hosting platform that is secure, stable, and scalable. We power more than 170 million mailboxes worldwide and offer modern, white-labeled, cloud-hosted email with your choice of US or (GDPR compliant) EU data centers. Talk to us today.

September 8, 2021