DMARC Quarantine vs. DMARC Reject: Which Should You Implement?

Fareed Bukhari August 8, 2019 DMARC

You did it! You implemented DMARC and authenticated your email domains. This is no easy feat in itself and now, after DNS requests, third-party conference calls, and writing internal policies, you are ready… It’s time for a stricter DMARC policy.

If your DMARC policy has been set to p=none for months, you’ve likely had the chance to review who is sending email under your brand name and determine which of those senders are legitimate and which are not. This is an important step in any DMARC implementation and is necessary to make sure that legitimate senders are not blocked from delivering email once the policy becomes stricter. Without spending some time reviewing those senders, a stricter DMARC policy could prevent legitimate emails from third-party senders like Marketo, Salesforce, and Mailchimp from being delivered to your customers, partners, and employees.

Unfortunately, while you’re living in the world of p=none, spammers and cybercriminals can still take advantage of your domain. Only by implementing a stricter policy will you be able to block them at the door and let the world know that you truly care about your consumers and your brand.

The question thus becomes, which policy will you choose? Do you go immediately to p=reject, or do you dabble with p=quarantine? Which is truly the better option for your organization?

Before making your decision whether to implement DMARC Reject or DMARC Quarantine, you should understand what happens when you implement either policy.

Implementing a p=quarantine DMARC Policy

Quarantine lets the participating email receivers know that you would like them to treat email that fails the DMARC authentication check with extra caution. The email will still be accepted by the receiver, but the receiver will decide how they want to implement the quarantine policy.

  • Quarantine: If the email receiver has a quarantine mailbox, this is where the message will be delivered. It will then be up to the administrator of the mailbox to decide if the email gets delivered or thrown away.
  • Deliver to spam: If the email receiver hosts the recipient’s mailbox, then the receiver may have the option to deliver non-compliant email into the recipient’s spam folder. The recipient would then have the option to decide whether to move it to the inbox.
  • Aggressive anti-spam filtering: Most receivers will see quarantined messages as something that is spam-like and could add additional scoring to the message itself. This additional step would allow the receiver to block the message due to its high spam scoring.

Some think quarantine is a great testing option, as it allows companies to start flexing their DMARC muscles slowly until they feel 100% confident that the right emails are passing and the wrong emails are failing. However, if DMARC is still not completely configured and you have legitimate email being quarantined or marked as spam, receivers will begin to associate the domain with the junk emails—ultimately hurting your brand. In this respect, a quarantine policy should be something to take just as seriously as a reject policy.

Implementing a p=reject DMARC Policy

Setting a DMARC policy to p=reject will allow you to ensure that all malicious email is stopped. As an added bonus, the intended recipient of the malicious email will never become aware of it in the first place, as it will never be sent to a spam or quarantine folder. Since these emails are completely blocked, they are never delivered, and end users cannot be tricked into clicking on a malicious link or opening a dangerous attachment.

The one downside is that if legitimate emails fail authentication and are rejected, the intended recipient will never know that the email was sent. For organizations not actively using a reporting system to monitor authentication, it could take months to find out that legitimate email is not being delivered, potentially hurting marketing programs or other opportunities to engage with prospects, customers, and partners.

So Which Should You Choose?

At the end of the day, the choice of policy belongs to your organization. Here at Agari, we recommend that all customers implement a p=reject policy to ensure complete protection for the recipients of your emails. That said, either policy is a much more secure option than p=none or no DMARC policy at all.
