Pros & Cons of DMARC Quarantine vs. Reject

Danielle Tristao June 27, 2016 DMARC

You did it! You authenticated your email domains. After DNS requests, third-party conference calls, and writing internal policies, you are ready. It’s time for a stricter DMARC policy.

You have been living in the world of “p=none” and you are now ready to join the fight against spammers by implementing a policy that lets the world know you care about your consumers and your brand. But what policy are you going to choose? Do you go full-on “p=reject”? Or do you dabble with “p=quarantine”?

Before deciding whether to implement DMARC Reject or DMARC Quarantine, you should understand what happens when you implement either policy.

Quarantine Policy:

Quarantine lets the participating email receivers know that you would like them to treat email that fails the DMARC check with extra caution. The email will still be accepted by the receiver, but the receiver will decide how they want to implement the quarantine policy.

  • Quarantine: If the email receiver has a quarantine mailbox, this is where the message will be delivered. It will then be up to the admin of the mailbox to decide if the email gets delivered or thrown away.
  • Deliver to spam-folder: If the email receiver hosts the recipient’s mailbox, then the receiver may have the option to deliver non-compliant email into the recipient’s spam-folder.
  • Aggressive anti-spam filtering: Most receivers will treat quarantined messages as spam-like and may add to the spam score of the message itself. This, in turn, would allow the receiver to block the message because of its high spam score.

Some think quarantine is a great testing option. They can start flexing their DMARC muscles slowly until they feel 100% confident that the right emails are passing and the wrong emails are failing. However, if you are still not completely configured and you have legitimate email being quarantined and marked as “Spam”, your receiver will begin to associate your domain with the words “Junk”, “Spam”, and “Quarantined”. In this respect, quarantine should be something you take just as seriously as a reject policy.

Reject Policy:

Setting the policy to reject ensures that the bad email is stopped and that the intended recipient of the malicious email never knows it existed. It does not show up in their Junk/Quarantine folders. There is nothing to open or move or click on.

However, if legitimate emails fail authentication and are rejected, the recipient will never know they were supposed to receive them. The email is blocked before they ever see it. This means that if you are not actively using a monitoring/reporting system to keep watch on your authentication practices, it could be a while before you find out that your legitimate mail is not being delivered.
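One way to do the monitoring described above is to read the DMARC aggregate reports that receivers send back. The following is an added example, not part of the original post: it tallies DMARC pass and fail counts per sending IP so that legitimate sources that are still failing show up before the policy is raised. The report, the domain example.com, and the IP addresses are constructed sample data following the RFC 7489 report layout.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample aggregate report (RFC 7489 Appendix C layout); example.com
# and the 192.0.2.x / 198.51.100.x / 203.0.113.x addresses are placeholders.
# Real reports come from third parties: parse them with a hardened XML parser
# (for example the defusedxml package) rather than the stdlib default.
SAMPLE_REPORT = """<feedback>
  <policy_published><domain>example.com</domain><p>none</p></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>950</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>120</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
  <record><row><source_ip>203.0.113.44</source_ip><count>3</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row></record>
</feedback>"""

def summarize(report_xml):
    """Return (published policy, {source_ip: [pass_count, fail_count]})."""
    root = ET.fromstring(report_xml)
    policy = root.findtext("policy_published/p", default="none")
    totals = defaultdict(lambda: [0, 0])
    for row in root.iter("row"):
        ev = row.find("policy_evaluated")
        # DMARC passes when either aligned result (DKIM or SPF) is "pass".
        passed = "pass" in (ev.findtext("dkim"), ev.findtext("spf"))
        totals[row.findtext("source_ip")][0 if passed else 1] += int(row.findtext("count"))
    return policy, dict(totals)

def at_risk(report_xml, min_fail=1):
    """Sources whose mail would be quarantined or rejected under enforcement."""
    _, totals = summarize(report_xml)
    risky = [(ip, fails) for ip, (_, fails) in totals.items() if fails >= min_fail]
    return sorted(risky, key=lambda item: -item[1])

if __name__ == "__main__":
    policy, _ = summarize(SAMPLE_REPORT)
    print(f"published policy: p={policy}")
    for ip, fails in at_risk(SAMPLE_REPORT):
        print(f"{ip}: {fails} messages failing DMARC, review before enforcing")
```

Any source listed by `at_risk` is either an unauthorized sender or a legitimate system that still needs SPF or DKIM alignment; under quarantine or reject its mail stops reaching the inbox either way.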

At the end of the day, it is your decision. You decide what policy better suits your needs. For additional information on implementing stricter DMARC policies, please do not hesitate to reach out to Agari’s Customer Success team.

For more on DMARC, visit Agari’s DMARC Resource.
