DMARC Policy Modes: Quarantine vs Reject
Published in DNS as a TXT record at _dmarc.<domain>, a DMARC policy lets a domain owner state that mail from the domain is authenticated with SPF and/or DKIM, and tells receivers what to do with email that fails the DMARC check (no SPF or DKIM pass whose domain aligns with the From address). The p tag selects one of three policies:
- p=none is used to collect feedback and gain visibility into email streams without impacting existing flows. It’s a crucial first step.
- p=quarantine asks email receivers to treat email that fails the DMARC check as suspicious; most commonly it is delivered to the recipient’s spam folder.
- p=reject requests that email receivers reject email that fails the DMARC check.
People often ask us, “What’s the difference between the DMARC policies quarantine and reject, and what will happen when I publish these policies?”
Understanding what happens when a DMARC quarantine or reject policy is published is pretty important, so we’ve assembled some knowledge to help clarify the differences between them.
A DMARC policy set to p=quarantine instructs email receivers to treat email that fails the DMARC check with increased scrutiny. The message is still accepted at SMTP time, and what “quarantine” means in practice is up to each receiver. Possible implementations include the following:
- Deliver to spam folder: if an email receiver hosts the recipient’s mailbox, then the receiver might be able to deliver non-compliant email into the recipient’s spam folder.
- Temporary quarantine: an email receiver may choose to temporarily quarantine non-compliant email so that additional analysis of the email can be performed. An operator may then release email from quarantine after review.
- Increase aggressiveness of anti-spam filtering: anti-spam filtering is a trade-off between catching as much spam as possible and accidentally classifying wanted email as spam. Email that falls under a DMARC quarantine policy is more likely to be judged as spam.
The important thing to know about publishing a quarantine policy is that non-compliant email is still accepted by receivers. Other anti-spam controls may keep it from reaching the recipient’s inbox, but the sending server sees a normal SMTP acceptance and gets no signal that anything is wrong.
The impact of a quarantine policy on legitimate-but-non-compliant email will therefore not be immediately obvious to the sources of such email. They will see only a gradual decline in deliverability: depending on how each receiver implements quarantine, their email will be spam-foldered, delayed, or possibly discarded. Unless the source of affected email is paying close attention to its own performance, the impact of quarantine may go unnoticed for a long time.
A DMARC policy set to p=reject instructs email receivers to refuse email that fails the DMARC check. There are two known implementations:
- Refuse the email at SMTP time, returning a permanent (5xx) error to the sending server. This is the preferred and most widely adopted implementation: the message never reaches the DMARC-verifying receiver’s mail store, and the sending server is told immediately, in the SMTP reply, why its email is not getting through.
- Accept the email via SMTP and then block its final delivery when it fails DMARC. This is less optimal because the receiver has taken responsibility for the message at SMTP time and then does not deliver it. When delivery fails, one of two things happens:
  - a Delivery Status Notification (a “bounce” message) is generated, or
  - the non-compliant email is silently dropped.
In either case, email that falls under a DMARC reject policy is not delivered, which makes reject the strongest control against unauthorized use of a domain. (DMARC does leave receivers free to override the policy for individual messages, for example mail they recognize as coming through a mailing list; such overrides are reported back to the domain owner in aggregate reports, and they are the exception rather than the rule.)
The impact of a reject policy on legitimate-but-non-compliant email is therefore immediately obvious: the email stops flowing. Before moving to a reject policy, a domain owner should be ready to deal with legitimate sources of email that run into it, since those sources will need help becoming DMARC-compliant.
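To make the dispositions concrete, here is a receiver-side evaluator, added here as an example and not dmarcian’s own code: it parses a DMARC record, checks whether the SPF or DKIM result is aligned with the From domain, and returns none, quarantine or reject. It goes a little beyond the text above in also handling the sp (subdomain policy) and pct (sampling) tags and the strict/relaxed alignment modes. The public-suffix table is a stub, and all domains, records and authentication results are constructed.

```python
"""Receiver-side DMARC evaluation: turn a DMARC record plus SPF/DKIM results
into a disposition of none, quarantine or reject.
Added example, not dmarcian's code. The public-suffix table is a stub."""
from dataclasses import dataclass

# Assumption: a tiny stand-in for the Public Suffix List, enough to compute
# organizational domains for the constructed inputs below.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}


def org_domain(domain: str) -> str:
    """Organizational domain: the public suffix plus one label to its left."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return ".".join(labels)


def parse_dmarc(record: str) -> dict:
    """Parse a DMARC TXT record into tags, applying the RFC 7489 defaults
    for the tags this example uses (sp, adkim, aspf, pct)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    tags.setdefault("sp", tags["p"])    # subdomain policy defaults to p
    tags.setdefault("adkim", "r")       # relaxed DKIM alignment
    tags.setdefault("aspf", "r")        # relaxed SPF alignment
    tags.setdefault("pct", "100")       # apply the policy to all failing mail
    return tags


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    needs the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


@dataclass
class AuthResults:
    from_domain: str   # domain in the RFC5322.From header
    spf_result: str    # "pass", "fail", "softfail", ...
    spf_domain: str    # RFC5321.MailFrom domain that SPF was evaluated against
    dkim_result: str   # "pass" or "fail"
    dkim_domain: str   # d= of the passing DKIM signature, "" if none


def dmarc_disposition(record: str, policy_domain: str, r: AuthResults,
                      sample_roll: int = 0) -> str:
    """Return 'none', 'quarantine' or 'reject'.
    policy_domain is where the record was found (the From domain itself or its
    organizational domain); sample_roll in 0..99 models the pct lottery."""
    policy = parse_dmarc(record)
    spf_ok = r.spf_result == "pass" and aligned(r.from_domain, r.spf_domain, policy["aspf"])
    dkim_ok = r.dkim_result == "pass" and aligned(r.from_domain, r.dkim_domain, policy["adkim"])
    if spf_ok or dkim_ok:
        return "none"                       # DMARC pass: no policy applied
    # sp applies when the record was found at the org domain for a subdomain
    action = policy["p"] if r.from_domain.lower() == policy_domain.lower() else policy["sp"]
    # pct: messages outside the sample get the next weaker treatment
    if sample_roll >= int(policy["pct"]):
        action = {"reject": "quarantine", "quarantine": "none"}.get(action, "none")
    return action


if __name__ == "__main__":
    rec = "v=DMARC1; p=reject; sp=quarantine; adkim=s; rua=mailto:dmarc@example.com"
    # Aligned SPF pass on a bounce subdomain: DMARC passes, reject is never reached.
    print(dmarc_disposition(rec, "example.com", AuthResults(
        "example.com", "pass", "bounce.example.com", "fail", "")))
    # DKIM signed by a subdomain under strict alignment: not aligned, so reject.
    print(dmarc_disposition(rec, "example.com", AuthResults(
        "example.com", "fail", "other.net", "pass", "mail.example.com")))
```

The second call shows a common surprise when tightening alignment: the same DKIM signature that passes DMARC under the default relaxed alignment (adkim=r) fails it under adkim=s, and with p=reject that mail is refused.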
Minimizing Policy Impact
DMARC is designed to give domain owners visibility, through feedback reports (the aggregate reports sent to the address in the record’s rua tag), into how their domains are performing. Domain owners are expected to use this visibility to bring all legitimate sources of email into compliance with DMARC before deploying either the quarantine or the reject policy. When deployed in that order, the impact of quarantine or reject policies on legitimate email is minimal.
A Note on Forwarding
Even when domain owners follow the proper steps to deploy DMARC and every legitimate source is sending DMARC-compliant email, forwarding can still cause problems. A forwarded message arrives from a server that is not in the sending domain’s SPF record, so SPF can no longer produce an aligned pass; if the forwarder also modifies the message (mailing lists that add a subject tag or a footer are the usual case), the DKIM signature breaks too, and DMARC can no longer tell that the email was authorized. So even though the domain owner is doing everything right, some legitimate email may still be affected by quarantine or reject policies. The visibility that DMARC provides can show the extent of this impact (it varies by domain according to where email is being sent), and it should be incorporated into any decision to move to either policy.
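The following script, added here as an example and not taken from the original post, walks one signed message through three delivery paths (direct, plain forward, mailing list) and shows which of SPF and DKIM survive each one. The SPF records, IP addresses and DKIM key are constructed; an HMAC stands in for the RSA signature that real DKIM uses, and DMARC alignment is checked with a simplified two-label organizational domain. The body-hash (bh=) computation follows DKIM’s “simple” canonicalization.

```python
"""What forwarding and mailing lists do to SPF and DKIM, and therefore to DMARC.
Added example, not dmarcian's code. All addresses, records and the DKIM key
are constructed; HMAC stands in for the RSA signature real DKIM uses."""
import base64
import hashlib
import hmac
import ipaddress

SENDER_SPF = "v=spf1 ip4:203.0.113.10 -all"     # example.com's outbound relay
LIST_SPF = "v=spf1 ip4:198.51.100.7 -all"       # lists.example.org's relay
DKIM_KEY = b"constructed-signing-secret"          # stands in for example.com's key


def spf_check(record: str, client_ip: str) -> str:
    """Minimal SPF: ip4 mechanisms and -all / ~all only (no include, no redirect)."""
    ip = ipaddress.ip_address(client_ip)
    for mech in record.split()[1:]:
        if mech.startswith("ip4:") and ip in ipaddress.ip_network(mech[4:], strict=False):
            return "pass"
        if mech == "-all":
            return "fail"
        if mech == "~all":
            return "softfail"
    return "neutral"


def canonical_body(body: str) -> bytes:
    """DKIM 'simple' body canonicalization: CRLF line ends, trailing empty lines dropped."""
    lines = body.replace("\r\n", "\n").split("\n")
    while lines and lines[-1] == "":
        lines.pop()
    return ("\r\n".join(lines) + "\r\n").encode()


def body_hash(body: str) -> str:
    """The bh= value: base64 of SHA-256 over the canonicalized body."""
    return base64.b64encode(hashlib.sha256(canonical_body(body)).digest()).decode()


def _signed_data(from_hdr: str, subject: str, bh: str) -> bytes:
    return f"from:{from_hdr}\r\nsubject:{subject}\r\nbh={bh}".encode()


def dkim_sign(from_hdr: str, subject: str, body: str, d: str = "example.com") -> dict:
    """Mock DKIM-Signature over h=from:subject plus the body hash."""
    bh = body_hash(body)
    b = hmac.new(DKIM_KEY, _signed_data(from_hdr, subject, bh), hashlib.sha256).digest()
    return {"d": d, "h": "from:subject", "bh": bh, "b": base64.b64encode(b).decode()}


def dkim_verify(sig: dict, from_hdr: str, subject: str, body: str) -> str:
    if body_hash(body) != sig["bh"]:
        return "fail"                          # body changed after signing
    b = hmac.new(DKIM_KEY, _signed_data(from_hdr, subject, sig["bh"]), hashlib.sha256).digest()
    return "pass" if hmac.compare_digest(base64.b64encode(b).decode(), sig["b"]) else "fail"


def dmarc_pass(from_domain, spf, mailfrom_domain, dkim, dkim_d) -> bool:
    """Relaxed alignment, assuming the org domain is the last two labels."""
    org = lambda d: ".".join(d.split(".")[-2:])
    return ((spf == "pass" and org(mailfrom_domain) == org(from_domain)) or
            (dkim == "pass" and org(dkim_d) == org(from_domain)))


def scenarios() -> dict:
    """The same message delivered three ways; returns name -> (spf, dkim, dmarc_ok)."""
    frm, subj, body = "alice@example.com", "Q3 report", "Numbers attached.\r\n"
    sig = dkim_sign(frm, subj, body)
    out = {}
    # 1. Direct from example.com's relay, message untouched.
    spf, dkim = spf_check(SENDER_SPF, "203.0.113.10"), dkim_verify(sig, frm, subj, body)
    out["direct"] = (spf, dkim, dmarc_pass("example.com", spf, "example.com", dkim, sig["d"]))
    # 2. Plain forward: new relay IP, envelope sender and message unchanged.
    #    SPF fails, but the intact DKIM signature still carries DMARC.
    spf, dkim = spf_check(SENDER_SPF, "198.51.100.7"), dkim_verify(sig, frm, subj, body)
    out["forward"] = (spf, dkim, dmarc_pass("example.com", spf, "example.com", dkim, sig["d"]))
    # 3. Mailing list: envelope sender rewritten to the list domain (its own SPF
    #    passes but is not aligned) and a subject tag + footer break DKIM.
    spf = spf_check(LIST_SPF, "198.51.100.7")
    dkim = dkim_verify(sig, frm, "[team] " + subj,
                       body + "--\r\nUnsubscribe: https://lists.example.org/u\r\n")
    out["mailing_list"] = (spf, dkim, dmarc_pass("example.com", spf, "lists.example.org", dkim, sig["d"]))
    return out


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:13s} spf={result[0]:8s} dkim={result[1]:5s} dmarc_pass={result[2]}")
```

The plain forward still passes DMARC because DKIM survives an unmodified relay; the mailing-list case fails even though SPF passes for the list’s own domain, because that pass is not aligned with the From domain and the altered body no longer matches bh=. This is exactly the traffic that a move to quarantine or reject will affect despite the domain owner’s own sources being fully compliant.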
We’re Here to Help
With a team of email security experts and a mission of making email and the internet more trustworthy through domain security, dmarcian is here to help assess an organization’s domain catalog and implement and manage DMARC for the long haul.
Want to continue the conversation? Head over to the dmarcian Forum.