BLOG ARTICLE

  • 8 minutes read

Understanding DMARC policies - p=none, p=quarantine, p=reject

Implementing the right DMARC policy is critical to your organization’s email security, brand protection, and email deliverability. But what exactly is a DMARC policy, and how do you select the right one for your business?

A workflow representing DMARC policies

Domain-based Message Authentication, Reporting, and Conformance (DMARC) is a global email authentication standard that has the power to protect your business’s email domain from being used for spoofing, phishing, impersonation, and other cyberattacks. 

What does a DMARC policy do?

Having a DMARC policy in place shows that your domain’s emails are protected by the Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) email authentication protocols. SPF verifies that emails come from authorized sources, while DKIM checks an email’s integrity, ensuring that the email headers and body weren’t tampered with during transit.

 

Stored as a DMARC record in your Domain Name System (DNS), your DMARC policy lets you, as the domain owner or Managed Service Provider (MSP), tell receiving servers how to handle emails that fail SPF and DKIM authentication. Options for handling these emails include accepting them (in which case no action is taken), quarantining them, or outright rejecting them.

What types of DMARC policies are there?

There are three DMARC policies to choose from:

p=none – Monitoring only 

The monitoring policy allows you to keep an eye on email traffic and get reports on email sources, providing visibility of how emails are handled without taking any action on emails that fail authentication. This policy is typically used when setting up DMARC to make sure it’s configured correctly before moving to a stricter policy. It won’t affect your email deliverability.

p=quarantine – Quarantines suspicious emails

In addition to sending reports, a quarantine policy tells receiving servers to quarantine emails failing DMARC checks by moving them to the Spam or Junk folder instead of the inbox. This means that while these emails are still delivered, they’re quarantined for further investigation before they make it to the main inbox.

p=reject – Rejects emails that fail authentication

The reject policy is the strictest DMARC policy. On top of sending reports, it guarantees complete protection against fraudulent communications for internal and external recipients of your business’s emails. A reject policy instructs recipient servers to straight-up reject any emails that fail DMARC checks. This means those emails never reach the inbox.

The power of a strong DMARC policy

Over 94% of businesses reported email security incidents in 2023, with email-based cyberthreats continuing to advance in numbers and sophistication. These trends make it clear that your organization must adopt security best practices like DMARC – with a strong policy – to safeguard stakeholders and ensure business continuity.

 

It’s concerning that even though the risks of not having protection in place are clear, less than 6 million DMARC records* existed globally as of 2022, and only 19.6%* of worldwide email domains with published DMARC policies are fully protected with p=reject.

 

Without a quarantine or reject policy, DMARC isn’t protective. It can’t tell receiving servers what to do with unauthenticated emails. Setting a strong DMARC policy reduces the risk of your business’s domain being used for fraudulent activities and shields your organization against the damages of a successful cyberattack.

 

Having a strict DMARC policy will also save your employees the time and worry of having to identify suspicious emails themselves. A phishing test carried out at worldwide organizations in October 2023 revealed that about 10% of employees clicked on suspicious links, and of those who clicked, over 62% submitted their passwords. While this click rate may seem low, it takes just one click to cause possibly irreparable business damage.

 

As we’ve highlighted above, a p=none or monitoring policy is not enough to shield your business from email-based cyberattacks. It’s like leaving the toll gate open for all email traffic – including malicious ones – to pass through as usual while you watch from the side of the road.

 

Read on to find out why p=reject should be the ultimate goal of your DMARC implementation.

*These statistics come from a specific dataset that examines only domains that use DMARC and doesn’t cover all email domains globally. This dataset’s trends are believed to represent internet-wide trends – and so provide valuable insight.

DMARC Policy Blog Inline Image 2 | Sendmarc | Dmarc Protection and Security

Why a reject DMARC policy should always be the end goal

Beginning with a none policy to monitor your email traffic is a great first step, and moving to a quarantine policy helps reduce risks by flagging suspicious emails, which can prevent successful cyberattacks. But for the highest defense against email fraud, organizations should ultimately aim to implement a reject policy.

 

Some may hesitate to implement a reject policy because they believe it will negatively impact their email deliverability, but this won’t be the case if DMARC is configured correctly.

 

Jumping straight to a reject policy isn’t the best first move, and you shouldn’t adopt a reject policy as a knee-jerk reaction to a cyberattack. A p=reject implementation needs to follow a gradual process to be effective.

 

There’s light at the end of the tunnel though, because by choosing the right DMARC partner, you can get your business’s domain to a reject policy as fast and simply as possible.

Adopting a p=reject DMARC policy provides several key business benefits:

  • Enhances email security by significantly reducing the risk of your domain being used in email-based cyberattacks.
  • Protects brand reputation by preventing the sending of fraudulent emails to your stakeholders and establishing your business as a trusted sender.
  • Improves email deliverability by signaling to Internet Service Providers (ISPs) and receiving servers that your domain is secure, boosting its reputation, and increasing the chances of emails reaching recipients’ inboxes.
  • Boosts compliance with industry recommendations and rules like the Payment Card Industry Data Security Standard (PCI DSS), Google and Yahoo sender rules, General Data Protection Regulation (GDPR), Health Insurance Portability and Accountability Act (HIPAA), and more.

How setting up a DMARC policy works

Some businesses go for a manual DMARC setup and implementation because they think it will save them time and money, when, in fact, the opposite is true.

 

Manually setting up your own DMARC policy is a tricky and risky business. The configuration process is complex, resource intensive, requires technical expertise, and if DMARC is misconfigured, there’s potential for email disruption. For example, incorrect configuration and misidentification of sending sources could lead to unintentionally blocked legitimate emails or the delivery of fraudulent ones.

 

Time to policy enforcement with a manual setup and implementation is also lengthy, usually taking over a year to complete. With the growing number of regulatory, enterprise, and government recommendations and rules for DMARC implementation, can your business afford the cost and time a manual implementation takes?

 

It’s also important to note that DMARC requires continuous monitoring and maintenance to adapt to changing email sources, address evolving threats to your business, and ensure that email authentication remains accurate and effective.

 

For these reasons, you may want to leverage a DMARC expert for your implementation and management. This option is more efficient in terms of time, resources, and cost, as well as ensuring that your implementation is fast, successful, and error-free.

There are three steps involved in DMARC implementation:

Step 1: p=none

Starting with a p=none policy allows you to monitor who is sending emails from your domain, giving you visibility of potential threats you need to protect against, as well as legitimate email sources that shouldn’t be rejected during authentication.

Step 2: p=quarantine

After your legitimate email sources are configured, it’s time to set your policy to p=quarantine. As mentioned earlier, with a quarantine policy, emails failing SPF and DKIM checks are placed in a quarantine folder for closer inspection before being delivered to an inbox.

 

This stage is all about making sure that every legitimate sending source, service, or platform is correctly configured. It’s also important to use this time to inform your stakeholders of the planned p=reject changes to ensure email systems are compliant and minimize disruptions to communication.

Step 3: p=reject

Now that you’ve made sure all legitimate sources are correctly configured, you can set your DMARC policy to reject. With this policy enforced, any emails that don’t align with your SPF and DKIM policies will be rejected by the receiving server.

Fast & simple DMARC implementation with Sendmarc

Sendmarc provides the world’s best DMARC solution by combining leading software, tools, and implementation, as well as hands-on training and enablement processes. Our promise is to get your domain to p=reject within 90 days* maximum.

 

We help you protect your business against phishing, spoofing, and impersonation with automated and powerful DMARC, DKIM, and SPF control. Our DMARC platform empowers you to manage any number of domains and safeguard them against misuse and the sending of fraudulent emails.

Maximize deliverability

Protect your brand

Domain to p=reject in 90 days max*

Build customer trust

Consolidated & clear reports

Contact our team of experts or book a demo to start your journey to full DMARC protection today.

*For customers on Sendmarc’s Premium Plan. Subject to the conditions of our Fair Usage Policy.  

Get in touch

Share

LATEST ARTICLES

All articles
SSO Integration Blog Card Image | Sendmarc | Dmarc Protection and Security
  • 12 minutes read

Why SSO Is Essential for the Modern Business

Explore Single Sign-On (SSO) features, benefits, and integration options, and learn how it strengthens your business’s cybersecurity.
Read more
A cybercriminal uses a laptop and targets holiday shoppers. A shopping cart is displayed above, a warning of the threat.
  • 12 minutes read

Protect Against Holiday Cybersecurity Threats

In our latest article, you’ll discover how to safeguard your business against the rise in holiday season cybersecurity threats.
Read more
Close up of a laptop keyboard and lower screen with illuminated red envelopes and code popping off the screen
  • 16 minutes read

Assess your business’s email risks this Cybersecurity Awareness Month

Explore top threats to your business and how to defend them in Cybersecurity Awareness Month. Read our latest article and get the free Cyberthreat Report.
Read more
Sendmarc logo in white on a transparent background
certification badge for ISO/IEC 27001:2022

How secure is your brand name from email scammers?

If you’re at risk of impersonation, one of our experts will be in touch to assist.

Linkedin-in Youtube X-twitter Facebook-f

Platform & Services

Company

Platform & Services

Resources