• ProgIST CyberSec Division

DMARC Quarantine vs. DMARC Reject: Which should you implement?

Yay.! Finally, you successfully implemented DMARC and authenticated your email domains.

Now, the question arises: What do I do next? What is the next process? How can I stop bad guys from attacking my or spamming my domain? In this blog, we will guide you what should be the process you must be following for successful implementation of DMARC.


This is the first step to carry out after you set your DMARC policy to p=none, all you need to do is wait for few months, you will have the chance to review who is sending email under your brand name and analyze which of them are legitimate and which are not. This is an important step in any DMARC implementation and also necessary in order to make any decision. You don’t want your legitimate senders are blocked from delivering email and so after observing for few months it might be a time to make your policy strict.

Sadly, while the policy is on p=none, spammers and cyber-criminals can still take advantage of your domain. Only by implementing stricter policy, you can make sure that you are keeping bad guys against your organization, customers and employees.


The next step after waiting for few months is to change your policy to p=quarantine. Now what will happen? Will you be blocking bad guys now?

Quarantine lets the participating email receivers know that you would like them to treat email that fails the DMARC authentication check with extra caution. The email will still be accepted by the receiver, but the receiver will decide how they want to implement the quarantine policy; whether the receiver wants the email in the quarantine mailbox (if he has one), or it should be delivered into the recipient’s spam folder.

Some might think quarantine is a great testing option, as it allows companies to start flexing their DMARC muscles slowly until they feel 100% confident that the right emails are passing and the wrong emails are failing. However, if DMARC is still not completely configured and you have legitimate email being quarantined or marked as spam, receivers will begin to associate the domain with the junk emails — ultimately hurting your brand. In this respect, a quarantine policy should be something to take just as seriously as a reject policy.


Here comes the final step. Setting a DMARC policy to p=reject will allow you to ensure that all malicious email is stopped. And more importantly the recipient of the intended malicious email will never become aware of the email in the first place, as it will never get sent to a spam or quarantine folder. Since it is completely blocked, emails are never delivered and end-users will never see the malicious email in their email box and hence no chance of clicking on a malicious link or opening a dangerous attachment.

Unfortunately, the problem arises if legitimate emails are failing authentication and the email gets rejected, the receiver will never know they were receiving the intended email. For those organizations not actively using a reporting system to monitor authentication, it could be a huge task to find out that legitimate email is not being delivered, potentially hurting marketing programs or other opportunities to engage with customers and partners.


At the end of the day, which policy you choose is ultimately the decision of your organization as you decide which policy best suits your needs. There are many growing organizations implementing DMARC but the question is not whether you’re implementing DMARC or not but it is about are you implementing it correctly. To meet the end goal at the end of the day it is your organization your customers and your reputation.

  • LinkedIn
  • Twitter
  • Facebook

© 2020 by Progist.