
Should your DMARC policy reject or quarantine?

Email is an essential communication tool for businesses, organizations, and individuals. Unfortunately, it is also a favoured vector for cybercriminals to conduct phishing attacks, spoofing, and other forms of email fraud. Domain-based Message Authentication, Reporting, and Conformance (DMARC) is a widely adopted email authentication protocol that allows domain owners to protect their email domains from unauthorized use.

DMARC provides three policy options: none, quarantine, and reject. While all three offer benefits, DMARC reject is widely considered the most secure. In this article, we will explore why DMARC reject is preferred over quarantine, and the times when it may be preferable to use quarantine.

DMARC Quarantine and Reject: What’s the Difference?

DMARC Quarantine and Reject are two different ways of handling email that fails DMARC authentication. Quarantine is a DMARC policy that asks the receiver to deliver a failing email to the recipient’s spam folder instead of the inbox. It is a way for the domain owner to signal to the receiver that the email may be suspicious but is not necessarily harmful.

Reject, on the other hand, is a DMARC policy that blocks emails failing the authentication checks from reaching the recipient’s inbox at all. It is the most secure option because it ensures that only legitimate, authenticated emails get delivered to the recipient’s inbox.

Why DMARC=Reject is Preferred

DMARC Reject is the most secure DMARC policy because it provides a clear message to receivers that emails that fail DMARC checks are fraudulent and should be rejected. In addition, it prevents fraudulent emails from being delivered to recipients’ inboxes, which can help prevent damage from phishing attacks, impersonation, and other forms of email fraud.

When using DMARC Reject, the domain owner tells the receiving email server to reject any email failing DMARC authentication. This reject policy prevents email delivery to the recipient’s inbox. The sender then receives a notification that their email was not delivered.

DMARC Reject is the recommended option for domains serious about protecting their email reputation and recipients. By implementing a DMARC Reject policy, domain owners can prevent unauthorized use of their domain, preserve their reputation, and safeguard their recipients.

When to Use DMARC Quarantine

When should I use a DMARC=Quarantine policy?

While DMARC Reject is the most secure option, there are times when DMARC Quarantine may be preferable, for example when a domain owner implements DMARC for the first time or is gradually increasing the level of DMARC enforcement.

Your cybersecurity team may decide to implement a DMARC Quarantine policy as an intermediate step toward implementing DMARC Reject.

Quarantine also helps identify legitimate emails incorrectly flagged by the DMARC policy, so the domain owner can adjust the policy or their sending sources accordingly. Using DMARC Quarantine, domain owners gain insight into their email traffic and can identify legitimate emails that are being incorrectly flagged.
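The staged rollout described above (none, then quarantine with a sample percentage, then reject) can be made concrete by modelling what a receiving mail server does with each policy. The following is an added example, not code from the original article: it parses a DMARC TXT record and returns the disposition a receiver applies to a message given its SPF/DKIM alignment results, following the `p`, `sp` and `pct` rules of RFC 7489. The records in `ROLLOUT` and the `example.com` addresses are constructed for illustration.

```python
# Added example: model how a receiver applies a DMARC policy (none/quarantine/reject).
import random

# Constructed rollout stages, from monitoring only to full enforcement.
ROLLOUT = [
    "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com",
    "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc-reports@example.com",
    "v=DMARC1; p=quarantine; pct=100; rua=mailto:dmarc-reports@example.com",
    "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com",
]

def parse_dmarc(record: str) -> dict:
    """Parse a DMARC TXT record into a dict of tags, applying RFC 7489 defaults."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    tags["p"] = tags["p"].lower()
    tags["sp"] = tags.get("sp", tags["p"]).lower()   # subdomain policy defaults to p
    tags.setdefault("pct", "100")                      # pct defaults to 100
    return tags

def disposition(tags, spf_aligned, dkim_aligned, subdomain=False, sample=None):
    """Return 'pass', 'none', 'quarantine' or 'reject' for one message.
    spf_aligned / dkim_aligned: SPF or DKIM passed *and* aligned with the From: domain.
    sample: integer in [0, 100) used for pct sampling (random when None)."""
    if spf_aligned or dkim_aligned:
        return "pass"                      # DMARC passes; the policy is not applied
    policy = tags["sp"] if subdomain else tags["p"]
    if sample is None:
        sample = random.randrange(100)
    if sample >= int(tags["pct"]):
        # Outside the pct sample: RFC 7489 §6.6.4 says apply the next less
        # strict policy (reject -> quarantine, quarantine -> none).
        return {"reject": "quarantine", "quarantine": "none"}.get(policy, "none")
    return policy

def rollout_dispositions(spf_aligned, dkim_aligned, sample=50):
    """Disposition the same message would receive at each rollout stage."""
    return [disposition(parse_dmarc(r), spf_aligned, dkim_aligned, sample=sample)
            for r in ROLLOUT]

if __name__ == "__main__":
    # A spoofed message (neither SPF nor DKIM aligned) at every stage of the rollout.
    for record, result in zip(ROLLOUT, rollout_dispositions(False, False)):
        print(f"{result:10s} <- {record}")
```

A message that fails both checks is only observed under `p=none`, lands in spam once `pct` covers it under quarantine, and is refused outright under reject, which is exactly the progression the article recommends.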

Conclusion

In summary, DMARC Reject is the most secure option for protecting email domains from unauthorized use. It provides the most explicit message to receivers that any email that fails DMARC checks should be rejected.

While DMARC Quarantine can be useful as an intermediate step towards implementing DMARC Reject, it is recommended that domain owners eventually move towards implementing a DMARC Reject policy to ensure the most secure email authentication.

For more information on how DMARC, DKIM and SPF work together, check out our articles “Secrets behind DMARC, DKIM & SPF and how they support BIMI” and “What is MTA-STS for?”.