Configuring DMARC p=quarantine: A Technical Step-by-Step Guide to Secure Your Domain and Improve Deliverability

Introduction to DMARC and the p=quarantine Policy

DMARC (Domain-based Message Authentication, Reporting, and Conformance), defined in RFC 7489, is an email authentication protocol. It builds upon SPF and DKIM, tying their results to the domain in the From header that recipients actually see, so that domain owners can protect that domain from unauthorized use. DMARC lets senders specify how receiving mail servers should handle messages that use their domain but fail authentication, and it provides a mechanism for receivers to report authentication results back to the domain owner.

DMARC policies dictate the action receiving mail servers should take when an email fails DMARC authentication. The three primary policies are:

  • p=none: Monitor mode. Receiving servers take no action on failed messages but send reports. This is the initial deployment phase.
  • p=quarantine: Receiving servers should treat failed messages as suspicious. They are typically placed in the recipient's spam folder or flagged for further review.
  • p=reject: Receiving servers should outright reject messages that fail DMARC authentication. This is the strongest enforcement policy.

Implementing p=quarantine is a critical step towards full domain protection. It allows domain owners to mitigate spoofing and phishing attempts without immediately blocking legitimate, but misconfigured, email streams. This policy provides a balance between security enforcement and minimizing potential deliverability disruptions.

Prerequisites for DMARC p=quarantine Implementation

Before deploying a p=quarantine policy, proper configuration of SPF and DKIM is mandatory. DMARC relies on these underlying authentication mechanisms and their alignment with the sending domain.

SPF (Sender Policy Framework)
SPF, specified in RFC 7208, allows domain owners to publish in DNS the IP addresses (directly, or via include: of another domain's record) authorized to send mail for their domain. Receiving mail servers look up the SPF record of the envelope sender domain (the MAIL FROM, also visible as Return-Path) and check whether the connecting IP is authorized.
An SPF record is a TXT record at the apex of the domain used as the envelope sender.
Example: yourdomain.com. IN TXT "v=spf1 include:_spf.google.com include:mailgun.org -all"
The -all mechanism specifies a hard fail for unauthorized senders. Ensure all legitimate sending sources are included, and keep the record within the limit of 10 DNS-querying terms (include, a, mx, ptr, exists, redirect) that RFC 7208 imposes; a record that exceeds it evaluates to permerror, which does not count as an SPF pass under DMARC. Note that each include: authorizes every IP the third party lists, not only the ones that carry your mail.

DKIM (DomainKeys Identified Mail)
DKIM, defined in RFC 6376, adds a cryptographic signature header to outgoing mail. A receiver fetches the public key named by the signature's selector and verifies that the signing domain (the d= tag) vouched for the message and that the signed headers and body were not altered in transit. DKIM proves that the signing domain took responsibility for the message; it does not identify the human sender.
DKIM records are TXT records published under a specific selector subdomain.
Example: s1._domainkey.yourdomain.com. IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC..."
Each sending service typically provides its own DKIM selector and public key. Ensure all legitimate email streams are signed, prefer 2048-bit RSA keys where the provider supports them (RFC 8301 requires at least 1024 bits and recommends 2048), and remember that a signature only helps DMARC when the d= domain is yours rather than the provider's.

DMARC Alignment
DMARC requires at least one of SPF or DKIM to both pass and "align" with the domain in the From header (the RFC5322.From address that the recipient sees).

  • SPF Alignment: The domain SPF was evaluated against (the envelope MAIL FROM / Return-Path domain) must align with the From header domain. An SPF pass for a third party's own bounce domain does not satisfy DMARC.
  • DKIM Alignment: The domain in the DKIM signature's d= tag must align with the From header domain. An unaligned signature can be valid and still count for nothing.

Alignment is relaxed (adkim=r, aspf=r, the default when the tags are omitted) when the two domains share the same organizational domain, so mail.yourdomain.com aligns with yourdomain.com in either direction, or strict (adkim=s, aspf=s) when they must match exactly. Most deployments use relaxed alignment.
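The alignment rules above, as an added example that is not part of the original article: a small Python implementation of the RFC 7489 pass decision. The PUBLIC_SUFFIXES set is a constructed stand-in for the Public Suffix List that real validators use to find the organizational domain, and mailgun.org stands in for any third-party bounce or signing domain.

```python
# Added example (not from the article): evaluating DMARC identifier alignment
# the way RFC 7489 section 3.1 defines it.
# Assumption: PUBLIC_SUFFIXES is a tiny constructed stand-in for the
# Public Suffix List that real validators use to find the organizational domain.
PUBLIC_SUFFIXES = {"com", "org", "net", "co.uk"}


def organizational_domain(domain: str) -> str:
    """Registrable domain: the longest known public suffix plus one more label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return ".".join(labels)


def aligned(auth_domain: str, from_domain: str, mode: str = "r") -> bool:
    """Relaxed ('r'): same organizational domain. Strict ('s'): exact match."""
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    if mode == "s":
        return a == f
    return organizational_domain(a) == organizational_domain(f)


def dmarc_passes(from_domain, spf_result, spf_domain, dkim_results, aspf="r", adkim="r"):
    """DMARC passes when at least one identifier both authenticates and aligns.

    spf_result   -- SPF result ('pass', 'fail', ...) for the MAIL FROM domain spf_domain
    dkim_results -- list of (d= domain, result) pairs, one per DKIM-Signature header
    """
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, aspf)
    dkim_ok = any(res == "pass" and aligned(d, from_domain, adkim) for d, res in dkim_results)
    return spf_ok or dkim_ok


if __name__ == "__main__":
    # Constructed cases; mailgun.org stands in for any third-party bounce domain.
    print(aligned("yourdomain.com", "mail.yourdomain.com", "r"))   # True
    print(aligned("yourdomain.com", "mail.yourdomain.com", "s"))   # False
    # Third party signs with its own d= and passes SPF on its own bounce domain: DMARC fails.
    print(dmarc_passes("yourdomain.com", "pass", "mailgun.org", [("mailgun.org", "pass")]))  # False
    # Same provider, but signing with a selector under your domain: DKIM aligns, DMARC passes.
    print(dmarc_passes("yourdomain.com", "pass", "mailgun.org", [("yourdomain.com", "pass")]))  # True
```

The last two calls are the case that trips most deployments: the provider's mail is fully authenticated, yet DMARC fails because neither identifier is yours. Aligning DKIM (a selector under your domain) is usually the easier fix, since it survives forwarding where SPF does not.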

Step-by-Step Configuration of DMARC p=quarantine

Transitioning to p=quarantine requires a methodical approach. Do not deploy p=quarantine or p=reject without prior monitoring.

Step 1: Deploy DMARC with p=none
If you have not already, start with a DMARC record set to p=none. This policy instructs receiving servers to monitor and report authentication failures without affecting email delivery. This phase is crucial for identifying all legitimate sending sources and ensuring their SPF and DKIM configurations are correct.
Publish a TXT record at _dmarc.yourdomain.com:
_dmarc.yourdomain.com. IN TXT "v=DMARC1; p=none; rua=mailto:[email protected]; ruf=mailto:[email protected]; aspf=r; adkim=r;"

  • v=DMARC1: Specifies the DMARC protocol version; it must be the first tag.
  • p=none: The policy requested for mail that fails DMARC.
  • rua: Address for aggregate reports, which each participating receiver sends about once a day as a compressed XML attachment; use a mailbox that can absorb the volume. If the address is in a different domain from the one publishing the record, that domain must publish an authorization TXT record at yourdomain.com._report._dmarc.<report-domain> containing "v=DMARC1", or receivers will ignore the address.
  • ruf: Address for failure (forensic) reports about individual messages. Few large receivers send them, and those that do may include headers or message content, so treat the mailbox as sensitive.
  • aspf=r: Relaxed SPF alignment (the default when omitted).
  • adkim=r: Relaxed DKIM alignment (the default when omitted).

Step 2: Analyze DMARC Reports
Regularly review the aggregate (rua) and forensic (ruf) reports. Aggregate reports list, per sending IP, how many messages used your domain in the From header, their raw SPF and DKIM results, and whether either result aligned and therefore passed DMARC.

  • Identify legitimate sending services that are failing SPF or DKIM, or passing them without alignment (a provider signing with its own d= domain, or using its own bounce domain, shows up exactly this way: raw pass, DMARC fail).
  • Correct SPF records to include all authorized sources.
  • Ensure DKIM signatures are applied by all senders, with a selector under your domain.
  • Address any alignment issues.
  • Sources you do not recognise are the reason DMARC exists; they should keep failing and need no fix.

This iterative process ensures all legitimate email flows authenticate and align correctly before moving to enforcement.

Step 3: Implement p=quarantine
Once DMARC reports show a high percentage of legitimate emails passing authentication and alignment, you can transition to p=quarantine. It is recommended to use the pct (percentage) tag for a gradual rollout. This allows you to apply the quarantine policy to a subset of emails first.
Modify your DMARC record:
_dmarc.yourdomain.com. IN TXT "v=DMARC1; p=quarantine; pct=25; rua=mailto:[email protected]; aspf=r; adkim=r;"

  • p=quarantine: Asks receiving servers to quarantine mail that fails DMARC.
  • pct=25: Applies the quarantine policy to 25% of failing messages, chosen at random by each receiver; the remaining 75% are handled under the next weaker policy, p=none. Gradually increase the percentage (e.g., 50%, 75%, 100%) as you confirm no legitimate mail is affected. Not every receiver implements pct sampling, so expect some to enforce fully from the first day.

Continue monitoring DMARC reports closely during this phase. Watch for any unexpected drops in deliverability or reports of legitimate emails landing in spam; the aggregate reports record the disposition each receiver actually applied.

Step 4: Continuous Monitoring and Refinement
DMARC configuration is not a one-time task. New sending services, changes to existing ones, or evolving threat landscapes require ongoing attention.

  • Regularly review DMARC reports.
  • Adjust SPF and DKIM records as your email infrastructure evolves.
  • Consider moving to p=reject once p=quarantine is at pct=100 and stable, and set sp= so that subdomains, especially ones that never send mail, are covered as well.
  • Regularly check domain reputation to ensure your efforts are positively impacting sender scores.
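Steps 1 to 4 above, as an added example that is not part of the original article: a Python script that summarises one aggregate report and decides whether the domain is ready for p=quarantine. SAMPLE_REPORT is a constructed report in the RFC 7489 Appendix C format (documentation IPs, not real senders), and the set of "known" source IPs passed to readiness() is an assumption standing in for your own inventory of sending systems.

```python
# Added example (not from the article): summarising a DMARC aggregate (rua) report to
# judge readiness for p=quarantine. SAMPLE_REPORT is a constructed report in the
# RFC 7489 Appendix C format; the IPs are documentation addresses, not real senders.
import xml.etree.ElementTree as ET

SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>receiver.example</org_name><report_id>1001</report_id>
    <date_range><begin>1700000000</begin><end>1700086400</end></date_range></report_metadata>
  <policy_published><domain>yourdomain.com</domain><adkim>r</adkim><aspf>r</aspf>
    <p>none</p><pct>100</pct></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>940</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
    <auth_results><dkim><domain>yourdomain.com</domain><selector>s1</selector><result>pass</result></dkim>
      <spf><domain>yourdomain.com</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
    <auth_results><dkim><domain>mailgun.org</domain><selector>k1</selector><result>pass</result></dkim>
      <spf><domain>mailgun.org</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.99</source_ip><count>300</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
    <auth_results><spf><domain>yourdomain.com</domain><result>fail</result></spf></auth_results>
  </record>
</feedback>
"""


def summarize(xml_text: str) -> dict:
    """Per source IP: total messages, messages that passed DMARC, and raw SPF/DKIM results.

    policy_evaluated/dkim and /spf are the *aligned* results the receiver used, so a
    'pass' there means DMARC passed. auth_results holds the raw, pre-alignment checks,
    which is how an unaligned third party (raw pass, evaluated fail) is spotted.
    """
    root = ET.fromstring(xml_text)
    summary = {}
    for rec in root.findall("record"):
        ip = rec.findtext("row/source_ip")
        count = int(rec.findtext("row/count"))
        evaluated = rec.find("row/policy_evaluated")
        passed = "pass" in (evaluated.findtext("dkim"), evaluated.findtext("spf"))
        auth = rec.find("auth_results")
        raw = [(e.tag, e.findtext("domain"), e.findtext("result"))
               for e in (auth if auth is not None else [])]
        entry = summary.setdefault(ip, {"count": 0, "passed": 0, "raw": []})
        entry["count"] += count
        entry["passed"] += count if passed else 0
        entry["raw"].extend(raw)
    return summary


def readiness(summary: dict, known_sources: set, threshold: float = 0.99) -> dict:
    """Judge readiness by the sources you know are yours, not by the overall pass rate:
    spoofers are supposed to fail, so their volume must not count against you."""
    known = {ip: s for ip, s in summary.items() if ip in known_sources}
    total = sum(s["count"] for s in known.values())
    passing = sum(s["passed"] for s in known.values())
    rate = passing / total if total else 0.0
    return {
        "known_pass_rate": rate,
        "failing_known": sorted(ip for ip, s in known.items() if s["passed"] < s["count"]),
        "unknown_sources": sorted(ip for ip in summary if ip not in known_sources),
        "ready": total > 0 and rate >= threshold,
    }


if __name__ == "__main__":
    # Assumption: these two IPs are your own mail server and your Mailgun sending IP.
    result = readiness(summarize(SAMPLE_REPORT), {"192.0.2.10", "198.51.100.7"})
    print(result)  # not ready: Mailgun passes raw SPF/DKIM on mailgun.org but is unaligned
```

The second record is the pattern to look for before enforcement: raw SPF and DKIM both pass, but on mailgun.org rather than yourdomain.com, so the receiver evaluated both as fail. The third record is a source you do not own and should stay failing; readiness() lists it under unknown_sources rather than counting it against the pass rate.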

Benefits and Considerations

Implementing DMARC with p=quarantine offers significant advantages for domain security and email deliverability.

Benefits:

  • Enhanced Security: Stops mail that puts your exact domain in the From header without passing authentication, the basis of many phishing and Business Email Compromise (BEC) attacks. It does not stop lookalike domains (yourdomain-support.com), display-name spoofing, or compromised accounts that send fully authenticated mail, so treat it as one layer rather than a complete anti-phishing control.
  • Improved Deliverability: Receivers factor authentication into filtering, and since 2024 Google and Yahoo require a published DMARC policy from bulk senders. A domain with aligned SPF and DKIM and a published policy is less likely to see legitimate mail marked as spam or rejected.
  • Brand Protection: Prevents unauthorized use of your brand in email communications, safeguarding your reputation and customer trust.
  • Visibility and Control: DMARC reports provide unparalleled visibility into who is sending email using your domain, allowing you to identify and address unauthorized activity.

Considerations:

  • Third-Party Senders: A common challenge involves third-party services (e.g., marketing platforms, CRMs, transactional email providers) that send email on your behalf. Configure them to sign with a DKIM selector under your domain and, where the service offers it, to use a custom bounce (Return-Path) subdomain of yours so SPF aligns too. A service that authenticates only with its own domain passes SPF and DKIM yet fails DMARC for lack of alignment, and its mail will be quarantined.
  • Indirect Mail Flows: Forwarding and mailing lists break SPF alignment because the forwarder's own MAIL FROM replaces yours, and lists that rewrite the Subject or append footers break DKIM as well. DKIM-sign all outbound mail so plain forwarding still passes, and expect some list traffic to be quarantined; receivers that implement ARC (RFC 8617) can override such results.
  • Subdomains: A record at _dmarc.yourdomain.com also covers every subdomain that has no _dmarc record of its own. The sp tag sets the policy for those subdomains (for instance sp=reject for subdomains that never send mail), while a subdomain with its own _dmarc record uses that record instead. Make sure any subdomain that does send mail authenticates and aligns before the parent policy is tightened.
  • Reporting Tools: Manually parsing DMARC XML reports can be complex. Utilizing a DMARC reporting service simplifies report aggregation, analysis, and visualization, making the monitoring process more efficient.
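The subdomain rule above and the pct sampling described in Step 3, as an added example that is not part of the original article: a Python implementation of DMARC policy discovery (RFC 7489 section 6.6.3, including the sp tag) and of the disposition a receiver applies when pct is below 100 (section 6.6.4). DNS is replaced by the constructed TXT_RECORDS dict, PUBLIC_SUFFIXES is a stand-in for the Public Suffix List, and dmarc@yourdomain.com is a placeholder report address.

```python
# Added example (not from the article): which DMARC record applies to a From domain
# (RFC 7489 section 6.6.3, including the sp tag) and what disposition a receiver
# applies when pct < 100 (section 6.6.4). DNS is replaced by the constructed
# TXT_RECORDS dict; PUBLIC_SUFFIXES is a stand-in for the Public Suffix List;
# dmarc@yourdomain.com is a placeholder report address.
PUBLIC_SUFFIXES = {"com", "org", "net", "co.uk"}

# Constructed zone data (assumption): the TXT values a resolver would return.
TXT_RECORDS = {
    "_dmarc.yourdomain.com":
        "v=DMARC1; p=quarantine; pct=25; sp=reject; rua=mailto:dmarc@yourdomain.com; aspf=r; adkim=r;",
    "_dmarc.newsletter.yourdomain.com":
        "v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com",
}

DEFAULTS = {"pct": "100", "adkim": "r", "aspf": "r"}
WEAKER = {"reject": "quarantine", "quarantine": "none", "none": "none"}


def organizational_domain(domain: str) -> str:
    """Registrable domain: the longest known public suffix plus one more label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return ".".join(labels)


def parse_record(txt: str) -> dict:
    """Split 'tag=value; ...' into a dict, fill RFC defaults, reject non-DMARC records."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError(f"not a usable DMARC record: {txt!r}")
    if not 0 <= int(tags.get("pct", "100")) <= 100:
        raise ValueError("pct must be between 0 and 100")
    return {**DEFAULTS, **tags}


def applicable_policy(from_domain: str, txt_records: dict):
    """An exact _dmarc record for the From domain wins; otherwise the organizational
    domain's record applies, with sp (when present) replacing p for subdomains.
    Returns None when the domain publishes no DMARC record at all."""
    from_domain = from_domain.lower().rstrip(".")
    exact = txt_records.get(f"_dmarc.{from_domain}")
    if exact is not None:
        return parse_record(exact)
    org = organizational_domain(from_domain)
    org_txt = txt_records.get(f"_dmarc.{org}")
    if org_txt is None:
        return None
    tags = parse_record(org_txt)
    if org != from_domain and "sp" in tags:
        tags["p"] = tags["sp"]
    return tags


def disposition(tags: dict, dmarc_pass: bool, sampled: bool) -> str:
    """Disposition for one message. 'sampled' is whether the receiver's random draw put
    the message inside the pct percentage; messages outside it get the next weaker policy."""
    if dmarc_pass:
        return "none"
    if sampled or int(tags["pct"]) >= 100:
        return tags["p"]
    return WEAKER[tags["p"]]


if __name__ == "__main__":
    for d in ("yourdomain.com", "hr.yourdomain.com", "newsletter.yourdomain.com", "other.com"):
        print(d, applicable_policy(d, TXT_RECORDS))
    org = applicable_policy("yourdomain.com", TXT_RECORDS)
    print(disposition(org, False, True), disposition(org, False, False))  # quarantine none
```

Two things the run makes visible: a spoofed hr.yourdomain.com, which publishes nothing of its own, is rejected outright because of sp=reject, while newsletter.yourdomain.com keeps its own p=none; and with pct=25, three out of four failing messages at the apex domain are still delivered under p=none, which is exactly why pct=100 should be reached before anyone treats the domain as enforced.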
