Nearly 1.2% of all global emails are malicious, translating to 3.4 billion daily phishing emails. [1]

Cybercriminals do this by spoofing senders’ identities and tweaking details in the “from” field. Often, they lure potential victims to open emails from names they recognize, be it the name of a trusted brand, their CEO, or even a colleague.

That’s why DMARC implementation is necessary. It helps legitimate organizations and senders like you thwart cyber attacks. If this topic or its effect on your email marketing campaign interests you, you’re in luck.

In this guide, we cover DMARC Quarantine as well as DMARC itself, the email authentication standard. If you already know about DMARC, skip to the DMARC Quarantine section.

What Is DMARC?

Domain-Based Message Authentication, Reporting & Conformance (DMARC) was developed in 2012 to stop phishing emails and is intended to function alongside the SPF and DKIM email authentication protocols.

DMARC helps email receiver systems detect if an incoming email is not from an organization’s approved domains. It also tells the receiver systems what they should do with the unauthorized emails.

Why Do You Need DMARC?

DMARC is an integral part of a company’s email deliverability strategy and security because it:

  • Prevents users from falling prey to phishing scams, which could jeopardize their organization’s security.
  • Blocks spoofed emails that could damage the brand’s reputation with its clients.
  • Monitors emails using the domain to ensure they are validated with SPF and/or DKIM. Understand more about this topic in our guide: SPF, DKIM, DMARC explained [Infographic]

Before DMARC, Google and other inbox providers relied on user feedback and strict filters to identify spammers. However, these filters are so strict that they can also block legitimate email domains and senders.

DMARC is so important because it allows the sender domain to examine feedback loop reports and develop authentication protocols. These protocols tell the receiving mail servers which IPs you own and instruct them to reject incoming emails from fraudulent IPs trying to use your domain.

DMARC Is Not Only for Email Security

While DMARC is necessary for email security (by preventing phishing attacks and email spoofing), DMARC is more than that.

It can also significantly improve legitimate email delivery. DMARC can boost a marketing campaign by improving brand trust.

Craft high-performing emails and improve their deliverability with InboxAlly. It’s a unique deliverability tool that teaches email providers to put your emails in inboxes right from the start.

Try it now for free.

How Does DMARC Work?

When an email arrives, the receiving server performs a Domain Name System (DNS) lookup to determine whether a DMARC record exists. Note that DMARC requires either a DKIM or an SPF record (better if both).

The receiving server then conducts a DMARC alignment test to verify that:

For DKIM – The value behind the “d” tag (or DKIM signature tag) matches the domain from which the email was sent.

Note: if you don’t include DKIM signature tags, your emails fail verification and get discarded.

For SPF – The “envelope from” address matches the “return-path address,” which contains the sender’s name and address and tells the inbox service providers (ISPs) or mail servers where to return messages in case they bounce.

This DMARC alignment test aims to ensure that the email address where the email came from is the same as where the potential reply will go.
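
The alignment test above, as an added example (not InboxAlly's code): it follows RFC 7489, which compares the header From domain with the SPF-authenticated envelope domain and with the DKIM d= domain. The two-label org_domain() shortcut and the sample messages are constructed assumptions; real receivers use the Public Suffix List.

```python
# Added example: DMARC identifier alignment as defined in RFC 7489.
# org_domain() is a simplification; real receivers use the Public Suffix List.

def org_domain(domain: str) -> str:
    """Approximate the organizational domain as the last two labels."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def aligned(from_domain: str, auth_domain: str, mode: str = "r") -> bool:
    """mode 'r' (relaxed) compares organizational domains, 's' (strict) exact."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def dmarc_pass(msg: dict, adkim: str = "r", aspf: str = "r") -> bool:
    """DMARC passes if SPF or DKIM passes AND aligns with the header From."""
    spf_ok = msg["spf"] == "pass" and aligned(msg["from"], msg["mail_from"], aspf)
    dkim_ok = msg["dkim"] == "pass" and aligned(msg["from"], msg["dkim_d"], adkim)
    return spf_ok or dkim_ok

# Constructed sample messages (not real traffic).
LEGIT = {"from": "example.com", "mail_from": "bounce.example.com",
         "spf": "pass", "dkim_d": "example.com", "dkim": "pass"}
# SPF passes for the envelope domain, but the visible From domain differs.
SPOOFED = {"from": "example.com", "mail_from": "mailer.example.net",
           "spf": "pass", "dkim_d": "", "dkim": "none"}
# Third-party sender that signs with its own domain and has no aligned SPF.
UNALIGNED_ESP = {"from": "example.com", "mail_from": "esp.example.org",
                 "spf": "pass", "dkim_d": "esp.example.org", "dkim": "pass"}

if __name__ == "__main__":
    for name, m in [("legit", LEGIT), ("spoofed", SPOOFED), ("esp", UNALIGNED_ESP)]:
        print(name, "DMARC pass" if dmarc_pass(m) else "DMARC fail")
```

The third case is the one that surprises senders: SPF and DKIM both pass, yet DMARC fails because neither authenticated domain aligns with the From domain.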

If you want an in-depth guide on DMARC authentication, check out our article DMARC vs. DKIM – How Do They Differ and Which One Do You Need? It will provide you with background knowledge to help you better understand this ‘warning’ and how to fix it.

The Three DMARC Policy Options

These form the sequence in which DMARC is applied, and they vary in the protection they provide against unauthorized use of domains, spoofing, and phishing.

1. p=none

The first of three DMARC policies is “none.”

“None” is applied to gain complete visibility into how a domain is used without influencing or impacting how the email receivers treat the email. It’s likened to telling Yahoo or Gmail,

“Kindly treat my email as you normally would, and please send me DMARC reports to help me make an informed decision concerning my project.”

p=none is an excellent way to monitor for fraud, but it doesn’t help as much in preventing it from happening in the first place.

Pro Tip: Always start with the p=none policy, then move to p=quarantine or p=reject as you better understand your sending reputation.

Now, let’s finally learn about DMARC quarantine.

2. p=quarantine

This second policy, DMARC quarantine, directs the receiver server to consider emails suspicious when they fail DMARC authentication. Those emails should be delivered straight into the recipient’s spam folder or be discarded entirely.

3. p=reject

The DMARC reject policy takes things further by directing the recipient mail servers to reject emails sent from domains that fail the DKIM and SPF checks. It means that those email messages will not reach the inbox or even the spam folder of the recipient.

The most secure state of the DMARC deployment test is a p=reject policy at 100%. Such a level prevents unauthorized emails from being delivered from your domain.

More About the DMARC Quarantine (The Second Policy or The “Soft Fail”)

DMARC Quarantine is the second policy in a DMARC project, which is a significant milestone.

It offers partial protection against unauthorized use of the domain. It tells the email receiver to accept the email but downgrade its trustworthiness by placing it in the quarantine folder.

Unlike with p=reject, no message rejection notice is sent to the sender with p=quarantine.

DMARC Quarantine is considered a “soft fail” in the email security process. If you set it to 25%, then 25% of the unauthenticated emails will be sent to the recipient’s spam, while the other 75% will be delivered to inboxes (in the same manner as 100% of the authenticated emails).
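
How a receiver applies p=quarantine with a percentage, as an added example that is not from the original article. It assumes the percentage is published in the record's pct tag and that failures outside the sample get the next lower policy, as RFC 7489 describes; the record, mailbox and seed are constructed.

```python
import random

POLICIES = ("none", "quarantine", "reject")

def parse_dmarc(txt: str) -> dict:
    """Parse a DMARC TXT record into its tags, validating v, p and pct."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    if tags.get("p") not in POLICIES:
        # Simplification: this example treats such records as invalid.
        raise ValueError("missing or invalid p= tag")
    pct = int(tags.get("pct", "100"))      # pct defaults to 100
    if not 0 <= pct <= 100:
        raise ValueError("pct must be between 0 and 100")
    return {"p": tags["p"], "pct": pct, "rua": tags.get("rua", "")}

def disposition(record: dict, dmarc_passed: bool, rng: random.Random) -> str:
    """Return the policy a receiver applies to one message."""
    if dmarc_passed or record["p"] == "none":
        return "none"
    if rng.random() * 100 < record["pct"]:
        return record["p"]                 # sampled: published policy applies
    # Not sampled: the next lower policy applies (reject -> quarantine -> none).
    return POLICIES[POLICIES.index(record["p"]) - 1]

def tally(txt: str, failing: int, seed: int = 1) -> dict:
    """Count dispositions for `failing` messages that all fail DMARC."""
    record, rng, counts = parse_dmarc(txt), random.Random(seed), {}
    for _ in range(failing):
        d = disposition(record, False, rng)
        counts[d] = counts.get(d, 0) + 1
    return counts

# Constructed record for the 25% case described above.
SAMPLE = "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc-reports@example.com"

if __name__ == "__main__":
    print(tally(SAMPLE, 10000))  # roughly a quarter quarantined, the rest "none"
```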

Why Do Emails Get Quarantined?

They get quarantined as the system detects senders, patterns, or words that could be considered malware, phishing, spam, or cybersecurity attacks.

Is DMARC Quarantine Better Than DMARC Reject?

Not necessarily.

Which policy is better ultimately depends on your organization’s needs. But if you prefer complete protection for your recipients’ emails, we recommend implementing the DMARC reject policy.

Nevertheless, DMARC quarantine, which goes beyond p=none, is still better in that emails are not rejected outright.

Even though the reject policy is the most secure of all policy options, if it is put in place too quickly without testing the settings, ISPs may block your legitimate messages.

Pro Tip: Avoid jumping straight to reject in your DMARC implementation journey. If you do, you may prevent legitimate and authorized messages from landing in your recipients’ inboxes.

An Example of How DMARC Quarantine Works

Let’s say you send an email from the address You@example.com. 

To prevent email spoofing, you used DMARC and set the policy to p=none in your DNS record.

When you set that policy, you can monitor your email authentication via DMARC reports. Then, you can increase your email security to p=quarantine as you better understand and use SPF and DKIM policies.

With DMARC Quarantine, you tell ISPs to forward unauthenticated emails from your domain to the spam folder.

Escalating Your DMARC Policy: Moving From None To Quarantine

After configuring the legitimate email sources, you can escalate your DMARC policy from “none” to “quarantine.”

It’s a valuable option for businesses unsure if they’re ready to implement the DMARC policy. The Quarantine option allows them to test the accuracy of their existing email authentication policies.
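
Before escalating, the DMARC reports gathered under p=none show which sources still fail. This added example (not part of the original article) reads a constructed report in the RFC 7489 aggregate XML format and lists the source IPs whose mail failed both DKIM and SPF under DMARC; the IPs and counts are made up.

```python
import xml.etree.ElementTree as ET

# Constructed aggregate (rua) report fragment; IPs are documentation addresses.
# Reports come from third parties: in production, parse them with defusedxml.
REPORT = """<feedback>
  <policy_published><domain>example.com</domain><p>none</p></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>940</count>
    <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>55</count>
    <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers></record>
  <record><row><source_ip>203.0.113.5</source_ip><count>5</count>
    <policy_evaluated><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers></record>
</feedback>"""

def failing_sources(xml_text: str) -> dict:
    """Map source IP -> message count where aligned DKIM and SPF both failed."""
    failures = {}
    for rec in ET.fromstring(xml_text).iter("record"):
        row = rec.find("row")
        ev = row.find("policy_evaluated")
        if ev.findtext("dkim") != "pass" and ev.findtext("spf") != "pass":
            ip = row.findtext("source_ip")
            failures[ip] = failures.get(ip, 0) + int(row.findtext("count"))
    return failures

def pass_rate(xml_text: str) -> float:
    """Share of reported messages that passed DMARC via DKIM or SPF."""
    records = ET.fromstring(xml_text).iter("record")
    total = sum(int(r.findtext("row/count")) for r in records)
    failed = sum(failing_sources(xml_text).values())
    return (total - failed) / total

if __name__ == "__main__":
    print("still failing:", failing_sources(REPORT))
    print("pass rate: %.1f%%" % (100 * pass_rate(REPORT)))
```

Each failing source is either a legitimate sender that still needs SPF or DKIM set up, or unauthorized use of the domain; only the latter should remain when the policy moves to quarantine.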

What if Your Emails Land in Inboxes Just Fine?

It’s understandable to implement DMARC when your target recipients never see your emails in their inboxes. But what if your emails land in inboxes just fine?

First, it is a requirement for bulk email marketers, particularly those sending mass emails to Yahoo and Gmail inboxes. These mail providers declared in October 2023 that they will put stricter standards on senders, and these standards have more robust authentications. They were referring to DMARC.

Second, it’s for security. Most network attacks are becoming more sophisticated and occur through email infrastructure. A phishing attack can severely damage your brand reputation, deliverability rates, and ISP reputation. DMARC prevents that from happening as it protects you and your sender’s identity.

InboxAlly Is Here To Help

Email authentication has always been a top priority for InboxAlly. Everyone should send emails with the proper infrastructure, standards, and tools without paying enterprise costs.

DMARC is an integral part of our mission.

This is why we made sure our platform works with any email-sending service. It teaches email providers to land your messages in your target recipients’ inboxes from the start or keep them out of the spam and promotions folder for good. Here’s how we do it.

Moreover, we have designed our tool with versatility in mind to cater to the unique needs of different users, be it email marketing agencies, cold emailers, email list owners, affiliate marketers, or businesses new to mass email marketing. We even offer enterprise-level, customizable plans.

Implementing and advancing your domain’s DMARC policy is one of the best ways to protect your email account.

The DMARC Quarantine policy (p=quarantine) tells the receiving server to quarantine unqualified emails. Thus, these quarantined emails typically land in the spam folder.

DMARC Quarantine is also an incredibly useful tool to protect businesses against spoofing attacks without the risk of completely cutting off legitimate email communication.

InboxAlly automates your email deliverability to ensure your emails get high inbox placement rates every time. It is ideal for small to mid-sized enterprises.

Learn more about how InboxAlly increases open rates without the fear of landing in spam.

Reference:

[1] https://www.stationx.net/phishing-statistics/