Policy Modes: Quarantine vs Reject?

Domain owners can publish policies that will be applied to email that is not compliant with DMARC:

  • none – which means “take no action, just collect data and send me reports”,
  • quarantine – which means “treat with suspicion”, and
  • reject – which means “block outright”.

DMARC deployers often ask us: “what’s the difference between quarantine and reject, and what will happen when I publish these policies?” Understanding what happens when quarantine or reject is published is pretty important!

Quarantine

Quarantine instructs email receivers to treat email that fails the DMARC check with increased scrutiny. Email is still accepted and it is up to the individual receiver to implement what quarantine means. Possible implementations:

  • deliver to spam-folder: if an email receiver hosts the recipient’s mailbox, then the receiver might be able to deliver non-compliant email into the recipient’s spam folder.
  • quarantine: an email receiver may choose to temporarily quarantine non-compliant email so that additional analysis of the email can be performed. An operator may then release email from the quarantine after review.
  • increase aggressiveness of anti-spam filtering: Anti-spam filtering is a trade-off between identifying as much spam as possible versus accidentally identifying wanted email as spam. When a decision is made regarding if an email is spam, email that falls under a quarantine policy may be more likely to be judged as spam.

The important thing to know about publishing a quarantine policy is that non-compliant email is still delivered. The email may or may not arrive at its final destination (due to existing non-DMARC technology designed to block unwanted email), but email will continue to flow out of email servers.

The impact of a quarantine policy on non-compliant legitimate email will therefore not be immediately obvious to the sources of such email. The source of legitimate-but-non-compliant email will see a decrease in the performance of their email communications. Due to the variance in how quarantine is implemented, the source’s email will be spam-foldered, delayed, and possibly discarded by email receivers. Unless the source of affected email is paying close attention to its own performance, the impact of quarantine may go unnoticed for a long period of time!

Reject

Reject instructs email receivers to refuse to accept email that fails the DMARC check. There are two known implementations:

  • Refuse to accept non-compliant email at SMTP time. This is the preferred and most widely adopted implementation as it prevents non-compliant email from leaving the sender’s server, which makes it possible for senders to immediately know why non-compliant email isn’t getting through.
  • Initially accept email via SMTP and then prevent the final delivery of the non-compliant email. This implementation is less optimal in that responsibility for delivery of an email has been assumed via SMTP, and yet the email is eventually not delivered. When delivery fails, one of two things can happen:
    • a Delivery Status Notification (aka a “bounce” message) is generated, or
    • the non-compliant email is silently dropped.

By default, email that falls under a reject policy is not delivered. This behavior is a great control against the sending of unauthorized email.

The impact of a reject policy on legitimate-but-non-compliant email will therefore be immediately obvious – email will stop flowing. When moving to a reject policy, a domain owner should be ready to deal with legitimate sources of email that might run into reject-based policies, as the source of email will surely require assistance in becoming compliant with DMARC.

Minimizing Policy Impact

DMARC is designed to provide domain owners with visibility (via feedback reports) into how domains are performing. Domain owners are supposed to use this visibility to get their legitimate sources of email into compliance with DMARC before deploying either quarantine or reject. When deployed correctly, the impact of quarantine or reject policies on legitimate email is minimal.

A Note on Forwarding

Even when domain owners go through the proper steps to deploy DMARC and all legitimate sources of email are sending DMARC-compliant email, forwarding of email does happen on the Internet. When forwarding happens, email may flow to receivers through routes that break DMARC’s ability to determine if email is authorized. That is, even though the domain owner is doing everything right, some legitimate email may still be affected by quarantine or reject policies. The visibility that DMARC provides to domain owners can describe the extent of this impact (it varies by domain according to where email is being sent), and should be incorporated into any decision to move to either quarantine or reject.
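To make the policy modes and the forwarding caveat above concrete, here is an added receiver-side model (illustrative code written for this article, not part of the original post or any DMARC implementation): it parses a published DMARC record, runs the identifier-alignment check that decides pass or fail, maps the p= policy onto a disposition, and replays a constructed forwarding scenario in which SPF fails at the forwarder and DKIM survives only if the forwarder leaves the signed content intact. The organizational-domain approximation (last two labels, no Public Suffix List) and the sample domains are assumptions.

```python
# Added illustration of DMARC policy handling; not code from the original article.
# Assumption: organizational domain is approximated by the last two DNS labels
# (a real receiver would consult the Public Suffix List).

def parse_dmarc(txt):
    """Turn 'v=DMARC1; p=reject; adkim=s' into a dict of lower-cased tags."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    return tags

def org_domain(domain):
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """Strict ('s') alignment needs an exact match; relaxed ('r') compares org domains."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def dmarc_result(record, from_domain, spf_pass, spf_domain, dkim_pass, dkim_domain):
    """DMARC passes when at least one authenticated identifier aligns with the From: domain."""
    spf_ok = spf_pass and aligned(from_domain, spf_domain, record.get("aspf", "r"))
    dkim_ok = dkim_pass and aligned(from_domain, dkim_domain, record.get("adkim", "r"))
    return "pass" if (spf_ok or dkim_ok) else "fail"

def disposition(record, result):
    """Map the published p= policy onto what a receiver does with the message."""
    if result == "pass":
        return "deliver"
    actions = {"none": "deliver (report only)", "quarantine": "quarantine", "reject": "reject"}
    return actions[record["p"].lower()]

def forwarding_scenario(record_txt, forwarder_rewrites_body):
    """Constructed case: mail from example.com relayed through a forwarder.
    SPF fails because the forwarder's IP is not authorized for example.com;
    DKIM still verifies unless the forwarder modified the signed content."""
    record = parse_dmarc(record_txt)
    result = dmarc_result(record, "example.com",
                          spf_pass=False, spf_domain="example.com",
                          dkim_pass=not forwarder_rewrites_body,
                          dkim_domain="mail.example.com")
    return disposition(record, result)
```

Under p=reject an intact forward still passes on aligned DKIM, while a body-rewriting forwarder turns the same legitimate message into a rejection; under p=none the same failure only shows up in the reports.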