DMARC includes a quarantine policy, set with the tag p=quarantine, which means emails are tagged as spam and then forwarded to the owner of that domain for review. This catches most of the spoofing domains ahead of time. This guide is designed to help you understand what DMARC Quarantine is and how DMARC works with the p=quarantine policy.
What is DMARC Quarantine?
DMARC Quarantine is one of the three DMARC policies (the other two being p=none and p=reject) that instructs the email receiving server to place all emails that fail DMARC authentication into the recipient’s spam/junk folder.
When you set a DMARC policy to p=quarantine, you’re telling email servers that if an email fails DMARC authentication, the server should quarantine that email. “Quarantining” an email means it will still be delivered to the recipient, but it will be flagged as suspicious and sent to the recipient’s spam folder (or “junk mail”) instead of the inbox.
Here is how you can locate your spam folder on Gmail.
A DMARC Record with the Quarantine policy may look like this:
v=DMARC1; p=quarantine; rua=mailto:dmarc-agg@example.com;
How is DMARC Quarantine Policy Executed?
A quarantine policy means that email providers who receive messages from your end will check with DMARC to see if the message has passed DKIM or SPF authentication, and they will also check if the domain found in the address matches the domains found in either SPF or DKIM identifier alignment. If the criteria are met, then the email provider will deliver your message to the user’s inbox. However, if these criteria are not met, then the email provider will put your message in the spam folder or reject it outright.
A Step-by-Step Analysis of The DMARC Quarantine Policy Functioning
1. When an email is sent, the receiver checks for the existence of a DMARC record.
2. If the message fails to pass SPF or DKIM, then it’s assessed based on the domain alignment parameters in the DMARC record, which are passed in with the DMARC check. Domain alignment refers to whether or not the domain in a From address matches the domain in an SPF record.
3. The treatment options defined by a DMARC policy are based on how closely aligned the message is with a sending domain.
4. If the sender passes authentication, then it will be delivered as usual.
5. On the contrary, if it isn’t closely aligned, then the applied DMARC policy (which in our case is p=quarantine) is executed.
6. The DMARC p=quarantine policy will instruct the receiving server to treat emails that fail DMARC authentication as suspicious; they will not be delivered straight to the user’s inbox, but they will also not be discarded entirely. They will be put in a spam or junk folder or flagged in some way so that the user knows the email is not authentic.
Importance of DMARC Quarantine Policy
DMARC is an effective tool for preventing email spoofing, and the Quarantine Policy is a great way to keep your inbox safe without making a lot of changes to your system.
Using p=quarantine tells your receiving mail server that all emails that do not have your domain name in the “From” field (or any other set criteria) should be quarantined by default.
For instance:
If a spammer tries to send an email from “admin@yourdomain.com” but doesn’t have access to the information necessary to sign it with DKIM or SPF, then the email will be quarantined instead of delivered. This protects your inbox from a lot of unwanted messages.
The Quarantine Policy is also great because it reduces false positives – since you’re just telling your receiving mail server to quarantine any emails that don’t meet the set criteria, you don’t need to worry about identifying which emails are malicious and which ones are coming from legitimate sources.
DMARC Quarantine Significance Explained with an Example
Let’s say you’re an HR rep for a company called Akme. One day, your boss sends you an email asking you to transfer $1,000 to the bank account of a vendor named Dynamic Corp.
You’ve never heard of this vendor before. You don’t even think your company works with vendors!
But since the message is from your boss’s email address and not some random account, you assume it’s legitimate. So you wire the money.
The next day, your boss asks why you sent Dynamic Corp $1,000. You tell him you thought he asked you to. He tells you that it was someone pretending to be him who sent the email in question, and he never actually asked you to make that payment!
With DMARC Quarantine Policy, that never happens. If Akme established a DMARC quarantine policy via DMARC protocol (by publishing a DMARC TXT record), when someone spoofs the Akme domain and sends an email like this one purporting to be from Akme HR, the recipient’s inbox will flag the message as spam or junk mail, preventing the problem before it can even begin.
The Recommended Percentage of Quarantining Messages in DMARC Record
When you’re setting up your DMARC record, it’s important to remember that the quarantine action can cause you to lose some good emails. This is where the percentage value comes in—it tells the receiving mail servers what percentage of emails should be treated as spam. This means that for every 100 emails, only [x] will be quarantined.
For small organizations, we recommend a value of 10%. This means that if someone sends you an email that fails the DMARC check, there’s only a 1-in-10 chance that it will be quarantined as spam. That way, you’ll be reducing the risk of losing legitimate messages while still being able to test out your DMARC setup on real emails.
We recommend a much lower percentage for large organizations—about 1%. For large organizations, this means that if someone sends an email that fails DMARC authentication there is a 1-in-100 chance it’ll get quarantined as spam. When you’re running a large organization, you may need to trust certain senders based on their IP address or domain name alone–for instance, if your office building is located in a shared space and has a single IP address for all tenants.
An example of DMARC Record with the percentage tag:
v=DMARC1; p=quarantine; pct=10; adkim=r; aspf=r; rua=mailto:dmarc-agg@example.com;
pct= represents the percentage of emails you want to be sampled. So if you have a pct tag that says 100, then every email will be sampled. If you have a pct tag that says 10, then 1 out of every 10 emails will be sampled.
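The step-by-step evaluation and the pct sampling described above, as an added Python example (not PowerDMARC's code, and not how any particular receiver is implemented). The function names are hypothetical, the organizational domain is approximated as the last two labels, and the caller supplies a per-message bucket from 0 to 99 in place of the receiver's random sampling.

```python
def parse_dmarc(record):
    """Parse a DMARC TXT record into a dict of tags with RFC 7489 defaults."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("missing or invalid p= tag")
    pct = tags.get("pct", "100")
    if not (pct.isascii() and pct.isdigit() and int(pct) <= 100):
        raise ValueError("pct must be an integer 0-100 with no % sign")
    tags["pct"] = int(pct)
    tags.setdefault("adkim", "r")  # relaxed alignment is the default
    tags.setdefault("aspf", "r")
    return tags


def aligned(from_domain, auth_domain, mode):
    """Strict ('s') needs an exact match; relaxed ('r') the same org domain."""
    f, a = from_domain.lower(), auth_domain.lower()
    if mode == "s":
        return f == a
    # Assumption: the organizational domain is the last two labels.
    # Real receivers derive it from the Public Suffix List.
    return f.split(".")[-2:] == a.split(".")[-2:]


def disposition(tags, from_domain, spf, dkim, bucket):
    """spf/dkim are (passed, domain) pairs; bucket is 0-99, random per message."""
    spf_ok = spf[0] and aligned(from_domain, spf[1], tags["aspf"])
    dkim_ok = dkim[0] and aligned(from_domain, dkim[1], tags["adkim"])
    if spf_ok or dkim_ok or tags["p"] == "none":
        return "deliver"
    if bucket < tags["pct"]:
        return tags["p"]  # message falls inside the pct sample
    # Outside the sample, RFC 7489 6.6.4 steps down one level.
    return "quarantine" if tags["p"] == "reject" else "deliver"


if __name__ == "__main__":
    # Constructed record and messages, not taken from real traffic.
    policy = parse_dmarc("v=DMARC1; p=quarantine; pct=10; rua=mailto:dmarc-agg@example.com;")
    print(disposition(policy, "example.com", (False, ""), (True, "mail.example.com"), 3))
    print(disposition(policy, "example.com", (True, "bulk-sender.test"), (False, ""), 3))
    print(disposition(policy, "example.com", (True, "bulk-sender.test"), (False, ""), 42))
```

The second and third calls show that an SPF pass for a domain that does not align with the From domain still fails DMARC, and that with pct=10 only messages falling inside the sample are quarantined.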
p=none VS p=quarantine VS p=reject
- p=none simply means that your recipient servers will monitor for emails coming from your domain, but not block any messages that might be fraudulent. It’s a good way to start monitoring for fraud, but doesn’t do as much to prevent it from happening.
- p=quarantine is a way of telling recipient servers that you want them to put any emails sent from your domain that fail the SPF or DKIM checks into the spam folder of their inbox, instead of in their regular email inbox.
- p=reject takes things one step further by telling the recipient server to actually reject any emails sent from your domain that fail the SPF or DKIM checks. This means that those emails will never reach the inbox (or even the spam folder) of the user who receives them.
We hope you understand what DMARC Quarantine is and how it works. If you’re interested in learning more about DMARC, PowerDMARC offers a variety of tools to help with the process. These include a DMARC XML reader that summarizes your current DMARC record and detects any existing issues, as well as an SPF generator so you can create your own SPF records for your domain for free.