I recently discovered that our DMARC policy is set to 'none', which means emails that fail SPF or DKIM checks are still delivered. I'm considering changing it to 'reject' since that's probably the safest option. However, if we're implementing a new system like Salesforce, should I temporarily adjust the policy to ensure legitimate emails come through without issues? Also, do I really need an RUA (reporting URI for aggregate data) email address? Is it worth the effort to set up, and can anyone recommend any free and easy parsers for RUA reports?
8 Answers
Many folks I know set their DMARC policy to 'quarantine' first. But looking at our DMARC reports, we're ready to switch to 'reject'. Just remember, DMARC is only part of the spam detection puzzle; filters also look at SPF, DKIM, and more when scoring emails.
Deciding between 'reject' and 'quarantine' really hinges on whether you have a full understanding of all legitimate services sending from your domain. If you're certain, go with 'reject'. If not, start with 'quarantine' to catch any failed emails without losing them entirely.
I have my policy set to 'reject' once I’m sure every legitimate sender is configured correctly. The tools for managing DMARC, like Cloudflare, are quite effective for keeping everything monitored.
Setting it to 'p=none' provides time to evaluate your sending resources, ensuring no legitimate systems are overlooked. As for the RUA, it's helpful for identifying issues, especially if you have multiple providers sending on your behalf.
In my experience, DMARC acts as a guideline, but I block all emails that fail both SPF and DKIM checks, regardless of what the DMARC policy suggests. So, yes, changing it to 'reject' is definitely advisable.
I recommend going with 'reject'. Postmark has a user-friendly service that makes interpreting DMARC reports much easier.
Having an RUA is valuable; it helps track down issues with multiple email senders. We found out about a vendor's email problem using it. You can parse the reports yourself or use services like EasyDmarc. The 'pct' tag is great for gradually moving from 'none' to 'reject', ensuring a smooth transition without losing critical emails.
A solid tip is to check out Cloudflare for DMARC management. They have user-friendly tools perfect for most users, unless you're aiming for something more sophisticated.
