Why it is so important to set the DMARC p-switch to reject.
Three things to remember:
The main purpose of DMARC is to set a policy (p). This policy defines the action that should take place when unauthenticated mail from this domain is received (and in no other case). The options are:
- none: to do nothing when authentication fails
- quarantine: to put the mail in the SPAM folder when authentication fails
- reject: to reject the message when authentication fails.
Only by using the reject policy can a domain be fully protected.
DMARC allows ISPs to rely not only on IP reputation, but also on domain reputation. Especially when sending via shared IPs, a good domain reputation can be helpful in delivering your emails to the right place. Without a DMARC record it is impossible for ISPs to reliably measure reputation for a domain.
Any domain owner that does not protect their domain with DMARC is vulnerable to phishing and spoofing abuse. Whenever your domain can be abused by a third party, your overall reputation is likely to suffer.
DMARC reporting alone - as in the following example - does not provide protection against phishing and consequent loss in reputation. It provides reporting functionality only. Such a setting can be useful when evaluating the impact of switching the policy to reject. It is not useful in protecting your domain.
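The sketch below is an added example, not part of the original article: it parses a DMARC TXT record and reports whether the policy is reporting-only or full reject enforcement. It goes slightly beyond the text by also checking the `sp` and `pct` tags, which can weaken a `p=reject` record; the records and `example.com` addresses are constructed samples.

```python
# Added example: sample records are constructed; example.com is a placeholder.
POLICIES = ("none", "quarantine", "reject")  # ordered weakest to strongest
SAMPLES = [
    "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com",    # reporting only
    "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com",  # enforced
    "v=DMARC1; p=reject; sp=none; pct=50",                       # weakened reject
]

def parse_dmarc(record):
    """Parse a DMARC TXT record (tag=value pairs separated by ';') into a dict."""
    tags = {}
    for part in record.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    # The version tag must come first and must be exactly DMARC1.
    if next(iter(tags), None) != "v" or tags["v"] != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    return tags

def assess(record):
    """Return the policy, whether reports are requested, and any weaknesses."""
    tags = parse_dmarc(record)
    policy = tags.get("p", "").lower()
    sub_policy = tags.get("sp", policy).lower()  # sp defaults to the value of p
    if policy not in POLICIES or sub_policy not in POLICIES:
        raise ValueError("missing or invalid p= or sp= tag")
    pct = int(tags.get("pct", "100"))            # pct defaults to 100
    findings = []
    if policy == "none":
        findings.append("p=none: unauthenticated mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine: unauthenticated mail goes to spam")
    if POLICIES.index(sub_policy) < POLICIES.index(policy):
        findings.append("sp=%s is weaker than p=%s for subdomains" % (sub_policy, policy))
    if policy != "none" and pct < 100:
        findings.append("pct=%d: policy covers only part of failing mail" % pct)
    if "rua" not in tags:
        findings.append("no rua=: no aggregate reports requested")
    return {
        "policy": policy,
        "reporting": "rua" in tags,
        "fully_protected": policy == "reject" and sub_policy == "reject" and pct == 100,
        "findings": findings,
    }

if __name__ == "__main__":
    for rec in SAMPLES:
        print(rec, "->", assess(rec))
```

Running it against a domain's published `_dmarc` TXT record before and after a policy change shows at a glance whether the record only reports or actually enforces.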