"Why are our emails broken? What did you change?"
Every Managed Service Provider (MSP) has been there. Your client hired a web developer who decided to send emails from their domain without telling anyone. Now the customer is missing sales leads, and somehow it's your fault.
Here's why DMARC p=reject
policies actually protect you from these situations better than p=quarantine
- and make your life easier when shadow IT inevitably happens.
Some DMARC guides tell you to use p=quarantine
because it's "safer". But when a web developer or marketing consultant starts sending unauthenticated emails from your client's domain, those emails end up in junk folders.
The real problem: p=quarantine
creates ambiguity. Is it a configuration issue with legitimate senders? A deliverability problem? Or unauthorised sending? You can't tell without deep analysis.
With p=reject, unauthorised senders fail immediately and completely. No emails delivered, no junk folders, no confusion.
When that web developer tries sending from your client's domain:
The setup: Professional services client with Microsoft 365, properly configured DMARC p=quarantine policy.
What happened: Client's web developer set up a new contact form on their website sending sales leads from their domain through a third-party platform—without telling anyone.
p=quarantine result:
What p=reject would have done:
MSPs deal with shadow IT constantly:
With p=quarantine: Shadow IT mail may be festering in junk folders.
With p=reject: Shadow IT senders fail fast and contact the client to fix authentication.
The traditional argument against p=reject was "you might block legitimate senders by accident". But with tools like VerifyDMARC's Sender Compliance Report, you can see all senders and their overall compliance across all domains.
Correctly configured DKIM is important with p=reject
policies as some types of mail cannot pass SPF checks. VerifyDMARC's No DKIM Senders report makes it easy to identify legitimate senders that have passed SPF checks but do not have DKIM correctly enabled.
p=quarantine support flow:
p=reject support flow:
p=reject
doesn't just provide better security—it provides better business protection for MSPs. When unauthorised senders fail cleanly, you're not the first person clients call about email problems.
Your clients get clear outcomes: email either works perfectly or fails with obvious error messages. No gray areas, no spam folder investigations, no lengthy troubleshooting sessions for problems you didn't create.
VerifyDMARC's Sender Compliance Report gives you the visibility to deploy p=reject
policies safely across all client domains. See every sender's authentication status in one place and implement policies that protect both your clients and your sanity.
Start your 30-day free trial and experience how p=reject
actually makes client management easier.
A practical guide for MSPs and SMEs to implement DMARC, SPF and DKIM protection for Microsoft 365, Office 365 and Exchange Online email services.
To fix "does not meet the required authentication level" from Microsoft, you need a DMARC record, SPF and DKIM passing, plus SPF or DKIM alignment.
Explore inbound email security for SMEs: Compare MTA-STS and DANE with practical guidance on enhancing security using TLS reporting and MTA-STS.