Life after p=reject

Domain owners often make the mistake of assuming that their email authentication journey ends at enforcement. In fact, life after p=reject is an important phase that determines the overall strength of their domain’s email security posture. For continued protection against spoofing and phishing attacks, it is imperative to formulate an email security strategy that begins once you achieve enforcement.

What is P=Reject? 

The DMARC policy has 3 definitive modes of enforcement that one can deploy:

  1. p=none (no action taken)
  2. p=quarantine (quarantines emails that fail DMARC)
  3. p=reject (rejects emails in case of DMARC fail)

Reject is the maximum enforcement policy for DMARC, and it helps domain owners block spoofed or phishing emails before they reach client inboxes. Those who wish to leverage DMARC to protect their domains against email-based attack vectors may find p=reject to be a suitable policy mode.

How to Reach P=Reject Mode? 

More often than not, domain owners try to rush through their protocol deployment process and expect to achieve enforcement as soon as possible. This, however, is not recommended. Let’s explain why:

Risks associated with DMARC at reject

  • Shifting to enforcement at a very fast pace can lead to email deliverability issues 
  • It can lead to the loss of legitimate email messages 
  • It can result in DMARC failures for emails sent outside of your own domain 

What is the recommended practice?

While the reject policy comes with its own set of warnings and disclaimers, its effectiveness in preventing a variety of email fraud attacks is undeniable. So let us now explore ways to shift to reject safely: 

  • Start with p=none

Instead of starting with an enforced policy, it is heavily encouraged to start with something that offers more flexibility and liberty, and that is exactly what p=none does. Although this policy doesn’t do much in terms of protection, it can serve as an excellent monitoring tool to assist in your implementation journey.

  • Enable DMARC Reporting

Monitoring your email channels can help you prevent unwanted delivery failures due to misconfigured protocols. It can allow you to visualize and detect errors, and troubleshoot them faster. 

DMARC reporting can help you identify the effectiveness of your email authentication policy.

While email authentication is not a silver bullet, it can be an effective tool in your security arsenal. With DMARC reporting, you can see whether your efforts are working and where you may need to adjust your strategy.

There are 2 Types of Reports: 

  • Aggregate (RUA) is designed to help you track your email-sending sources, senders’ IP addresses, organizational domains, and geolocations
  • Forensic (RUF) is designed to work as incident alert reports when a forensic event like spoofing takes place

  • Configure both SPF and DKIM along with DMARC

Too many cooks do not spoil the broth when it comes to DMARC implementation. Rather, security experts recommend pairing up DMARC with both SPF and DKIM for enhanced protection as well as to negate the possibility of false positives. It can also prevent unwanted DMARC fails.

DMARC needs either SPF or DKIM to pass authentication. 

This plays a pivotal role in helping you safely implement a reject policy, ensuring that even if SPF fails and DKIM passes or vice versa, DMARC will pass for the intended message.

  • Include all your sending sources

Missing out on sending sources in your SPF record can be especially damaging when you are trying to avoid unwanted DMARC failures. It is important to make a list of all your email-sending sources (which would include third-party email vendors and service providers like Gmail, Microsoft O365, Yahoo Mail, Zoho, etc.).

This is especially important if you are only using SPF in combination with DMARC. Every time you add or remove a sending source, your SPF record must reflect the same changes. 
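The monitoring steps above, as an added example that is not part of the original article: a Python script that reads a DMARC aggregate (RUA) report collected at p=none and lists the sending sources whose mail would be rejected at p=reject, then checks them against your own inventory of senders. The sample report, its IP addresses, and the function names are constructed for illustration, and the report is assumed to use no XML namespace.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample report (documentation IP ranges). Real reports arrive
# from third parties, so parse them with a hardened parser such as defusedxml.
ROW = ("<record><row><source_ip>{}</source_ip><count>{}</count><policy_evaluated>"
       "<dkim>{}</dkim><spf>{}</spf></policy_evaluated></row></record>")
SAMPLE_REPORT = (
    "<feedback><policy_published><domain>example.com</domain><p>none</p>"
    "</policy_published>"
    + ROW.format("192.0.2.10", 120, "pass", "pass")
    + ROW.format("198.51.100.7", 40, "pass", "fail")   # SPF fails, DKIM passes
    + ROW.format("203.0.113.25", 15, "fail", "fail")
    + ROW.format("203.0.113.25", 5, "fail", "fail")    # same source, second row
    + "</feedback>")

def summarize(report_xml):
    """Return {source_ip: {"pass": n, "fail": n}} of DMARC results by message count."""
    totals = defaultdict(lambda: {"pass": 0, "fail": 0})
    for row in ET.fromstring(report_xml).iter("row"):
        ip = row.findtext("source_ip")
        count = int(row.findtext("count", "0"))
        # policy_evaluated holds the DMARC-evaluated DKIM and SPF results.
        dkim = row.findtext("policy_evaluated/dkim")
        spf = row.findtext("policy_evaluated/spf")
        # DMARC passes when either mechanism passes; it fails only when both fail.
        result = "pass" if "pass" in (dkim, spf) else "fail"
        totals[ip][result] += count
    return dict(totals)

def blocked_under_reject(report_xml):
    """Sources (and message counts) that fail DMARC and would be rejected."""
    return {ip: t["fail"] for ip, t in summarize(report_xml).items() if t["fail"]}

def legitimate_at_risk(report_xml, known_sources):
    """Failing sources that are in your own sender inventory: fix these first."""
    blocked = blocked_under_reject(report_xml)
    return {ip: n for ip, n in blocked.items() if ip in known_sources}

if __name__ == "__main__":
    inventory = {"192.0.2.10", "198.51.100.7", "203.0.113.25"}  # constructed list
    print("Would be rejected:", blocked_under_reject(SAMPLE_REPORT))
    print("Legitimate senders at risk:", legitimate_at_risk(SAMPLE_REPORT, inventory))
```

An empty result from `legitimate_at_risk` across several reporting periods is the signal that moving to p=reject will not drop your own mail.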

To Summarize your life after p=reject

Monitoring your email authentication protocols is an essential part of life after p=reject. It not only ensures that the effectiveness of your security measures is maintained but also gives you a deeper insight into their functionalities to determine what works best for you. A DMARC analyzer helps you enjoy a smoother transition from p=none to reject, steer clear of deliverability issues, monitor your email channels, update protocol policies and troubleshoot issues on a single platform, easily.