If your domain is already compliant with DMARC, you still have to ensure that SPF, DKIM, and DMARC protocols are appropriately configured, and that a suitable 7 is enforced. ‘Reject’ is the strictest policy when it comes to email security, but it may cause email deliverability issues for genuine messages as well.
If you don’t use a reporting system to monitor authentication, it will take months for you to find out that some of your legitimate emails didn’t make it to recipients’ mailboxes at all. This can severely impact your conversation with clients and prospects while also nullifying email marketing efforts.
Experts advise setting the policy of your DMARC implementation to None at the initial stage as it lets you start getting reports without risking your emails being rejected or marked as spam.
But when is the right time to switch your policy, and how to do it the right way? Well, read the blog to get all the answers.
You can set your DMARC record to one of the three policies.
None policy, also called Monitoring Only Policy, instructs Internet Service Providers to deliver reports to the email address mentioned in your record’s RUA or RUF tag. The policy doesn’t harm your email deliverability at all, as it only shares deep insights into your email channel.
When you set your record to the None, no action is taken against emails failing authentication checks. This means they are neither marked as spam nor rejected outrightly.
Quarantine policy delivers reports and instructs ISPs to mark all emails failing authentication as spam or otherwise lodges them in your quarantine folder instead of your email inbox. Emails passing authentication are delivered normally to recipients’ primary inboxes.
The Reject policy instructs ISPs to outrightly reject the entry of all emails failing authentication checks. Emails passing authentication are delivered normally to recipients’ primary inboxes. The downside of the Reject policy is that sometimes legitimate emails also get rejected, harming conversations with clients and prospects on multiple levels.
When is the Right Time to Set DMARC Policy to Reject?
You need to monitor your email-sending domain’s performance and activities before resetting the policy. Channel insights enable you to configure your record properly for an effective and non-erroneous email authentication process.
The ideal time to switch to the Reject is once all the sources are authorized and their DMARC compliance has reached around 100%. This practice ensures a good deliverability rate for genuine emails.
You can also set your policy for DMARC to apply only to a pre-specified percentage of emails sent from your domain. All you need to do is add a percentage tag (pct) to the DMARC record, and this will minimize the risk of poor email deliverability. In addition, a ‘pct’ tag increases the possibility of successful delivery of genuine emails sent from your domain.
How to Plan a Smooth Transition From DMARC None to DMARC Reject?
Follow this step-by-step guide to enforce the strictest DMARC policy.
Step 1: Start DMARC Monitoring
The best course of action to safely transit from the None to Reject policy is using DMARC monitoring services with PowerDMARC. You can choose to receive two types of DMARC reports-
Aggregate Reports (RUA)
You receive aggregate reports daily with detailed insight into your domain’s traffic. It consists of a list of IP addresses that have attempted to send emails through your domain.
Forensic Reports (RUF)
Forensic reports are sent right after an email from your domain fails to be delivered. A RUF report always includes original message headers and may consist of original messages as well.
Stay on the None policy during the initial monitoring stage to understand your mail flow without impacting its performance.
Step 2: DMARC Report Analysis
While using the None policy, configure your email-sending domain’s SPF and DKIM records for optimum email security. Meanwhile, also focus on carefully monitoring all the reports you receive as they inform you which DKIM selectors are used and which senders are sending emails from your domain. The reports also tell the percentage of emails passing and failing authentication checks.
Also, remember to be within the 10 DNS lookup limit. If it’s a problem for you to remove mechanisms, use the SPF flattening approach to instantly mitigate the SPF PermError and stay under SPF 10 lookup limit.
Don’t skip using a different DKIM selector for each sender, and only include selectors in use. Apart from this, keep your DKIM keys secured and change them regularly.
Step 3: Switch to Quarantine
After properly configuring SPF and DKIM, you can shift to the Quarantine policy from the none policy. On enforcing it, recipients’ mailboxes will redirect all unauthenticated emails sent from your domain to spam folders.
To check if it’s the right time to shift to the Quarantine policy, you need to see what percentage of emails are failing authentication. Switch your policy only when a small percentage of promotional emails fail authentication. The preparedness to enforce the Quarantine policy can vary from domain to domain.
Moreover, take benefit of the percentage tag and start by setting the pct tag to 5 or 10%. This would mean that only 5 to 10% of the unauthenticated emails will be redirected to spam. Then, you can gradually raise the percentage.
Step 4: Finally, Switch to Reject
When you’ve completely switched to the Quarantine policy, and only a few emails are being marked as spam, you can switch to the Reject policy. It won’t hamper email flow and deliverability, if appropriately enforced. Remember that the Reject policy outrightly blocks the entry of unauthenticated emails from recipients’ inboxes.
If your important conversations still land in the spam folders, you aren’t ready to switch to the reject policy. Instead, make a smooth transition by enforcing it for a small percentage, just as you did in Quarantine. When you’re sure that most of your important messages are reaching the intended recipients’ inboxes, you can transit to 100 percent enforcement.
Is Reject Policy Always the Most Efficient Choice?
Irrespective of how carefully you authenticate your records, only a few domain owners achieve 100% DMARC compliance on all the valid sources. 100% of the Reject policy enforcement might result in the non-deliverability of some important messages as well. But on the brighter side, it fully protects you against impersonation, phishing, and abuse.