
Within DMARC there is a quarantine policy, p=quarantine, which asks receiving mail servers to treat messages that fail DMARC authentication as suspicious and to deliver them to the spam or junk folder rather than the inbox, while the aggregate reports DMARC sends back let the domain owner see which sources failed. This stops most direct-domain spoofing before a user ever acts on it. This guide is designed to help you understand what DMARC Quarantine is and how DMARC works with the p=quarantine policy.

What is DMARC Quarantine?

DMARC Quarantine is one of the three DMARC policies (the other two being p=none and p=reject). It asks the receiving mail server to treat every message that fails DMARC authentication as suspicious, which in practice means placing it in the recipient’s spam/junk folder rather than the inbox.

When you set a DMARC policy to p=quarantine, you are telling receiving servers that if a message using your domain in the From: header fails DMARC authentication, they should quarantine it. A quarantined message is still accepted rather than bounced, but it is flagged as suspicious and lands in the recipient’s spam (junk) folder instead of the inbox. Keep in mind that the policy is a request from the domain owner: a receiver may apply its own local rules on top of it, and a receiver that does not implement DMARC will not apply it at all.


A DMARC Record with the Quarantine policy may look like this:

v=DMARC1; p=quarantine; rua=mailto:[email protected];

How is DMARC Quarantine Policy Executed?

A quarantine policy means that mail providers receiving messages with your domain in the From: header will check whether the message passed SPF or DKIM, and whether the domain that passed is aligned with the From: domain: for SPF that is the Return-Path (MAIL FROM) domain, for DKIM the signing domain in the d= tag. If at least one aligned identifier passes, the message passes DMARC and the provider delivers it to the user’s inbox as usual. If neither does, the message fails DMARC and the provider applies your quarantine policy, placing it in the spam folder.

A Step-by-Step Analysis of The DMARC Quarantine Policy Functioning

1. When a message arrives, the receiving server looks up the DMARC record for the domain in the From: header (a TXT record at _dmarc.<that domain>).

2. The receiver runs SPF and DKIM. Each check that passes yields an authenticated domain: the Return-Path (MAIL FROM) domain for SPF, and the d= domain of the signature for DKIM. DMARC then checks identifier alignment, meaning whether that authenticated domain matches the domain in the From: header, according to the adkim and aspf tags in the record. Relaxed alignment (the default) accepts a subdomain of the same organizational domain; strict alignment requires an exact match.

3. Alignment is a yes-or-no outcome, not a degree: the message passes DMARC if at least one identifier both passes its own check and is aligned with the From: domain.

4. If the message passes, it is delivered as usual.

5. If neither SPF nor DKIM passes in alignment, the published DMARC policy (in our case p=quarantine) is applied.

6. The p=quarantine policy instructs the receiving server to treat messages that fail DMARC as suspicious. They are not delivered straight to the user’s inbox, but they are not discarded either: they are placed in a spam or junk folder or otherwise flagged so that the user can see the message did not authenticate.
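To make the alignment and disposition logic in the steps above concrete, here is a small Python model of a receiver’s DMARC check. It is an added illustration written for this article, not PowerDMARC’s code or any mail server’s implementation. The domain names (akme.example, a spoofer’s bounce domain evil.example, the subdomain mail.akme.example) and the SPF/DKIM results are constructed, and the organizational-domain derivation is a deliberate simplification: it takes the last two labels, whereas real receivers consult the Public Suffix List.

```python
from dataclasses import dataclass, field
from typing import List, Tuple


def org_domain(domain: str) -> str:
    """Organizational domain used by relaxed alignment.
    Simplification for this example: take the last two labels.
    Real receivers use the Public Suffix List (so example.co.uk works)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """RFC 7489 identifier alignment.
    mode 's' (strict): the authenticated domain must equal the From: domain.
    mode 'r' (relaxed): both must share the same organizational domain."""
    if not auth_domain:
        return False
    a = from_domain.lower().rstrip(".")
    b = auth_domain.lower().rstrip(".")
    return a == b if mode == "s" else org_domain(a) == org_domain(b)


@dataclass
class AuthResults:
    """What the receiver learned from SPF and DKIM before DMARC runs."""
    spf_result: str = "none"     # "pass", "fail", "softfail", "none", ...
    spf_domain: str = ""         # Return-Path (RFC5321.MailFrom) domain SPF was evaluated for
    dkim: List[Tuple[str, str]] = field(default_factory=list)  # (result, d= domain) per signature


def dmarc_pass(from_domain: str, res: AuthResults, adkim: str = "r", aspf: str = "r") -> bool:
    """DMARC passes when at least one identifier both passes its check and is aligned."""
    spf_ok = res.spf_result == "pass" and aligned(from_domain, res.spf_domain, aspf)
    dkim_ok = any(r == "pass" and aligned(from_domain, d, adkim) for r, d in res.dkim)
    return spf_ok or dkim_ok


def disposition(from_domain: str, res: AuthResults, policy: str,
                adkim: str = "r", aspf: str = "r") -> str:
    """Apply the domain owner's requested policy to a message that fails DMARC.
    Returns 'deliver', 'quarantine' or 'reject' (a receiver may still override
    this with local policy)."""
    if dmarc_pass(from_domain, res, adkim, aspf):
        return "deliver"
    return {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}[policy]


# Constructed scenarios for the article's Akme domain, all evaluated under p=quarantine.
FROM = "akme.example"

# 1. Spoofer: SPF passes for the attacker's own bounce domain, no DKIM. Not aligned -> quarantine.
SPOOFED = AuthResults(spf_result="pass", spf_domain="evil.example")

# 2. Legitimate mail signed with Akme's DKIM key (SPF happens to fail, e.g. forwarded) -> deliver.
LEGIT = AuthResults(spf_result="fail", spf_domain="akme.example",
                    dkim=[("pass", "akme.example")])

# 3. Signed with a subdomain key: passes under relaxed alignment, fails under strict.
SUBDOMAIN = AuthResults(dkim=[("pass", "mail.akme.example")])

if __name__ == "__main__":
    for name, res, adkim in [("spoofed", SPOOFED, "r"), ("legit", LEGIT, "r"),
                             ("subdomain/relaxed", SUBDOMAIN, "r"),
                             ("subdomain/strict", SUBDOMAIN, "s")]:
        print(f"{name:18} -> {disposition(FROM, res, 'quarantine', adkim=adkim)}")
```

The third scenario is the one that bites people when they switch adkim or aspf to strict: mail signed by a subdomain key that used to pass suddenly fails DMARC and is quarantined, so check your reports for subdomain signers before tightening alignment.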

Importance of DMARC Quarantine Policy

DMARC is an effective tool for preventing email spoofing, and the Quarantine policy is a good way to protect the people who receive mail from your domain without making many changes to your own systems: a legitimate message that fails authentication ends up in spam rather than being bounced.

Using p=quarantine tells receiving mail servers that any message carrying your domain in the “From” field that is not authenticated by aligned SPF or DKIM should be quarantined.

For instance:

If a spammer sends an email as “[email protected]” but cannot sign it with your DKIM key and is not sending from an IP address your SPF record authorizes, the message fails DMARC and is quarantined instead of being delivered to the inbox. This keeps a lot of spoofed messages away from your customers and colleagues.

The Quarantine policy is also forgiving of mistakes. Because you are only asking receivers to quarantine messages that fail authentication, you do not need to decide message by message which ones are malicious, and a legitimate sender you forgot to authorize still reaches the recipient’s spam folder rather than bouncing. Watch your aggregate reports for exactly those unauthenticated legitimate senders and fix them before moving on to p=reject.

DMARC Quarantine Significance Explained with an Example

Let’s say you’re an HR rep for a company called Akme. One day, your boss sends you an email asking you to transfer $1,000 to the bank account of a vendor named Dynamic Corp.

You’ve never heard of this vendor before. You don’t even think your company works with vendors!

But since the message is from your boss’s email address and not some random account, you assume it’s legitimate. So you wire the money.

The next day, your boss asks why you sent DynamicCorp $1,000. You tell him you thought he asked you to. He tells you that it was someone pretending to be him who sent the email in question—and he never actually asked you to make that payment!

With a DMARC quarantine policy in place, that message would not have arrived looking like any other. If Akme publishes a DMARC TXT record with p=quarantine, then when someone spoofs the Akme domain and sends an email like this one purporting to be from Akme, a receiving server that honours DMARC places it in spam or junk, where it is far less likely to be acted on. Note the limits: DMARC protects the exact domain you publish it for (and its subdomains, unless sp= says otherwise); it does nothing against a lookalike domain or a forged display name on an unrelated address, so user awareness and payment controls still matter.

The Recommended Percentage of Quarantining Messages in DMARC Record

When you are setting up your DMARC record, remember that the quarantine action can divert legitimate mail to spam if some of your sending sources are not yet authenticated. This is where the pct tag comes in: it tells receiving servers what percentage of the messages that fail DMARC should actually have the policy applied. For every 100 failing messages, only pct of them are quarantined; the rest are handled as if the policy were p=none.

For small organizations, we recommend starting at pct=10. This means that if a message claiming to come from your domain fails the DMARC check, there is only a 1-in-10 chance it is quarantined, which limits the damage if a legitimate sender is missing from your SPF record or not signing with DKIM, while still letting you test enforcement on real traffic. Raise the value as your aggregate reports come back clean.

We recommend starting even lower for large organizations, at about pct=1, giving a 1-in-100 chance that a failing message is quarantined. Large organizations usually have many more mail streams (marketing platforms, ticketing systems, regional offices), so the odds that some legitimate source is still unauthenticated are higher, and a low percentage surfaces those sources in your reports with little deliverability impact. Be careful about what you authorize along the way: if your office sits in a shared building with a single outbound IP address for all tenants, adding that IP to your SPF record lets every other tenant pass SPF for your domain, so rely on DKIM for such sources instead.

An example of a DMARC record with the percentage tag (note that pct takes a bare number; pct=10% is a syntax error and receivers would ignore the record):

v=DMARC1; p=quarantine; pct=10; adkim=r; aspf=r; rua=mailto:[email protected];

pct= is the percentage of failing messages to which the policy applies. It takes a whole number from 0 to 100 with no % sign and defaults to 100 when omitted. pct=100 means every failing message is quarantined; pct=10 means roughly 1 in 10 is quarantined and the remaining 9 are treated as under p=none. Under p=reject the messages that are not selected are quarantined rather than delivered, so pct also gives you a gentle path from quarantine to reject.
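The sampling rule has one subtlety worth seeing in code: failing messages that fall outside the pct sample are not simply delivered, they get the next less severe policy (reject falls back to quarantine, quarantine to none; RFC 7489 section 6.6.4). The Python below is an added illustration for this article, not PowerDMARC code or any receiver’s implementation. It assumes the message has already failed DMARC, and it uses a deterministic hash of a constructed Message-ID as a stand-in for the receiver’s random selection so that the example is repeatable.

```python
import hashlib
from collections import Counter

# Policy applied to failing messages that fall outside the pct sample.
NEXT_LESS_SEVERE = {"reject": "quarantine", "quarantine": "none", "none": "none"}


def selected(message_id: str, pct: int) -> bool:
    """Stand-in for the receiver's random sampling: map the Message-ID to a
    bucket 0..99 and select the message when the bucket is below pct.
    Deterministic so the example repeats; a real receiver draws at random."""
    bucket = int(hashlib.sha256(message_id.encode()).hexdigest(), 16) % 100
    return bucket < pct


def effective_policy(policy: str, pct: int, message_id: str) -> str:
    """Policy actually applied to a message that has already failed DMARC."""
    if not 0 <= pct <= 100:
        raise ValueError("pct must be an integer 0..100 (no % sign)")
    if pct == 100 or selected(message_id, pct):
        return policy
    return NEXT_LESS_SEVERE[policy]


def simulate(policy: str, pct: int, n: int = 1000) -> dict:
    """Count how n failing messages are handled under (policy, pct)."""
    # Constructed Message-IDs; only their hash matters here.
    return dict(Counter(effective_policy(policy, pct, f"<msg-{i}@akme.example>")
                        for i in range(n)))


if __name__ == "__main__":
    for policy, pct in [("quarantine", 10), ("quarantine", 100), ("reject", 25)]:
        print(f"p={policy} pct={pct}: {simulate(policy, pct)}")
```

Running it shows about a tenth of failing messages quarantined for p=quarantine; pct=10, all of them for pct=100, and for p=reject; pct=25 a split between reject and quarantine with nothing delivered to the inbox.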

p=none VS p=quarantine VS p=reject

  •  p=none asks receiving servers to apply no special treatment to messages from your domain that fail DMARC and only to report them back to you. It is the right way to start monitoring for fraud, but it does nothing to prevent it.
  •  p=quarantine asks receiving servers to put messages from your domain that fail DMARC (no aligned SPF or DKIM pass) into the recipient’s spam folder instead of the regular inbox.
  •  p=reject goes one step further and asks receiving servers to reject such messages outright during delivery. Those messages never reach the inbox, or even the spam folder, of the user they were addressed to.

We hope you understand what DMARC Quarantine is and how it works. If you’re interested in learning more about DMARC, PowerDMARC offers a variety of tools to help with the process. These include a DMARC report analyzer that summarizes your current DMARC record and detects any existing issues, as well as an SPF generator so you can create your own SPF records for your domain for free.

If you keep coming across the prompt “DMARC policy not enabled” for your domain, your domain is not protected against spoofing and impersonation with DMARC email authentication. You will usually see this prompt in DMARC record lookup and domain security checker tools. It often has an easy fix. In this article we take you through the steps you need to configure DMARC and set up the right policy for your domain so that you never have to see the “DMARC policy is not enabled” prompt again.

Configuring DMARC to Protect Against Spoofing 

DMARC, short for Domain-based Message Authentication, Reporting and Conformance, is a standard for authenticating outbound email so that your domain is protected against BEC and direct-domain spoofing attempts. DMARC works by checking that the From: domain aligns with the domain that SPF authenticated (the Return-Path, or bounce address) or with the domain in the DKIM signature (the d= tag). This verifies the sending source and lets receivers stop unauthorized sources from sending emails that appear to be coming from you.

Your company domain is your digital storefront and carries your digital identity. Organizations of all sizes make use of email marketing to gain reach and engage their clients. However, if your domain gets spoofed and attackers send out phishing emails to your customers, that not only drastically impacts your email marketing campaigns but also takes a toll on the reputation and credibility of your organization. This is why adopting DMARC is imperative to safeguarding your identity.

In order to start implementing DMARC for your domain:

  • Open your DNS management console
  • Navigate to the records section and add a new TXT record with the host name _dmarc (so that it resolves at _dmarc.yourdomain)
  • Publish your DMARC record, which you can generate easily using our free DMARC record generator tool, and specify a DMARC policy (the p= tag) to enable it for your domain; this policy tells the receiving MTA how to treat messages that fail authentication checks
  • DNS changes can take up to 24-48 hours to propagate, depending on your record’s TTL, and you’re done!
  • Verify the correctness of your record using our free DMARC record lookup tool after configuring it for your domain

How to Fix “DMARC Quarantine/Reject Policy Not Enabled”

When you get a warning of “DMARC Quarantine/Reject policy not enabled”, or sometimes just “DMARC policy not enabled” or “No DMARC protection”, it simply indicates that your domain is configured with a DMARC policy of none, which allows monitoring only (or, in the case of “No DMARC protection”, that no DMARC record is published at all).

If you are just starting out on your email authentication journey and want to monitor your domains and email flow to ensure smooth email delivery, we recommend you start off with a DMARC policy of none. However, a none policy offers zero protection against spoofing, and hence you will keep seeing the prompt “DMARC policy not enabled”, reminding you that your domain isn’t adequately protected against abuse and impersonation.

In order to fix this, all you need to do is change the policy tag (p) in your DMARC record from p=none to p=quarantine or p=reject, thereby moving to DMARC enforcement. Do this only after your aggregate reports show that all your legitimate sending sources pass DMARC; otherwise their mail will be quarantined or rejected too. If your DMARC record was previously:

v=DMARC1; p=none; rua=mailto:[email protected]; ruf=mailto:[email protected];

Your optimized DMARC record will be:

v=DMARC1; p=reject; rua=mailto:[email protected]; ruf=mailto:[email protected];

Or, v=DMARC1; p=quarantine; rua=mailto:[email protected]; ruf=mailto:[email protected];
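A quick way to check a record before you publish it, and to see why a checker reports “DMARC policy not enabled”, is to lint the tag string itself. The Python below is an added example written for this article, not PowerDMARC’s lookup tool or any receiver’s parser. It works on the text you would paste into the _dmarc TXT record, so it runs offline, and the sample records (with the constructed address dmarc@akme.example) cover a monitoring-only record, an enforced one, a ramping one with pct=10, and the common pct=10% mistake.

```python
from typing import Dict, List

POLICIES = {"none", "quarantine", "reject"}


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'tag=value; tag=value' into a dict (tag names are case-insensitive)."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag (no '='): {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def lint_dmarc(record: str) -> dict:
    """Return {'status', 'problems', 'warnings', 'tags'} for a DMARC record.
    status: 'invalid' (receivers would ignore the record), 'not enabled'
    (p=none, monitoring only), 'partial' (enforcing but pct < 100) or 'enforced'."""
    problems: List[str] = []
    warnings: List[str] = []
    try:
        tags = parse_dmarc(record)
    except ValueError as e:
        return {"status": "invalid", "problems": [str(e)], "warnings": [], "tags": {}}

    # v=DMARC1 must be the first tag and p= is required (RFC 7489 section 6.3).
    if not record.strip().lower().startswith("v=dmarc1"):
        problems.append("record must begin with v=DMARC1")
    p = tags.get("p")
    if p is None:
        problems.append("missing required p= tag")
    elif p not in POLICIES:
        problems.append(f"p must be none, quarantine or reject, got {p!r}")
    sp = tags.get("sp")
    if sp is not None and sp not in POLICIES:
        problems.append(f"sp must be none, quarantine or reject, got {sp!r}")
    # pct is a whole number 0..100; a trailing % sign is a common syntax error.
    pct_raw = tags.get("pct", "100")
    if not (pct_raw.isdigit() and 0 <= int(pct_raw) <= 100):
        problems.append(f"pct must be an integer 0..100 with no % sign, got {pct_raw!r}")
    for t in ("adkim", "aspf"):
        if tags.get(t, "r") not in ("r", "s"):
            problems.append(f"{t} must be r (relaxed) or s (strict), got {tags[t]!r}")
    # Report URIs must use mailto:, the only scheme RFC 7489 defines for rua/ruf.
    for t in ("rua", "ruf"):
        for uri in filter(None, (u.strip() for u in tags.get(t, "").split(","))):
            if not uri.lower().startswith("mailto:"):
                problems.append(f"{t} URI must use mailto:, got {uri!r}")
    if "rua" not in tags:
        warnings.append("no rua= address: you will receive no aggregate reports")

    if problems:
        status = "invalid"
    elif p == "none":
        status = "not enabled"
    elif int(pct_raw) < 100:
        status = "partial"
    else:
        status = "enforced"
    return {"status": status, "problems": problems, "warnings": warnings, "tags": tags}


# Constructed sample records (address dmarc@akme.example is made up for this example).
MONITOR_ONLY = "v=DMARC1; p=none; rua=mailto:dmarc@akme.example; ruf=mailto:dmarc@akme.example;"
ENFORCED = "v=DMARC1; p=reject; rua=mailto:dmarc@akme.example; ruf=mailto:dmarc@akme.example;"
RAMPING = "v=DMARC1; p=quarantine; pct=10; adkim=r; aspf=r; rua=mailto:dmarc@akme.example;"
BAD_PCT = "v=DMARC1; p=quarantine; pct=10%; adkim=r; aspf=r; rua=mailto:dmarc@akme.example;"

if __name__ == "__main__":
    for name, rec in [("monitor", MONITOR_ONLY), ("enforced", ENFORCED),
                      ("ramping", RAMPING), ("bad pct", BAD_PCT)]:
        result = lint_dmarc(rec)
        print(f"{name:9} -> {result['status']}", result["problems"], result["warnings"])
```

The “bad pct” record is the interesting one: a checker that only looks at p= would call it quarantine, but a receiver that rejects the malformed pct value treats the domain as having no usable DMARC record at all, which is worse than p=none because you also lose the reports.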

I Fixed “DMARC Policy Not Enabled”, What Next?

After resolving the “DMARC policy not enabled” prompt, monitoring your domains should be a continuous process to ensure that DMARC enforcement does not hurt your email deliverability but improves it. DMARC reports give you visibility into all your email channels so that you never miss what is going on. After you move to an enforcement policy, PowerDMARC lets you view your email authentication results in DMARC aggregate reports in easy-to-read formats that anyone can understand. With this, you might be able to see a 10% increase in your email deliverability rate over time.

Moreover, you need to ensure that your SPF record does not exceed the limit of 10 DNS lookups; going over it makes SPF return a permanent error (permerror), which counts as a failure and hurts email delivery. Dynamic SPF is an easy way to stay under the hard limit and keep up with any changes made by your ESPs.

Make your DMARC deployment process as seamless as it can get, by signing up with our free DMARC analyzer today!