As email has become a vital communication channel for both personal and business purposes, malicious actors have exploited its vulnerabilities to deceive recipients, distribute malware, and steal sensitive information. DMARC addresses these concerns by enabling domain owners to specify how email receivers should handle messages that claim to originate from their domains.
A domain’s DMARC policy contains instructions for email receivers on how to handle emails that fail email authentication checks. The DMARC policy can specify three possible actions for failed emails:
- DMARC none policy
- DMARC quarantine policy
- DMARC reject policy
DMARC policy at “reject” significantly minimizes the risk of domain abuse, brand impersonation, phishing, and spoofing attacks.
What is a DMARC Policy?
A DMARC policy published at the DNS level is a set of TXT instructions that inform email receivers how to handle emails that fail authentication checks performed using SPF and DKIM. The policy also specifies an email address where receivers can report the results of these checks.
A DMARC policy serves three primary purposes – the enforcement of email authentication protocols, establishing a reporting mechanism and protecting your emails against attacks.
- Authentication Enforcement: Your DMARC policy helps set an enforcement level for your domain’s email security. It allows domain owners to specify how email receivers should handle emails that claim to originate from their domain but fail authentication checks (SPF and DKIM). The policy can instruct receivers to either quarantine or reject such emails. By enforcing authentication, DMARC helps prevent email spoofing and impersonation, as unauthorized emails are less likely to reach recipients’ inboxes.
- Reporting: A mechanism for email receivers to send reports back to the domain owners can be defined in your DMARC record, with information on authentication results of emails sent from the domain. These reports help in monitoring suspicious activities and improving email deliverability.
- Protection: Your DMARC policy can stop CEO fraud, fake invoices, BEC attacks, the spread of ransomware, login credential thefts, and various other email fraud techniques.
3 Types of DMARC Policy: p=reject, p=none, p=quarantine
The various DMARC policy types help domain owners determine the level of enforcement they want to exercise in terms of dealing with unauthorized emails. The available DMARC policy options are none, quarantine, and reject, depending on the level of DMARC enforcement you want to opt for. Here, p is the parameter that specifies DMARC policy:
- DMARC None: A “monitoring only” policy that serves no protection – good for the beginning stages of your deployment journey.
- DMARC Quarantine: Flags or quarantines unauthorized emails.
- DMARC reject: Blocks inbox access to unauthorized emails
1. DMARC None Policy
DMARC policy none (p=none) is a relaxed DMARC policy that is implemented during the initial implementation stages of DMARC to monitor email activities. It doesn’t provide any level of protection against cyberattacks.
Example: v=DMARC1; p=none; rua=mailto:[email protected];
- Monitoring: Gathering intel is the aim for domain owners who select the “none” policy, which denotes a lack of inclination towards strict email authentication. They’re not yet prepared to enforce such measures as they want to check the present condition of email authentication in cyberspace.
- No action: Receiving email systems under the “none” policy refrain from utilizing DMARC results to modify email delivery or handling. This policy is usually enacted during the early stages of implementing DMARC, as domain proprietors aim to evaluate the effect of their DMARC settings without taking chances of genuine emails being denied or held.
- Reporting: Despite the lack of enforcement, DMARC reports are generated by the “none” policy. The recipients of emails transmit aggregate reports to the domain owners, providing detailed authentication status information for emails that appear to originate from their domain.
Domain owners are supplied with these reports to better understand the realm of email authentication and calculate possible sources of abuse or misconfiguration.
2. DMARC Quarantine Policy
The quarantine policy (p=quarantine) provides some level of protection as the domain owner can prompt the receiver to roll back emails into the spam folder to review later in case of DMARC fail.
Example: v=DMARC1; p=quarantine; rua=mailto:[email protected];
Rather than solely rejecting unauthenticated emails, the “quarantine” policy offers the ability for domain owners to maintain security while also considering the possibility of false positives. Legitimate messages that fail DMARC authentication will not be lost, but instead placed in a separate location for closer inspection by the recipient. This approach differs from the strict “reject” method that sends unauthenticated emails back to the sender.
Unauthenticated emails are dealt with by various organizations using the intermediate “quarantine” policy before possibly moving on to the stricter “reject” policy. Such a policy provides an opportunity to assess the impact of DMARC on email delivery and make essential modifications before eventually completely rejecting such emails.
3. DMARC Reject Policy
Finally, the reject DMARC policy (p=reject) ensures that emails that fail authentication for DMARC are rejected and discarded by the receiver’s MTA, thereby providing max enforcement.
Example: v=DMARC1; p=reject; rua=mailto:[email protected];
DMARC reject can prevent phishing attacks and other fraudulent activities, and aims to enhance email security. Unauthenticated emails are rejected and this reduces the risks of recipients receiving malicious emails. The domain owner plays a key role in the reduction of such risks.
Rather than giving unauthenticated emails leeway by diverting them to a separate folder like the “quarantine” policy, the “reject” policy embodies a strict stance. Any emails that do not meet DMARC authentication requirements are outrightly prohibited from being delivered.
Thorough testing and planning are required to implement a “reject” policy to block harmful emails. Proper authentication of legitimate emails is crucial to prevent unintentional blocking of valid communication. Accordingly, it is important for domain owners to test their DMARC configuration and keep track of DMARC reports to detect and resolve any problems.
Which is the best DMARC policy type and why?
DMARC reject is the best DMARC policy if you want to maximize your email security efforts. This is because when on p=reject, domain owners actively block the unauthorized emails from their clients’ inbox. This provides a high degree of protection against direct-domain spoofing, phishing and other forms of impersonation threats.
- To monitor your email channels: If you simply want to monitor your email channels, a DMARC policy at p=none is enough. This policy will however not protect you against cyberattacks.
- To protect against Phishing and Spoofing Attacks: If you want to protect your emails against phishing attacks and direct-domain spoofing, a DMARC policy of p=reject is imperative. It provides the highest level of DMARC enforcement and effectively minimizes impersonation attacks.
- To review suspicious emails before they are delivered: If you don’t want to outright block unauthorized emails, instead, allow your receivers to review emails that fail authentication in their quarantine folder, a DMARC quarantine policy is your best bet.
Which DMARC policy prevents spoofing?
A DMARC p=reject policy is the only DMARC policy that is effective in preventing spoofing attacks. This is because DMARC reject blocks unauthorized emails from reaching your receiver’s inbox, thereby stopping them from accepting, opening, and reading bad emails.
Steps to setup your DMARC policy
Step 1: Enable SPF or DKIM for your domain by generating your free record.
Step 2: Create a DMARC record using our DMARC record generator tool. Make sure you fill in the DMARC p= parameter to define your DMARC policy like in the example blow:
v=DMARC1; pct=100; p=reject; rua=mailto:[email protected];
Step 3: Publish this record on your DNS
Troubleshoot DMARC policy errors
You should be wary of any syntax errors while setting up your record to make sure that your protocol functions correctly.
Errors while configuring the DMARC policy are common and can be avoided by using a DMARC checker tool.
DMARC sp Policy
If you configure a DMARC reject policy, but set up your subdomain policies to none, you will not be able to achieve compliance on all your outbound emails.
Set up DMARC policy with PowerDMARC
A smooth shift from p=none to p=reject DMARC policy
PowerDMARC’s extensive reporting mechanism offers 7 views and filtering mechanisms for your DMARC Aggregate reports on the DMARC analyzer dashboard to effectively monitor your email channels while on DMARC none.
Update and change your DMARC policy modes
Our hosted DMARC feature allows you to update your DMARC policy modes, shift to p=reject and monitor your protocol effectively and in real-time without entering your DNS management console.
Our 24-hour active support team helps orchestrate a smooth transition from a relaxed to an enforced DMARC policy so as to maximize your security while ensuring deliverability.
Contact us today to implement a DMARC policy and monitor your results easily!