DMARC Policies Explained: How to Choose the Right Policy for Your Domain
As a domain owner, you decide how much protection DMARC gives you: its strength depends entirely on the policy you publish. Before picking a policy for your domain, it pays to understand what each one does.
There is no single right choice of DMARC policy, because it depends on the organization’s needs. But the stricter policies give mailbox providers far more help in filtering malicious messages and stopping brand spoofing, so the choice the domain owner makes matters.
DMARC Explained
As an email authentication protocol, DMARC (Domain-based Message Authentication, Reporting, and Conformance) prevents malicious actors from spoofing your domain. It works combined with two other robust authentication tools, DKIM (DomainKeys Identified Mail) and SPF (Sender Policy Framework), to verify the authenticity of an email.
Image sourced from dmarc.org
In simple words, DMARC lets recipients identify whether an email claiming to come from your domain originates from a source the organization has not approved, and instructs them what to do with such unauthorized emails. A domain owner publishes the DMARC policy in its DNS as a TXT record.
Which Options Do You Have for Setting the DMARC Policy?
As a domain owner, you will have three options to set up your DMARC policy:
1. p=none
With this policy you make no decision about failing emails; the mailbox provider’s own judgment determines whether an email that fails authentication is accepted or rejected. In most cases mailbox providers take no action on such emails and deliver them unless it is evident that they are spam.
2. p=quarantine
If an email fails authentication, the ‘p=quarantine’ policy will instruct the mailbox providers to move it to junk or spam folders. These messages can also get blocked.
3. p=reject
This is the most robust DMARC policy: it ensures that emails failing authentication, including malicious ones, are stopped. If a message fails the DMARC check, ‘p=reject’ instructs the mailbox provider not to deliver it.
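As an added example (not code from the original post), the following Python parses a constructed DMARC TXT record for each of the three policies and shows what a receiver does with a message that fails the check under each one. It also illustrates a caveat that goes beyond the page: under the policy-discovery rules of RFC 7489, a mistyped ‘p’ value is downgraded to ‘none’ when a ‘rua’ reporting address is present, and the whole record is ignored otherwise, so a typo in the record silently removes enforcement. The example.com addresses are placeholders.

```python
"""Parse a DMARC DNS TXT record, determine the policy a receiver would
actually enforce, and decide what happens to a message that fails the
DMARC check under it. The records below are constructed for this example."""

from typing import List, Optional, Tuple

VALID_POLICIES = ("none", "quarantine", "reject")

# Constructed records, one per policy option; the rua address is a placeholder.
RECORDS = {
    "none": "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com",
    "quarantine": "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.com",
    "reject": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com",
}


def parse_tags(record: str) -> List[Tuple[str, str]]:
    """Split 'k=v; k=v' into an ordered list of (tag, value) pairs."""
    pairs = []
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        pairs.append((key.strip().lower(), value.strip()))
    return pairs


def effective_policy(record: str) -> Optional[str]:
    """Return the policy a receiver enforces for this record, or None if the
    record is unusable and will be ignored (no DMARC processing at all).

    Follows RFC 7489 policy discovery: the first tag must be v=DMARC1 and
    'p' is required. An unknown 'p' value is treated as 'none' when a
    'rua' address is present, and otherwise invalidates the record, so a
    typo such as p=rejct removes enforcement instead of rejecting mail.
    """
    pairs = parse_tags(record)
    if not pairs or pairs[0] != ("v", "DMARC1"):
        return None
    tags = dict(pairs)
    policy = tags.get("p")
    if policy in VALID_POLICIES:
        return policy
    if tags.get("rua", "").startswith("mailto:"):
        return "none"
    return None


def disposition(record: str, dmarc_passed: bool) -> str:
    """Action for one message: 'deliver', 'quarantine' or 'reject'.

    Messages that pass DMARC are delivered under every policy; under p=none
    (or an ignored record) a failing message is also delivered and the
    receiver falls back to its own spam filtering.
    """
    if dmarc_passed:
        return "deliver"
    policy = effective_policy(record)
    if policy in (None, "none"):
        return "deliver"
    return policy


if __name__ == "__main__":
    for name, record in RECORDS.items():
        print(f"{name:10s} failing message -> {disposition(record, False)}")
    # Constructed record with a typo in the p tag.
    print("p=rejct  ->", effective_policy("v=DMARC1; p=rejct; rua=mailto:r@example.com"))
```

Running the block prints the action taken for a failing message under each policy; the typo record resolves to `none`, which is the check worth running against your own published record before relying on it.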
p=quarantine: What to Expect?
With the ‘p=quarantine’ policy, you instruct mailbox providers to move emails that fail the DMARC check to the recipient’s spam folder. You must remember two important details about these DMARC policies:
- The receiving mailbox provider accepts these messages but treats them as spam. For consumer-oriented mailboxes (e.g., gmail.com, yahoo.com, hotmail.com) they go to the recipient’s spam folder. For a business-oriented mailbox (e.g., Google Workspace, Microsoft 365, Mimecast), they can land in a quarantine folder managed by the IT staff.
- Only recipients see the effect of the ‘p=quarantine’ policy. Senders receive no notification; recipients notice only that the email has been treated as spam.
p=reject: What to Expect?
This DMARC policy instructs the receiving mailbox to reject the email outright, and the sending server receives a 5xx hard-bounce response. Many consider ‘p=reject’ the best DMARC policy because it provides robust protection against unauthenticated emails sent in your domain’s name, whether malicious or from shadow IT.
Why Is p=none Policy Not Recommended?
A ‘p=none’ policy means nothing is done to stop phishing attacks or to protect your information systems from malicious emails; only ‘p=quarantine’ and ‘p=reject’ deliver what DMARC is meant to provide. Use ‘p=none’ only while testing that your DMARC setup works correctly, not as a long-term operational policy.
Final Words: Setting DMARC Policy for Your Domain
With this information you can choose a DMARC policy suitable for your domain. Rather than jumping straight to ‘p=reject’, a gradual policy escalation is usually the best approach: start with ‘p=none’ and move to ‘p=quarantine’ later. Under ‘p=none’ all your emails reach recipients while you analyze the reports and monitor the mail sent in your domain’s name, so you can separate legitimate sources from unauthorized ones without affecting deliverability. Then you can move to the stricter policies based on what the reports show.
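As an added example (not from the original post), the following Python shows the escalation described above as a decision rule over aggregate-report data. The rows are constructed to resemble the per-source records a DMARC aggregate report contains (sending IP, message count, whether SPF and DKIM passed with alignment), and `KNOWN_SOURCES` is assumed to be the set of IPs the domain owner has already identified as its legitimate senders. The rule never tightens the policy while a legitimate source still fails, because that mail would be junked or bounced.

```python
"""Recommend the next DMARC policy step from aggregate (rua) report data.

Everything below is constructed for the example: the report rows, the
known-source list, and the placeholder reporting address."""

from collections import defaultdict
from typing import Dict, List, Tuple

POLICY_ORDER = ["none", "quarantine", "reject"]

# Constructed: IPs the domain owner has verified as its own mail sources.
KNOWN_SOURCES = {"192.0.2.10", "192.0.2.11"}

# Constructed aggregate-report rows: (source_ip, count, spf_aligned, dkim_aligned)
REPORT_ROWS: List[Tuple[str, int, bool, bool]] = [
    ("192.0.2.10", 1200, True, True),    # primary mail server, fully aligned
    ("192.0.2.11", 300, False, True),    # marketing platform, DKIM-aligned only
    ("198.51.100.7", 45, False, False),  # unknown sender: spoofing or shadow IT
]


def summarize(rows) -> Dict[str, Tuple[int, int]]:
    """Per source IP: (passing, failing) message counts. A message passes
    DMARC when either SPF or DKIM passes with alignment."""
    totals = defaultdict(lambda: [0, 0])
    for ip, count, spf_ok, dkim_ok in rows:
        idx = 0 if (spf_ok or dkim_ok) else 1
        totals[ip][idx] += count
    return {ip: (v[0], v[1]) for ip, v in totals.items()}


def recommend(current: str, rows, known=KNOWN_SOURCES) -> Tuple[str, str]:
    """Return (next_policy, reason).

    Stay put while any known-legitimate source still fails: fix its SPF or
    DKIM first. Otherwise move one step up the ladder; the failing unknown
    sources are exactly what the stricter policy is meant to stop.
    """
    if current not in POLICY_ORDER:
        raise ValueError(f"unknown policy: {current!r}")
    summary = summarize(rows)
    broken = [ip for ip, (_, fail) in summary.items() if ip in known and fail]
    if broken:
        return current, "fix SPF/DKIM for legitimate sources first: " + ", ".join(broken)
    unknown_fail = sum(fail for ip, (_, fail) in summary.items() if ip not in known)
    i = POLICY_ORDER.index(current)
    if i == len(POLICY_ORDER) - 1:
        return current, "already at reject"
    nxt = POLICY_ORDER[i + 1]
    return nxt, f"all known sources aligned; {unknown_fail} unauthorized messages would be stopped"


def build_record(policy: str, rua: str = "mailto:dmarc-reports@example.com") -> str:
    """Render the TXT record to publish for the chosen policy (placeholder rua)."""
    return f"v=DMARC1; p={policy}; rua={rua}"


if __name__ == "__main__":
    policy = "none"
    for _ in range(3):
        nxt, why = recommend(policy, REPORT_ROWS)
        print(f"{policy:10s} -> {nxt:10s} ({why})")
        print("  publish:", build_record(nxt))
        policy = nxt
```

The loop in the `__main__` block walks the ladder none → quarantine → reject on the constructed data; adding a failing row for a known source holds the policy at its current step until that source is fixed.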