How to reach the DMARC reject policy for the ultimate protection against phishing and spoofing?
DMARC reject is the strictest policy, and every domain owner wants to set their DMARC record to it; however, the confidence to use this policy is hard to come by. Banking, defense, healthcare, and other industries that deal with sensitive data rigorously aim to reach the ‘reject’ policy as soon as possible because their risk tolerance is quite low.
Ideally, one should begin with the ‘monitoring’ policy (p=none) and progress gradually to the ‘quarantine’ policy before setting the strictest configuration. But this is not as easy as it sounds: you need to keep track of false positives and negatives and find the misconfigurations or poor sending practices that trigger them.
In this blog, we’ll walk you through the path to setting the ‘reject’ policy without jeopardizing the flow of emails and inadvertently having them blocked.
What is DMARC enforcement?
DMARC enforcement is the application of strict policies so that unauthorized emails sent from your domain don’t land in the primary inboxes of targeted recipients. It protects your brand name from being exploited in malicious activities like business email compromise, executive spear phishing, exact-domain phishing, and brand impersonation attacks.
Enforcement occurs when a domain owner sets a DMARC policy to either quarantine or reject. Apart from offering protection from phishing and spoofing, DMARC enforcement also helps with email deliverability. Most email service providers consider the sender’s domain reputation when making delivery decisions. This means that emails sent from a domain with a good sender reputation are highly likely to pass authentication and security checks and be placed in recipients’ primary inboxes. If the domain’s sender reputation is poor, however, emails are more prone to being marked as spam or bouncing back.
DMARC policies
A domain owner can set one of three DMARC policies to instruct receiving mail servers on how to deal with unauthorized emails sent from their domain. These three policies are:
p=none
The ‘none’ (p=none) DMARC policy is a monitoring-only mode that allows domain owners to collect DMARC reports without affecting email delivery. When set to ‘none,’ email receivers evaluate messages based on SPF and DKIM authentication but do not take any action against emails that fail these checks. Instead, detailed reports are sent to the domain owner, providing visibility into email sources, authentication failures, and potential spoofing attempts.
This policy is typically used as a starting point for organizations implementing DMARC, enabling them to analyze email flows, identify unauthorized senders, and fine-tune their authentication setup before enforcing stricter policies like quarantine or reject.
p=quarantine
The ‘quarantine’ policy is stricter than the ‘none’ policy and more lenient than the ‘reject’ policy. It instructs the recipients’ mail servers to place emails that fail the DMARC checks in the spam or junk folders instead of delivering them to the primary inboxes. This policy offers partial enforcement that reduces the risk of phishing and spoofing attacks, and it allows domain owners to monitor the impact before taking stringent action like blocking unauthorized emails entirely.
Most DMARC records don’t go beyond this policy because it still accommodates false positives: if a genuine email sent from your domain is falsely marked as illegitimate, it is still placed in the spam folder, so there is still a chance that the recipient will open and engage with it. Companies that can’t afford frequent bounce-backs find it feasible and safer to stay on the ‘quarantine’ policy.
p=reject
The ‘reject’ policy is the strictest DMARC configuration. It instructs the recipients’ mail servers to reject emails from your domain that fail DMARC authentication. With this policy in place, unauthorized or spoofed emails pretending to be sent by you or your representative are not delivered, preventing them from reaching the targeted recipients’ inboxes or spam folders.
Implementing the ‘reject’ policy is the most effective way to protect a domain from phishing and spoofing attacks. However, organizations typically transition to this policy gradually, starting with ‘none’ for monitoring, then ‘quarantine’ to test enforcement, and finally ‘reject’ once they are confident that all legitimate email sources are properly authenticated.
The ideal approach to reach the strictest configuration in DMARC
To safely transition from p=none to p=reject, domain owners or administrators must follow a structured approach over a few months, ensuring minimal disruptions to legitimate email flow.
Here’s a step-by-step transition plan:
1. Deploy SPF and DKIM (week 1-2)
DMARC is based on SPF and DKIM results. For an email to pass DMARC, it has to pass at least one of the protocols, if not both. So, create an SPF record, define authorized mail servers in it, and update it on your domain’s DNS. Next, generate public and private DKIM keys, publish the public key in DNS as a TXT record, and ensure mail servers sign outgoing emails with the private key.
2. Implement DMARC in monitoring mode (month 1-2)
After implementing SPF and DKIM with proper configurations, create a DMARC record for your domain and set it to p=none. Enable aggregate and forensic reports to get insights into which emails fail authentication checks. A regular and careful analysis of these reports will help you evaluate the frequency of false positives and the factors triggering them. These could be misconfigurations in SPF, DKIM, and DMARC records or wrong sending practices (like sending hundreds of emails without warming up the domain).
Apart from false positives, you also need to check whether an unauthorized server is being used to send emails from your domain. If one is detected, investigate further.
Before you move forward, ensure there are no major email delivery failures from legitimate sources.
3. Move to partial DMARC enforcement (month 3-4)
Gradually enforce the quarantine policy using the percentage tag (pct). This DMARC tag lets the domain owner specify the percentage of failing emails to which the policy (quarantine or reject) should be applied, allowing a strategic, phased enforcement without disrupting legitimate outgoing email.
So, start with p=quarantine; pct=25, sending only 25% of failing emails to spam. For best results and steady advancement towards the strictest enforcement, increase the percentage every 2-4 weeks until you reach 100%.
While practicing this, don’t forget to monitor the impact on delivery. To check this, keep evaluating the aggregate and forensic reports. Also, review the spam rates in email logs.
4. Full quarantine (month 5-6)
To achieve ‘full quarantine,’ you need to enforce pct=100. When this is done, all the unauthorized emails sent from your domain will be placed in the spam or junk folders of the recipients’ mailboxes, minimizing the chances of them engaging with a potential fraudulent message sent in your name.
5. Strictest enforcement (month 6-8)
Since p=reject is the strictest policy, it is better to start with partial enforcement at pct=50. This means the policy affects 50% of unauthorized emails from your domain, allowing some false positives to be delivered, even if they end up in the spam folder. Gradually increase the percentage, ideally once every 3-4 weeks. Aim for full ‘reject’ with pct=100, but it’s okay not to reach the strictest configuration if your organization can’t afford any false positives.
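The following is an added example (not code from the original post or from DMARCReport) that ties the three policies described above to the staged rollout in this plan. It evaluates a message the way a receiving server does: DMARC passes when SPF or DKIM passes with a domain that aligns with the From: domain (relaxed by default, strict when aspf/adkim=s), and a failing message gets the published policy subject to the pct sampling rule of RFC 7489, under which the unsampled remainder receives the next less strict policy. The organizational-domain helper is a simplification, and the records and message ids are constructed.

```python
import hashlib

def parse_dmarc(txt):
    """Parse a DMARC TXT record into a tag dict, e.g. {'v': 'DMARC1', 'p': 'reject'}."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def org_domain(domain):
    # Simplified organizational domain: last two labels (no Public Suffix List lookup).
    return ".".join(domain.lower().split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r') the same org domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc_pass(tags, from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """DMARC passes if SPF or DKIM passed AND that identifier aligns with the From: domain."""
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    return spf_ok or dkim_ok

NEXT_LOWER = {"reject": "quarantine", "quarantine": "none", "none": "none"}

def disposition(tags, message_id):
    """Action for a failing message. With pct<100, RFC 7489 applies p to pct% of failing
    mail and the next less strict policy to the rest; sampling is made deterministic by hashing."""
    policy = tags.get("p", "none")
    pct = int(tags.get("pct", "100"))
    bucket = int(hashlib.sha256(message_id.encode()).hexdigest(), 16) % 100
    return policy if bucket < pct else NEXT_LOWER[policy]

def rollout_stage_outcome(record, failing_ids):
    """Count the dispositions a batch of failing message ids would receive under one record."""
    tags = parse_dmarc(record)
    counts = {"reject": 0, "quarantine": 0, "none": 0}
    for mid in failing_ids:
        counts[disposition(tags, mid)] += 1
    return counts

# Constructed records for the stages of the plan above; example.com is a placeholder domain.
STAGES = ["v=DMARC1; p=none; rua=mailto:dmarc@example.com",
          "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@example.com",
          "v=DMARC1; p=reject; pct=50; rua=mailto:dmarc@example.com",
          "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example.com"]
```

Running `rollout_stage_outcome` on each entry of `STAGES` with the same batch of failing ids shows the shift from all-none, through a quarantine/none split, to a reject/quarantine split and finally all-reject.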
Keep DMARC reporting enabled
No matter what stage of DMARC enforcement you are at, don’t stop evaluating aggregate and forensic reports. These reports show whether an illegitimate sender is sending emails from your domain, and they also show how many false positives you are getting. If there are too many false positives, it’s advisable to transition back to a less strict policy so that communication doesn’t get hampered. We at DMARCReport can help you manage these reports and give you suggestions on policy adjustments. Contact us today to fix your DMARC reporting issues.
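As an added example (not DMARCReport’s tooling or code from the original post), here is the triage this section and step 2 describe, run over a constructed aggregate (RUA) report: a known sending IP that fails DMARC is a candidate false positive to fix in SPF/DKIM, while an unknown IP that fails is a candidate spoofing source to investigate. The inventory of known sending IPs is an assumption; a real inventory would come from your own mail infrastructure.

```python
import xml.etree.ElementTree as ET

# Constructed RUA aggregate report; IPs are from documentation ranges and domains are placeholders.
SAMPLE_REPORT = """<feedback>
  <report_metadata><org_name>receiver.example</org_name><report_id>42</report_id></report_metadata>
  <policy_published><domain>example.com</domain><p>quarantine</p><pct>25</pct></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>40</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>newsletter-vendor.example</domain><result>pass</result></spf></auth_results></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>300</count>
    <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>unknown.example</domain><result>none</result></spf></auth_results></record>
  <record><row><source_ip>192.0.2.20</source_ip><count>500</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim></auth_results></record>
</feedback>"""

# Assumed inventory of the organization's own sending IPs (constructed for this example).
KNOWN_SENDERS = {"192.0.2.10", "192.0.2.20"}

def triage_report(xml_text, known_senders):
    """Sort report rows into: aligned (passed DMARC), probable false positives (a known
    source failing, usually an SPF/DKIM misconfiguration) and unknown failing sources."""
    root = ET.fromstring(xml_text)
    out = {"aligned": [], "false_positive": [], "unknown_source": []}
    for rec in root.iter("record"):
        row = rec.find("row")
        ev = row.find("policy_evaluated")
        spf = rec.find("auth_results/spf")
        detail = {"ip": row.findtext("source_ip"), "count": int(row.findtext("count")),
                  "disposition": ev.findtext("disposition"),
                  "spf_domain": spf.findtext("domain") if spf is not None else None}
        # policy_evaluated holds the aligned results; either one passing is a DMARC pass.
        if "pass" in (ev.findtext("dkim"), ev.findtext("spf")):
            out["aligned"].append(detail)
        elif detail["ip"] in known_senders:
            out["false_positive"].append(detail)
        else:
            out["unknown_source"].append(detail)
    return out

def failure_rate(triaged):
    """Share of reported messages that failed DMARC, across all sources."""
    total = sum(d["count"] for rows in triaged.values() for d in rows)
    failed = sum(d["count"] for k in ("false_positive", "unknown_source") for d in triaged[k])
    return failed / total if total else 0.0
```

In the sample, the first row is the classic false positive: SPF passed for a vendor domain, but that domain does not align with the From: domain, so the row still fails DMARC.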