Switch From p=quarantine to p=reject in DMARC?

It’s no news that domains with an enforced DMARC policy are harder to use in phishing campaigns than those without one. In fact, domains without DMARC enforcement are 4.75x more likely to be the target of spoofing than domains with DMARC enforcement.

There are three DMARC policies, and each one tells recipients’ mail servers what to do with messages that carry your domain in the From: header but fail DMARC authentication. This blog walks through those policies and explains which one you should publish, depending on how your domain sends mail and how complex your sending architecture is.

DMARC Policies: None, Quarantine, and Reject

DMARC stands for Domain-based Message Authentication, Reporting, and Conformance. It’s an email authentication protocol that tells receivers what to do with messages that use your domain in the From: header and fail DMARC, that is, messages with neither an SPF pass nor a DKIM pass from a domain aligned with the From: domain (one aligned pass is enough). It also sends you reports on who is sending mail as your domain. It’s such an effective, measurable control that PCI DSS v4.0 now names DMARC as an example of the anti-phishing mechanisms it requires to safeguard cardholder details against phishing and spoofing attacks.

The three DMARC policies are none, quarantine, and reject. You can change the policy whenever you want, but monitoring your domain’s DMARC reports is the only reliable way to judge when a transition is safe. We’ll cover that in the following sections; first, a quick look at what each policy tells receivers to do:

[Image: the three DMARC policies (none, quarantine, reject), sourced from threatcop.com]

Monitor or None Policy (p=none)

It’s the starting point of a DMARC rollout: receivers take no action on messages that fail DMARC but send you reports, so you can see every source that sends mail with your domain in the From: header, both authorized and unauthorized. This phase shows domain owners how their domain is actually being used and whether malicious actors are already spoofing it.

Quarantine Policy (p=quarantine)

It’s the first step from a lenient to a stricter policy. The quarantine policy tells receivers to treat messages that fail DMARC as suspicious and deliver them to the spam or junk folder rather than the inbox.

Bear in mind that DMARC also produces false positives: legitimate mail fails when it is sent from a source whose SPF or DKIM identifier does not align with your domain, for example an unlisted third-party sender, or a mailing list or forwarding hop that rewrites the envelope sender or the message body. With p=quarantine, those misidentified messages still reach the intended recipients’ mailboxes, just in the spam folder instead of the primary inbox.

For example, suppose you launch an email marketing campaign and 10% of the messages fail DMARC authentication. Under p=quarantine that 10% still lands in spam folders, where some recipients will still find and open them, so your effort isn’t completely wasted.

This intermediate step also prepares you for the strictest policy. Before moving on, you need to be sure that most, ideally all, of your legitimate mail passes DMARC. In simpler words, you wait until the false-positive rate in your reports is as close to zero as you can get it.

Reject Policy (p=reject)

It’s the strictest policy: it instructs receivers to reject messages that fail DMARC outright, so they never reach a mailbox at all. Reject is the ultimate goal of DMARC deployment; however, not all domain owners have the confidence to reach this level because of the fear of false positives. That is probably why, as of June 2023, only 48% of banks in the UK had implemented the reject policy.

So, When Should You Switch From None to Quarantine to Reject?

You need to start receiving DMARC reports and analyze them regularly to understand how your domain is used and where it is exposed before switching policies. Start with the none policy, review the reports for a few weeks, and then move to the quarantine policy.

Don’t rush the step from quarantine to reject, however: it carries the risk of losing important conversations with clients, prospects, employees, investors, etc., because under p=reject a false positive bounces the message instead of merely diverting it to spam.

Ideally, the switch should happen in stages, which means applying the strictest policy to only a small, pre-specified share of messages at first. This is done with the percentage tag (pct).

For example:  v=DMARC1; p=reject; pct=20

The pct tag does not sample all of your outgoing mail, only messages that fail DMARC: in the example above, 20% of failing messages get the reject policy, and the other 80% fall back to the next weaker policy, quarantine (with p=quarantine, the remainder fall back to none). A message that passes DMARC is never affected by pct.

You can gradually increase the percentage as you gain confidence from monitoring DMARC reports. Not every receiver honors pct in the same way, so confirm the effect in the reported dispositions rather than assuming it.
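To make the policy, alignment and pct semantics above concrete, here is an added example (not code from the original post) that evaluates a DMARC record the way a receiving MTA does under RFC 7489: a message passes when either SPF or DKIM passes from a domain aligned with the From: domain, and pct samples only the failing messages, with the rest getting the next weaker policy. The record strings, the example.com / esp-provider.net / attacker.net domains and the tiny public-suffix table are constructed for illustration; a real implementation derives the organizational domain from the full Public Suffix List. The main block also shows the common third-party-sender case: an ESP whose SPF passes but does not align, rescued by an aligned DKIM signature.

```python
"""Evaluate a DMARC record plus a message's SPF/DKIM results as a receiver would.
Added example; domains, records and the suffix table are constructed."""
from __future__ import annotations
import random

# Constructed, deliberately tiny stand-in for the Public Suffix List.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk", "org.uk"}


def org_domain(domain: str) -> str:
    """Organizational domain = public suffix plus one more label (simplified PSL lookup)."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        if ".".join(labels[i + 1:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i:])
    return ".".join(labels[-2:])


def parse_dmarc_record(txt: str) -> dict:
    """Parse a DMARC TXT record into a tag dict and apply the RFC 7489 defaults."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError(f"not a valid DMARC record: {txt!r}")
    tags.setdefault("sp", tags["p"])   # subdomain policy defaults to p
    tags.setdefault("adkim", "r")      # relaxed alignment unless stated
    tags.setdefault("aspf", "r")
    tags.setdefault("pct", "100")      # policy applies to all failing mail by default
    if not 0 <= int(tags["pct"]) <= 100:
        raise ValueError("pct must be between 0 and 100")
    return tags


def aligned(auth_domain: str | None, from_domain: str, mode: str) -> bool:
    """Identifier alignment: strict (s) needs an exact match, relaxed (r) the same org domain."""
    if not auth_domain:
        return False
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def dmarc_result(record: dict, from_domain: str, spf: tuple[str, str] | None,
                 dkim: tuple[str, str] | None) -> str:
    """spf/dkim are (result, domain) pairs: SPF's Return-Path domain and DKIM's d= tag,
    or None when absent. One aligned pass is enough for DMARC to pass."""
    spf_ok = spf is not None and spf[0] == "pass" and aligned(spf[1], from_domain, record["aspf"])
    dkim_ok = dkim is not None and dkim[0] == "pass" and aligned(dkim[1], from_domain, record["adkim"])
    return "pass" if spf_ok or dkim_ok else "fail"


NEXT_WEAKER = {"reject": "quarantine", "quarantine": "none", "none": "none"}


def disposition(record: dict, result: str, is_subdomain: bool = False,
                sample: int | None = None) -> str:
    """Action the receiver applies. pct samples only *failing* messages; the unsampled
    remainder get the next weaker policy, so p=reject; pct=20 rejects 20% of failures
    and quarantines the other 80%. `sample` (0-99) may be injected for reproducibility."""
    if result == "pass":
        return "none"
    policy = record["sp"] if is_subdomain else record["p"]
    if sample is None:
        sample = random.randrange(100)
    return policy if sample < int(record["pct"]) else NEXT_WEAKER[policy]


if __name__ == "__main__":
    rec = parse_dmarc_record("v=DMARC1; p=reject; pct=20; rua=mailto:dmarc@example.com")
    # Marketing ESP: SPF passes for its own bounce domain (not aligned), DKIM is
    # signed with d=example.com (aligned) -> DMARC pass, no action.
    esp = dmarc_result(rec, "example.com", ("pass", "bounce.esp-provider.net"), ("pass", "example.com"))
    print("ESP message:", esp, disposition(rec, esp))
    # Spoofed message: SPF passes for attacker.net, no DKIM -> fail; 20% rejected, rest quarantined.
    spoof = dmarc_result(rec, "example.com", ("pass", "attacker.net"), None)
    print("spoofed message:", spoof, disposition(rec, spoof, sample=5), disposition(rec, spoof, sample=50))
```

Run it directly to see both cases; the sampling draw is injectable so the pct behaviour can be checked deterministically.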

Step-by-Step Guide to Make a Smooth Transition

As said above, plan the transition so that your email conversations and campaigns aren’t disrupted; after all, you implemented DMARC to improve your email infrastructure, not to break it.

Here is a basic plan that you can tweak to your business domain’s requirements and way of working.

Step 1: Start Receiving Reports

There are two types of DMARC reports: RUA and RUF. RUA (aggregate) reports are XML summaries that receivers send periodically, usually once a day, listing every source IP that sent mail with your domain in the From: header, how many messages it sent, and whether SPF and DKIM passed and aligned. RUF (failure, or forensic) reports are per-message reports that a receiver may send when an individual message fails DMARC; many large receivers don’t send them at all for privacy reasons, so plan around RUA. We automatically send these reports to the email address you provide, eliminating the need to log into any portal.

To start receiving these reports, add rua and ruf tags to your DMARC record, each pointing at a mailto: address. One caveat: if the report mailbox lives in a different organizational domain from the one publishing the record, the destination domain must publish a TXT record named yourdomain._report._dmarc.destinationdomain containing v=DMARC1, or receivers will silently skip sending reports there.

Step 2: Diligently Evaluate the DMARC Reports

Regularly analyze the DMARC reports during the “none” policy phase to learn which sources send mail as your domain and whether each one passes with aligned SPF, aligned DKIM, or neither. Look for anomalies, unauthorized senders, or suspicious patterns that may indicate phishing attempts, and separately for legitimate senders you forgot to authenticate.

Step 3: Switch to Quarantine

It’s best to make the move when only a small percentage of your legitimate mail still fails authentication. Readiness for this transition differs, depending on the nature of the domain and the business intricacies involved.

Use the pct tag: set it to a small percentage at first and raise it in steps so the process stays smooth.

Step 4: Switch to Reject

Move to the strictest policy when false positives are minimal. Properly prepared, the reject policy doesn’t hurt legitimate email flow or deliverability. Delay the switch if important emails are still landing in spam folders under quarantine. Once you’re confident that your vital messages reach recipients’ inboxes, proceed to 100 percent enforcement (pct=100, or simply drop the tag).
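The four steps above come down to reading aggregate reports and computing one number: the share of mail from your known, legitimate sources that passes DMARC. The following is an added example, not code from the original post, that parses a constructed RUA report in the RFC 7489 Appendix C schema, separates unknown failing sources (the spoofing you want to block) from known sources that fail (the false positives that should delay you), and applies assumed readiness thresholds of 95% for quarantine and 99% for reject over a hypothetical allow-list of known senders. The IPs, domains and thresholds are all constructed.

```python
"""Summarize a DMARC aggregate (RUA) report and judge readiness for quarantine/reject.
Added example; the report, the allow-list and the thresholds are constructed."""
from __future__ import annotations
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample report. Three sources: the corporate MTA (SPF and DKIM
# aligned), a marketing ESP that DKIM-signs with the domain's key but uses its
# own bounce domain (DKIM-aligned only), and an unknown host whose SPF passes
# for attacker.net but aligns with nothing (note the raw <spf><result> is "pass"
# while <policy_evaluated><spf> is "fail": the aligned verdict is what counts).
SAMPLE_RUA = """<?xml version="1.0"?>
<feedback>
 <report_metadata><org_name>receiver.example</org_name><report_id>constructed-0001</report_id>
  <date_range><begin>1700000000</begin><end>1700086400</end></date_range></report_metadata>
 <policy_published><domain>example.com</domain><adkim>r</adkim><aspf>r</aspf>
  <p>none</p><sp>none</sp><pct>100</pct></policy_published>
 <record>
  <row><source_ip>192.0.2.10</source_ip><count>900</count>
   <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results><dkim><domain>example.com</domain><selector>corp</selector><result>pass</result></dkim>
   <spf><domain>example.com</domain><result>pass</result></spf></auth_results>
 </record>
 <record>
  <row><source_ip>198.51.100.25</source_ip><count>300</count>
   <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results><dkim><domain>example.com</domain><selector>esp1</selector><result>pass</result></dkim>
   <spf><domain>bounce.esp-provider.net</domain><result>pass</result></spf></auth_results>
 </record>
 <record>
  <row><source_ip>203.0.113.77</source_ip><count>40</count>
   <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results><spf><domain>attacker.net</domain><result>pass</result></spf></auth_results>
 </record>
</feedback>"""

# Hypothetical allow-list of sources known to send on the domain's behalf.
KNOWN_SOURCES = {"192.0.2.10": "corporate MTA", "198.51.100.25": "marketing ESP"}


def parse_rua(xml_text: str) -> list[dict]:
    """Flatten each <record> into a dict carrying the *aligned* SPF/DKIM verdicts."""
    rows = []
    for rec in ET.fromstring(xml_text).iter("record"):
        pe = rec.find("row/policy_evaluated")
        spf_domain = rec.find("auth_results/spf/domain")
        rows.append({
            "ip": rec.findtext("row/source_ip"),
            "count": int(rec.findtext("row/count")),
            "header_from": rec.findtext("identifiers/header_from"),
            "dkim_aligned": pe.findtext("dkim") == "pass",
            "spf_aligned": pe.findtext("spf") == "pass",
            "spf_domain": spf_domain.text if spf_domain is not None else None,
            "disposition": pe.findtext("disposition"),
        })
    return rows


def summarize(rows: list[dict], known: dict[str, str] = KNOWN_SOURCES) -> dict:
    """Per-source totals, unknown sources that fail, and the pass rate of *known* mail.
    Only known sources count toward readiness: failures from unknown hosts are the
    spoofing that enforcement is meant to stop, not a reason to delay it."""
    per_ip: dict[str, dict] = defaultdict(lambda: {"total": 0, "dmarc_pass": 0, "known": False})
    for r in rows:
        s = per_ip[r["ip"]]
        s["total"] += r["count"]
        s["known"] = r["ip"] in known
        if r["dkim_aligned"] or r["spf_aligned"]:  # either aligned pass is a DMARC pass
            s["dmarc_pass"] += r["count"]
    known_total = sum(s["total"] for s in per_ip.values() if s["known"])
    known_pass = sum(s["dmarc_pass"] for s in per_ip.values() if s["known"])
    return {
        "sources": dict(per_ip),
        "unknown_failing": sorted(ip for ip, s in per_ip.items()
                                  if not s["known"] and s["dmarc_pass"] < s["total"]),
        "legit_pass_rate": known_pass / known_total if known_total else 0.0,
    }


def recommend(summary: dict, quarantine_at: float = 0.95, reject_at: float = 0.99) -> str:
    """Readiness rule with assumed thresholds on the legitimate pass rate."""
    rate = summary["legit_pass_rate"]
    if rate >= reject_at:
        return "reject"
    if rate >= quarantine_at:
        return "quarantine"
    return "none"


if __name__ == "__main__":
    summary = summarize(parse_rua(SAMPLE_RUA))
    for ip, s in summary["sources"].items():
        print(f"{ip:15} known={s['known']!s:5} total={s['total']:4} dmarc_pass={s['dmarc_pass']:4}")
    print("unknown failing sources:", summary["unknown_failing"])
    print(f"legitimate pass rate: {summary['legit_pass_rate']:.1%} -> recommend p={recommend(summary)}")
```

In this report all 1,200 messages from known sources pass, so the recommendation is reject; if 203.0.113.77 turned out to be a forgotten legitimate system and were added to the allow-list, the legitimate pass rate would drop to about 95.7% and the recommendation would fall back to quarantine until that host is authenticated. That is the decision loop the four steps describe, run over real reports instead of guesswork.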

Critical Considerations for Transitioning Policies

Here’s what you need to keep in mind-

Gradual Policy Implementation

An abrupt jump to a strict policy bounces or junks every legitimate message from a sending source you haven’t yet authenticated, which jeopardizes genuine communications between your company and clients or prospects on multiple levels. Move in stages so that each reporting cycle can reveal the sources you missed before the policy bites.

Collaboration With Third-Party Senders

Ensure third-party senders (marketing platforms, CRMs, ticketing systems, payroll providers) authenticate in a way that aligns with your domain: either they DKIM-sign with a selector published under your domain, or they send with a bounce (Return-Path) domain that you control and whose SPF record lists their servers. Otherwise, genuine emails they send on your behalf will fail DMARC at recipients’ mail servers. DKIM alignment is the more robust option, since SPF alignment breaks whenever a message is forwarded.

Monitoring and Adjusting

Adjust the policy and the pct value as your evaluation of the DMARC reports dictates, and keep watching after every change; the reports are the only feedback you get from receivers.

User Education

Communicate policy changes to internal stakeholders and educate users about the importance of DMARC in enhancing email security. Provide guidance on recognizing and reporting suspicious emails.

DMARC Report Monitoring is the Key

DMARC report monitoring is the ongoing review of your domain’s email activity to identify unauthorized and potentially fraudulent senders. It also tells you what percentage of your own messages is failing authentication, which is the number that decides when you can safely tighten the policy.

To get started with DMARC Reporting, book a demo. We’ll warn you when your domain’s DNS configuration changes. We’ll even tell you when your emails aren’t sent due to deliverability issues, security threats, and more. Even better, you’ll get these warnings delivered straight to your inbox.
