DMARC Guidance
DMARC Policy Settings
DMARC has three policy settings: none, quarantine, and reject. These settings determine what happens to messages that fail DMARC authentication.
- none: No action is taken. This is the default setting. If you are just starting with DMARC, use this setting to monitor your email traffic and discover all the sources of email that are sent on behalf of your domain.
- quarantine: Messages that fail DMARC authentication are sent to the spam or junk folder. Most email providers support this setting.
- reject: Messages that fail DMARC authentication are rejected. This is the most secure setting and you should plan to reach this state eventually. Be aware that some email providers treat reject the same as quarantine.
DMARC also has domain and subdomain policy settings. Domain Policy (p=) is the policy that applies to the domain itself, and Subdomain Policy (sp=) is the policy that applies to all subdomains of the parent domain. If you do not specify a Subdomain Policy, then the Domain Policy will be used for all subdomains.
You can create specific DMARC records for subdomains if you want to have different policies for different subdomains or want to override the subdomain policy set on the parent domain.
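The p= / sp= fallback described above, as an added example (not VerifyDMARC's own code): a small parser for a DMARC TXT record and a function that returns the policy a receiver would apply to a given From: domain. The record and domain names are constructed, and the example models only the case where the subdomain has no DMARC record of its own.

```python
# Added example, not VerifyDMARC's code: parse a DMARC record and decide which
# policy (p= or sp=) applies to a sending domain. Values are constructed.

POLICIES = ("none", "quarantine", "reject")

def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=none; sp=reject; ...' into a tag dictionary."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    if tags.get("p") not in POLICIES:
        raise ValueError("p= must be none, quarantine or reject")
    if "sp" in tags and tags["sp"] not in POLICIES:
        raise ValueError("sp= must be none, quarantine or reject")
    return tags

def effective_policy(record: str, policy_domain: str, from_domain: str) -> str:
    """Policy applied to mail whose From: domain is from_domain, given the
    DMARC record published at _dmarc.<policy_domain>:
      exact match -> p=
      subdomain   -> sp= if present, otherwise p=
    Assumes the subdomain publishes no DMARC record of its own."""
    tags = parse_dmarc(record)
    policy_domain = policy_domain.lower().rstrip(".")
    from_domain = from_domain.lower().rstrip(".")
    if from_domain == policy_domain:
        return tags["p"]
    if from_domain.endswith("." + policy_domain):
        return tags.get("sp", tags["p"])
    raise ValueError(f"{from_domain} is not {policy_domain} or a subdomain of it")

# Constructed record: the parent domain is still monitoring (p=none) while
# subdomains, which never send mail, are already set to reject.
EXAMPLE_RECORD = "v=DMARC1; p=none; sp=reject; rua=mailto:dmarc-reports@example.com"

if __name__ == "__main__":
    print(effective_policy(EXAMPLE_RECORD, "example.com", "example.com"))       # none
    print(effective_policy(EXAMPLE_RECORD, "example.com", "news.example.com"))  # reject
```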
Journey to Rejection
Ultimately, your DMARC policy should reach a reject setting with all senders passing DKIM checks with alignment and passing SPF (with alignment where possible). This ensures that only email sent from your authorised sources is delivered to the recipient's inbox, and any other email is rejected.
The journey to a reject policy is a gradual process. Depending on your organisation, it can take months to reach a reject policy. For example, your organisation may have many third-party services that send email on behalf of your domain, such as accounting systems, marketing platforms, customer support systems, and so on. Each of these services will need to be configured to send email that is aligned with your DMARC policy.
Start with a none policy to discover all senders using your domain. Using the VerifyDMARC Dashboard and Senders pages, work through all legitimate sources of email to ensure they are using DKIM and sending from sources that are authorised by your SPF record.
Sometimes you're faced with a situation where a service is sending legitimate email from your domain but cannot support DKIM. In this case you have to rely on SPF pass and alignment only. In the context of DMARC, an SPF pass doesn't just mean that SPF passed; it means that SPF passed AND the envelope From domain is aligned with the header From domain. So you may be passing SPF in the literal sense, but it is not a DMARC SPF pass. See further down about dealing with authorised but non-compliant sources.
Dealing with Low Compliance
If you have a low Compliant %, you should use the View Senders link on the Dashboard to see where messages are originating from for your domain. This will help you identify authorised but incorrectly configured sources of email, as well as unauthorised sources of email. See the Senders page for more information.
If you had a high Compliant % and it has dropped, you may have a new source of email that is not correctly configured, e.g. shadow IT. You should review the Senders page to identify the source of the problem and work to implement DKIM and SPF alignment for that source.
Dealing with Authorised but Non-Compliant Sources
All organisations have technical debt and sometimes legacy systems just cannot support DKIM or reliably pass SPF checks with alignment. Consider reconfiguring these systems to send via a third-party SMTP service that can sign email with DKIM on your behalf. If the system does not support SMTP authentication, use an SMTP service that supports IP authentication.
Dealing with Unauthorised Sources
The best way to deal with unauthorised sources of email is to set your DMARC policy to reject. Although you can settle for quarantine, some users may still retrieve convincing emails impersonating your organisation from their spam or junk folder. Some mail receivers treat reject and quarantine the same.
Dealing with Parked Domains
If you have parked domains that do not send email, you should add these domains to VerifyDMARC and set up DMARC records for these domains with a policy of reject, and an empty SPF record with a -all mechanism, e.g. v=spf1 -all. This will prevent these domains being used to conduct impersonation attacks, especially as parked domains are often variants of your brand name.
Toggle the parked flag on in VerifyDMARC on the Domains page to ensure they are set up correctly and to be notified if their state changes.
DMARC Strict vs Relaxed Alignment
DMARC has two alignment modes: strict and relaxed. The default is relaxed. There is limited additional protection gained by using strict mode, and a higher burden of administration. You can enable strict alignment, if you understand the implications, by adding adkim=s and/or aspf=s tags to your DMARC record.
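The alignment rules behind both the "SPF pass is not a DMARC SPF pass" point above and the strict/relaxed modes, as an added example (not VerifyDMARC's own code): it evaluates one message's SPF and DKIM results against the header From domain under adkim/aspf settings. Simplifying assumption: the organisational domain is taken to be the last two labels, whereas real receivers use the Public Suffix List; all domain names are constructed.

```python
# Added example, not VerifyDMARC's code: DMARC identifier alignment under
# relaxed (adkim=r / aspf=r) and strict (adkim=s / aspf=s) modes.
# Simplifying assumption: organisational domain = last two labels. Real
# receivers consult the Public Suffix List so that e.g. co.uk works correctly.

def organisational_domain(domain: str) -> str:
    """Constructed simplification of the organisational-domain lookup."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def aligned(header_from: str, auth_domain: str, mode: str) -> bool:
    """Strict (s): the domains must match exactly.
    Relaxed (r): the domains need only share an organisational domain."""
    if mode == "s":
        return header_from.lower().rstrip(".") == auth_domain.lower().rstrip(".")
    return organisational_domain(header_from) == organisational_domain(auth_domain)

def dmarc_evaluate(header_from, spf_result, envelope_from,
                   dkim_result, dkim_d="", adkim="r", aspf="r"):
    """DMARC passes if there is an aligned SPF pass OR an aligned DKIM pass.
    A literal SPF pass on an unaligned envelope From domain does not count."""
    spf_aligned = spf_result == "pass" and aligned(header_from, envelope_from, aspf)
    dkim_aligned = (dkim_result == "pass" and bool(dkim_d)
                    and aligned(header_from, dkim_d, adkim))
    return {"spf_aligned": spf_aligned, "dkim_aligned": dkim_aligned,
            "dmarc_pass": spf_aligned or dkim_aligned}

if __name__ == "__main__":
    # Constructed case 1: a third-party service bounces to its own domain.
    # SPF passes literally but is not aligned, and there is no DKIM: DMARC fails.
    print(dmarc_evaluate("example.com", "pass", "bounce.mailer.net", "none"))
    # Constructed case 2: the same service now signs with d=mail.example.com.
    # Relaxed alignment passes; strict alignment (adkim=s) does not.
    print(dmarc_evaluate("example.com", "pass", "bounce.mailer.net",
                         "pass", "mail.example.com"))
    print(dmarc_evaluate("example.com", "pass", "bounce.mailer.net",
                         "pass", "mail.example.com", adkim="s"))
```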
References
- RFC 7489 section 3.1.1 DKIM-Authenticated Identifiers
- RFC 7489 section 3.1.2 SPF-Authenticated Identifiers