DMARC Guidance
DMARC Policy Settings
DMARC has three policy settings: none, quarantine, and reject. These settings determine what happens to messages that fail DMARC authentication.
none: No action is taken. This is the default setting. If you are just starting with DMARC, use this setting to monitor your email traffic and discover all the sources of email that are sent on behalf of your domain.
quarantine: Messages that fail DMARC authentication are sent to the spam or junk folder. Most email providers support this setting.
reject: Messages that fail DMARC authentication are rejected. This is the most secure setting and you should plan to reach this state eventually. Be aware that some email providers treat reject the same as quarantine.
DMARC also has domain and subdomain policy settings. Domain Policy (p=) is the policy that applies to the domain itself, and Subdomain Policy (sp=) is the policy that applies to all subdomains of the parent domain. If you do not specify a Subdomain Policy, then Domain Policy will be used for all subdomains.
You can create specific DMARC records for subdomains if you want to have different policies for different subdomains or want to override the subdomain policy set on the parent domain.
Journey to Rejection
Ultimately, your DMARC policy should reach a reject setting, combined with an SPF policy of -all and DKIM signatures attached by all senders. This ensures that only email that is sent from your authorised sources is delivered to the recipient's inbox and any other email is rejected.
The journey to a reject policy is a gradual process. Depending on your organisation, it can take months to reach a reject policy. For example, your organisation may have many third-party services that send email on behalf of your domain, such as accounting systems, marketing platforms, customer support systems, and so on. Each of these services will need to be configured to send email that is aligned with your DMARC policy.
Start with a none policy to discover all senders using your domain. Using the VerifyDMARC Dashboard and Senders pages, work on all legitimate sources of email to ensure they are using DKIM and sending from sources that are authorised by your SPF record.
Sometimes you're faced with a situation where a service sends legitimate email from your domain but cannot support DKIM. In this case you have to rely on SPF pass and alignment alone. In the context of DMARC, an SPF pass means more than a literal SPF pass: SPF must pass AND the envelope From (MAIL FROM) domain must be aligned with the header From domain. So a message may pass SPF in the literal sense and still not count as a DMARC SPF pass. See Dealing with Authorised but Non-Compliant Sources below.
Dealing with Low Compliance
If you have a low Compliant %, you should use the View Senders link on the Dashboard to see where messages are originating from for your domain. This will help you identify authorised but not correctly configured sources of email, as well as unauthorised sources of email. See the Senders page for more information.
If you had a high Compliant % and it has dropped, you may have a new source of email that is not correctly configured, e.g. shadow IT. You should review the Senders page to identify the source of the problem and work to implement DKIM and SPF alignment for that source.
Dealing with Authorised but Non-Compliant Sources
All organisations have technical debt, and sometimes legacy systems just cannot support DKIM, or construct email headers in a way that breaks SPF authentication. If nothing can be done about these systems, consider reconfiguring them to send using a subdomain, e.g. legacy.example.com, and then set up a specific DMARC and SPF record for that subdomain with a more relaxed configuration. This will allow you to move your parent domain to a reject policy and still allow the legacy systems to send email.
Another option, if your application cannot support DKIM but otherwise doesn't construct email headers in a way that breaks SPF, is to use a third-party SMTP service that can sign email with DKIM on your behalf.
Dealing with Unauthorised Sources
The best way to deal with unauthorised sources of email is to set your DMARC policy to reject. Although you can settle for quarantine, some users may still retrieve convincing emails impersonating your organisation from their spam or junk folder. Some mail receivers treat reject and quarantine the same.
Dealing with Parked Domains
If you have parked domains that do not send email, you should add these domains to VerifyDMARC and set up DMARC records for these domains with a policy of reject, and an empty SPF record with a -all mechanism, e.g. v=spf1 -all. This will prevent these domains from being used to conduct impersonation attacks, especially as parked domains are often variants on your brand name.
DMARC Strict vs Relaxed Alignment
DMARC has two alignment modes: strict and relaxed. The default is relaxed. There is limited additional protection gained by using strict mode, and a higher burden of administration. You can enable strict alignment, if you understand the implications, by adding adkim=s and/or aspf=s tags to your DMARC record.
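As an added illustration of the tags this guide covers (p=, sp=, adkim=, aspf=) and of the alignment rule behind a DMARC SPF pass, here is a small DMARC evaluator. It is example code written for this page, not VerifyDMARC's implementation, and it approximates the organisational domain with the last two labels rather than the Public Suffix List.

```python
def parse_dmarc(record: str) -> dict:
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; sp=none; adkim=s'."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record (needs v=DMARC1 and p=)")
    return tags

def org_domain(domain: str) -> str:
    """Organisational domain, approximated as the last two labels (assumption:
    real receivers consult the Public Suffix List, so co.uk etc. differ)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Relaxed ('r'): organisational domains match. Strict ('s'): exact match."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def effective_policy(tags: dict, from_domain: str, record_domain: str) -> str:
    """sp= applies only to subdomains of the domain that published the record;
    otherwise, or when sp= is absent, p= applies."""
    if from_domain.lower() != record_domain.lower() and "sp" in tags:
        return tags["sp"]
    return tags["p"]

def evaluate(record: str, record_domain: str, from_domain: str,
             spf_pass: bool, mail_from_domain: str,
             dkim_pass: bool = False, dkim_domain: str = "") -> str:
    """Return 'pass', or the disposition ('none', 'quarantine', 'reject') applied
    when neither SPF nor DKIM is both authenticated and aligned with the From domain."""
    tags = parse_dmarc(record)
    spf_ok = spf_pass and aligned(from_domain, mail_from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_pass and bool(dkim_domain) and \
        aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"
    return effective_policy(tags, from_domain, record_domain)

if __name__ == "__main__":
    parent = "v=DMARC1; p=reject"  # constructed record for the parent domain
    # SPF passes on bounce.example.com: aligned in relaxed mode, not under aspf=s.
    print(evaluate(parent, "example.com", "example.com", True, "bounce.example.com"))
    print(evaluate(parent + "; aspf=s", "example.com", "example.com", True, "bounce.example.com"))
    # Legacy system with no DKIM and unaligned SPF, on its own relaxed subdomain record.
    print(evaluate("v=DMARC1; p=none", "legacy.example.com", "legacy.example.com", True, "mailer.example.net"))
```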
References
- RFC 7489 section 3.1.1 DKIM-Authenticated Identifiers
- RFC 7489 section 3.1.2 SPF-Authenticated Identifiers