What should my DMARC policy be?

So you’re getting serious about implementing email authentication for your business. At this point you should have completed the first steps of publishing an SPF record and setting up DKIM signing for your mail, and now you might be wondering how to use DMARC to control fraudulent emails that claim to come from your domain. Let’s go through each DMARC policy with specific use case scenarios.


Understanding DMARC Policies

Your DMARC policy is published as a TXT record in DNS at _dmarc.yourdomain, and it is read by the receiving mail servers, not by your own. It tells a receiver what to do with a message that uses your domain in the From: header but fails DMARC, which means that neither SPF nor DKIM produced a pass for a domain aligned with that From: domain. The policy is set with the p= tag, and you have three options:


p=none

The ‘none’ policy is essentially a monitoring mode. With ‘p=none’, emails that fail DMARC checks are handled exactly as they would be without DMARC (the receiver’s normal spam filtering still applies), but you’ll receive valuable aggregate reports, sent to the address in your rua= tag, showing which sources send mail as your domain and whether that mail passes SPF and DKIM with alignment.

Use Case Scenarios:

  • Initial Implementation: Perfect for when you first enable DMARC, as it allows you to gather data on your email ecosystem without impacting email deliverability.
  • Data Gathering: Use this policy to identify issues with SPF and DKIM configurations and understand where legitimate emails might fail so you can fix these before enforcing stricter policies.

p=quarantine

This policy elevates your email security by asking receivers to treat messages that fail DMARC checks as suspicious; in practice most deliver them to the recipient’s spam or junk folder. It’s a balanced approach that protects your reputation while reducing the risk that malicious emails reach your audience, and a misconfigured legitimate sender still gets delivered, just not to the inbox.

Use Case Scenarios:

  • Pre-Enforcement Stage: When you’re confident in your SPF and DKIM setup but want to mitigate risk before committing to the strictest policy.
  • Sensitive Industries: Quarantine can be a test stage for sectors like finance and healthcare, where the damage from malicious emails can be significant, allowing you to check real-world impacts of stronger policies.

p=reject

This is the strongest stance on email security. The ‘reject’ policy instructs receiving servers to refuse emails that fail authentication outright, typically at SMTP time, so the message is never delivered and the sending server sees a bounce. This is the most effective guard against phishing and spoofing of your exact domain. Keep in mind that DMARC only covers domains you publish a policy for; lookalike domains (yourbrand-support.com) are outside its scope.

Use Case Scenarios:

  • Mature Implementation: Best for when your DMARC setup is thoroughly vetted and every legitimate mail source, including third-party platforms that send on your behalf, passes SPF or DKIM with alignment.
  • High-Risk Brands: If your brand is frequently spoofed or a target for phishing, such as major retail or financial enterprises, adopting ‘reject’ helps maintain trust and authority.

Transitioning Between DMARC Policies

At 101domain, we recommend shifting from ‘none’ to ‘quarantine’ and ultimately to ‘reject’ for best results. This mitigates the risk of rejecting legitimate mail you forgot about. Two tags help with a gradual rollout: pct= applies the stricter policy to only a fraction of failing mail (for example pct=25; mail not selected gets the next less strict policy), and sp= sets a separate policy for subdomains, which otherwise inherit p=.

  1. Start with Monitoring: Use ‘p=none’ to evaluate email sending practices and gain insights from DMARC reports.
  2. Shift to Quarantine: Move to ‘p=quarantine’ once you have resolved the issues identified in the monitoring phase. Keep watching the reports for legitimate mail that is now being quarantined, and check your bounce and complaint rates.
  3. Final Enforcement: Confident with your email systems? Transition to ‘p=reject’ to fully protect your domain.
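To make concrete what “fails DMARC” means under each of the three policies above, and what pct= and sp= do during the staged rollout, here is an added example in Python. It is not code from this article or from 101domain; it models the check a receiving server performs. The example.com records, the report address and the helper names are assumptions, and a real receiver consults the Public Suffix List for the organizational domain, which the org_domain helper only approximates.

```python
"""Evaluate DMARC the way a receiving server does, under each policy.

Added example, not code from the original article or from 101domain. The record
strings, the domain example.com and the helper names are illustrative assumptions.
"""
import random

# The three policies from the article as they would be published in DNS, as the
# TXT record at _dmarc.example.com. Only the p= value differs.
RECORDS = {
    "none": "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com",
    "quarantine": "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.com",
    "reject": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com",
}


def parse_dmarc_record(txt):
    """Split a DMARC TXT record into tag=value pairs, filling in RFC 7489 defaults."""
    tags = {"adkim": "r", "aspf": "r", "pct": "100"}
    for part in txt.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a usable DMARC record: %r" % txt)
    tags.setdefault("sp", tags["p"])  # subdomains inherit p= unless sp= is published
    return tags


def org_domain(domain):
    """Reduce a domain to its organizational domain (here: the last two labels).
    Assumption: good enough for .com; a real receiver uses the Public Suffix List."""
    return ".".join(domain.lower().rsplit(".", 2)[-2:])


def aligned(header_from, auth_domain, mode):
    """Identifier alignment: strict (s) needs an exact match; relaxed (r) accepts
    any domain that shares the organizational domain with the From: domain."""
    if mode == "s":
        return header_from.lower() == auth_domain.lower()
    return org_domain(header_from) == org_domain(auth_domain)


def dmarc_disposition(record, record_domain, header_from,
                      spf_result, spf_domain, dkim_result, dkim_domain,
                      rng=random.random):
    """Return "pass", "none", "quarantine" or "reject" for one message.

    spf_domain is the envelope (RFC5321.MailFrom) domain SPF checked, dkim_domain
    the d= of the signature. DMARC passes only if SPF or DKIM passed *and* that
    domain aligns with the From: header domain. Otherwise the published policy
    applies (p= for the domain itself, sp= for a subdomain), subject to pct=.
    """
    tags = parse_dmarc_record(record)
    spf_ok = spf_result == "pass" and aligned(header_from, spf_domain, tags["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(header_from, dkim_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass"
    policy = tags["p"] if header_from.lower() == record_domain.lower() else tags["sp"]
    # pct= samples failing mail; a message not selected gets the next less strict policy.
    if policy != "none" and rng() * 100 >= int(tags["pct"]):
        policy = "quarantine" if policy == "reject" else "none"
    return policy


if __name__ == "__main__":
    # A classic spoof: the attacker's own domain passes SPF and DKIM, but neither
    # aligns with the forged From: example.com, so the message fails DMARC.
    for name, record in RECORDS.items():
        print(name, "->", dmarc_disposition(
            record, "example.com", "example.com",
            "pass", "attacker.example.net", "pass", "attacker.example.net"))
```

Run it and the spoofed message comes out as none, quarantine and reject respectively, while a message from mail.example.com that passes SPF comes out as pass under every policy because relaxed alignment accepts the subdomain.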

Monitoring and Optimization

Understanding DMARC reports is crucial for maintaining a secure and efficient email authentication system. Receivers send two kinds: aggregate reports, delivered to the address in your rua= tag, which summarize per sending IP how much mail used your domain and whether it passed SPF and DKIM with alignment; and failure reports (ruf=), which many large receivers no longer send. Regular analysis of the aggregate reports lets you separate three things: mail from your own servers and vendors that passes, legitimate senders you forgot about that fail alignment, and unauthorized sources that fail everything.

This ongoing evaluation allows you to make informed adjustments to your DNS records and sending services, such as adding a platform’s servers to your SPF record or having it DKIM-sign with your domain, so that all legitimate mail aligns before you tighten the policy.

It’s important to remember that DMARC is not a one-time setup: new sending services get added, IP ranges change and DKIM keys are rotated, so continuous monitoring and policy iteration are essential to adapting to new threats and maintaining a strong email defense strategy.
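As an added example of what analyzing the reports looks like in practice (not code from this article or from 101domain), the Python below parses an aggregate report in the RFC 7489 XML format and sorts each sending IP into the three categories described above. The report is a constructed sample with documentation IP addresses and made-up domains, not a real report, and the function names are assumptions.

```python
"""Summarize a DMARC aggregate (rua) report: which sources fail, and why.

Added example, not code from the original article or from 101domain. The XML is a
constructed sample in the RFC 7489 aggregate-report format, not a real report;
the IPs are documentation addresses and the domains are made up.
"""
import xml.etree.ElementTree as ET

SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>constructed-0001</report_id>
    <date_range><begin>1700000000</begin><end>1700086400</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain><adkim>r</adkim><aspf>r</aspf>
    <p>none</p><sp>none</sp><pct>100</pct>
  </policy_published>
  <!-- your own mail server: SPF and DKIM both pass for the From: domain -->
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <!-- a third-party sending platform: authenticates as its own domain only, so nothing aligns -->
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>35</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>esp.example.net</domain><result>pass</result></dkim>
      <spf><domain>bounce.esp.example.net</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <!-- an unknown source: nothing authenticates at all -->
  <record>
    <row><source_ip>203.0.113.99</source_ip><count>410</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <spf><domain>example.com</domain><result>fail</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def classify(record):
    """Label one <record>: "aligned" (DMARC pass), "unaligned" (something
    authenticated, but not for the From: domain) or "unauthenticated"."""
    evaluated = record.find("row/policy_evaluated")
    if evaluated.findtext("dkim") == "pass" or evaluated.findtext("spf") == "pass":
        return "aligned"
    raw_passes = [a for a in record.find("auth_results") if a.findtext("result") == "pass"]
    return "unaligned" if raw_passes else "unauthenticated"


def summarize_report(xml_text):
    """Aggregate the report per source IP and compute the overall DMARC pass rate."""
    root = ET.fromstring(xml_text)
    published = root.find("policy_published")
    summary = {"domain": published.findtext("domain"), "policy": published.findtext("p"),
               "total": 0, "passed": 0, "sources": {}}
    for record in root.iter("record"):
        count = int(record.findtext("row/count"))
        status = classify(record)
        summary["total"] += count
        summary["passed"] += count if status == "aligned" else 0
        summary["sources"][record.findtext("row/source_ip")] = {
            "count": count, "status": status,
            "auth": [(a.tag, a.findtext("domain"), a.findtext("result"))
                     for a in record.find("auth_results")]}
    summary["pass_rate"] = summary["passed"] / summary["total"] if summary["total"] else 0.0
    return summary


def sources_to_fix(summary):
    """Unaligned sources are usually legitimate senders that need SPF/DKIM set up for
    your domain; fix these before moving to quarantine or reject. Unauthenticated
    sources are what enforcement is meant to block."""
    return [ip for ip, src in summary["sources"].items() if src["status"] == "unaligned"]


if __name__ == "__main__":
    report = summarize_report(SAMPLE_REPORT)
    print("%s (p=%s): %d of %d messages pass DMARC (%.0f%%)" % (
        report["domain"], report["policy"], report["passed"], report["total"],
        100 * report["pass_rate"]))
    for ip, src in report["sources"].items():
        print("  %-14s %5d  %-15s %s" % (ip, src["count"], src["status"], src["auth"]))
    print("fix before tightening:", sources_to_fix(report))
```

In this sample the low pass rate is dominated by the unknown source, which enforcement will stop; the one source actually worth chasing is the third-party platform at 198.51.100.7, which authenticates as its own domain and needs to sign with yours (or be added to your SPF) before you move to ‘p=quarantine’.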


Conclusion

Selecting the right DMARC policy hinges on your organization’s readiness and risk profile. By starting with data collection and progressively implementing stricter policies, you build a robust line of defense against email threats, safeguarding your brand integrity.

Need Help With Your DMARC Setup?

Learn more about 101domain’s Managed DMARC Services and let us do the heavy lifting for you. We handle policy setup, monitoring, and reporting so you can rest easy knowing your emails are secure.