In 2018, the U.S. federal government mandated that all agencies must implement DMARC policies by October 2018. However, only just over half of the agencies enforced DMARC policies.
So why does the government stress implementing DMARC policies?
A DMARC policy tells email receivers and Internet Service Providers that have adopted DMARC which procedure to follow when an email fails the DMARC check. These policies help protect your email domain from email spoofing.
These policies also give insight, through reports, into what is being sent from your domain and how receiving hosts are treating that email. There are three main DMARC policies: None, Quarantine, and Reject. If the policy is set as:
p = none
The mailbox provider takes no action on emails from your email domain that fail DMARC. The email simply goes into the inbox of the receiver. The domain owner can use the data in the DMARC reports to learn who is sending emails on behalf of their domain.
Once the domain owner thoroughly analyses these reports, they can set the policy to ‘Quarantine’. Setting DMARC policy at p=none provides protection equivalent to an email domain without a DMARC record.
p = quarantine
With QUARANTINE, email receivers are instructed to scrutinize emails that have failed the DMARC check. How quarantine is applied depends on the individual receiver. This may include:
Email is sent to the spam folder: If the email receiver hosts the recipient’s mailbox, the receiver can deliver non-compliant emails into the recipient’s spam folder.
Quarantining the email: An email receiver can quarantine emails that have failed DMARC to perform a detailed analysis of them. Once an email has been analyzed, it can be removed from quarantine.
p = reject
The strictest policy is REJECT, where email receivers are instructed to reject all emails that fail the DMARC check. The rejected emails bounce back and are not delivered to the receiver.
Setting the ‘reject’ policy is important for securing your email domain, but it will also block emails that are sent from your domain if you forget to whitelist them.
With the help of policies set in DMARC records, domain owners can keep track of all the emails that have been sent from their domain. It ensures that a genuine email is being properly authenticated against an established set of standards. The record also blocks fraudulent activities that appear to be coming from domains that are under the organization’s control.
Without DMARC policies, Internet Service Providers receive too many emails. In the absence of a DMARC policy, ISPs have to make delivery decisions themselves. Lack of email authentication harms email deliverability.
These emails are also blocked by ISPs. Third-party DKIM signatures or mismatched ‘MAIL FROM’ and ‘From:’ headers can cause many email deliverability problems.
Email services do not reject all emails that fail DMARC. However, signing emails with your own keys, aligning headers, and setting the DMARC policy of your email domain will ensure that your emails are successfully delivered, effectively enhancing email deliverability.
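The alignment and policy behaviour described above, as an added example that is not part of the original article: a simplified Python evaluator that parses a DMARC record and returns the disposition the domain owner requests. The function names and sample domains are constructed, and the organizational domain is approximated by the last two labels (real receivers use the Public Suffix List).

```python
# Added example, not from the original article: simplified DMARC evaluation.
# Assumption: organizational domain = last two labels. Real receivers use the
# Public Suffix List, so this shortcut is wrong for suffixes such as co.uk.

def parse_dmarc(txt):
    """Parse a DMARC TXT record into a tag dict, validating v= and p=."""
    pairs = [part.split("=", 1) for part in txt.split(";") if "=" in part]
    tags = [(k.strip().lower(), v.strip()) for k, v in pairs]
    if not tags or tags[0] != ("v", "DMARC1"):
        raise ValueError("not a DMARC record: v=DMARC1 must be the first tag")
    rec = dict(tags)
    rec["p"] = rec.get("p", "").lower()
    if rec["p"] not in ("none", "quarantine", "reject"):
        raise ValueError("missing or invalid p= tag")
    return rec

def org_domain(domain):
    """Approximate the organizational domain (see assumption above)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """mode 's' = strict (exact match), 'r' = relaxed (same org domain)."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def dmarc_disposition(record, from_domain, spf_pass, mail_from, dkim_pass, dkim_d):
    """Return 'pass', or the policy (none/quarantine/reject) requested on failure."""
    rec = parse_dmarc(record)
    spf_ok = spf_pass and aligned(from_domain, mail_from, rec.get("aspf", "r"))
    dkim_ok = dkim_pass and aligned(from_domain, dkim_d, rec.get("adkim", "r"))
    return "pass" if (spf_ok or dkim_ok) else rec["p"]

if __name__ == "__main__":
    # Constructed samples: From: is example.com, mail is relayed by a third party.
    record = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
    # SPF and DKIM both pass, but only for the third party's own domain.
    print(dmarc_disposition(record, "example.com", True, "bounce.example.net", True, "example.net"))
    # Same message signed with the domain owner's key (d=mail.example.com).
    print(dmarc_disposition(record, "example.com", True, "bounce.example.net", True, "mail.example.com"))
```

The returned value is what the domain owner requests; as the article notes, receivers decide how to act on it.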
With the DMARC record generator and analyzer tool TDMARC, DMARC policies can be properly aligned as per the requirement of an email domain.