When setting a DMARC policy for a domain, we recommend the following:
- Start from no enforcement or limited enforcement, then gradually move to full enforcement.
- Though no enforcement and limited enforcement allow spoofed emails to be delivered and do not result in a GOOD finding grade, they let you confirm that the defined policy is not preventing legitimate emails from being delivered. Learn how DMARC findings are graded.
- Use the rua and ruf DMARC tags for reporting during the initial stages so you can verify the effectiveness of the policy. Reporting is not mandatory for an effective policy or for a GOOD finding grade.
No Enforcement
To avoid inadvertently blocking legitimate email in the initial rollout, use a passthrough policy (p=none) and configure reporting (rua=mailto:example@company.com). This lets you monitor authentication statistics without acting on authentication failures.
Grading
Since no enforcement takes no action on authentication failures and does not protect against spoofing, it is graded BAD.
Example
v=DMARC1; p=none; rua=mailto:example@company.com
Limited Enforcement
Use an active DMARC policy (p=quarantine or p=reject) and have it act on only a subset of the emails that fail DMARC for the domain (for example pct=10).
Grading
Under p=quarantine the selected emails are not discarded; they are delivered to a spam or junk folder or are otherwise marked to indicate the authentication failure to the recipient. Because the pct tag specifies a value below 100, the failing emails that are not selected are handled with the next less strict policy (quarantine for p=reject, none for p=quarantine, per RFC 7489 section 6.6.4), so some confirmed fraudulent emails can still be delivered.
- The best grade when using a pct value below 100 is FAIR.
- The best grade when using pct≤50 is WARN.
Example
The following record tells mail servers to apply the quarantine policy to 10% of all emails that fail DMARC.
v=DMARC1; p=quarantine; pct=10; rua=mailto:example@company.com
Full Enforcement
While reporting is essential for the passthrough policy (p=none), it is optional for active policies.
Grading
For DMARC records to be graded GOOD:
- An active policy must be used (p=reject or p=quarantine) and the policy must act on all authentication failures (pct=100, which is also the default when the pct tag is omitted).
- Any third-party reporting domains must be associated with a valid authorization record.
Examples
In the following record examples, the no reporting and self-reporting records are graded GOOD. The third-party reporting record is graded GOOD as long as thirdparty.com authorizes company.com by way of an authorization record: a TXT record at company.com._report._dmarc.thirdparty.com whose value is v=DMARC1; (RFC 7489 section 7.1).
no reporting:
v=DMARC1; p=quarantine
self-reporting:
v=DMARC1; p=reject; rua=mailto:example@company.com
third-party reporting:
v=DMARC1; p=reject; rua=mailto:example@thirdparty.com
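The grading rules described on this page, applied by a small parser, as an added example (this is not the grading tool's own code). It parses a DMARC TXT record, derives the grade ceiling from the p and pct tags, and checks whether each rua/ruf domain other than the policy domain is covered by an authorization record. DNS is not consulted: the caller passes the set of authorization record names assumed to exist with the value v=DMARC1;. Two points are this example's own assumptions, not statements from the page: an unauthorized third-party reporting domain is capped at FAIR (the page only says it is not GOOD), and any reporting domain other than the policy domain itself is treated as third-party (RFC 7489 also treats the same Organizational Domain as internal).

```python
"""Grade a DMARC record with the rules stated on this page (added example)."""

GRADE_ORDER = {"BAD": 0, "WARN": 1, "FAIR": 2, "GOOD": 3}


def parse_dmarc(txt):
    """Split 'tag=value; tag=value; ...' into a dict of lower-cased tag names.

    RFC 7489 section 6.3 requires the record to start with v=DMARC1; anything
    else is rejected here rather than graded.
    """
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        name, value = part.split("=", 1)
        tags[name.strip().lower()] = value.strip()
    if not tags or next(iter(tags)) != "v" or tags["v"] != "DMARC1":
        raise ValueError("record must begin with v=DMARC1")
    return tags


def report_domains(tags, tag):
    """Domains named by the mailto: URIs in the rua or ruf tag.

    The tag value is a comma-separated URI list; each mailto: address may
    carry an optional "!size" suffix (RFC 7489 section 6.2), which is dropped.
    """
    domains = []
    for uri in tags.get(tag, "").split(","):
        uri = uri.strip()
        if not uri.lower().startswith("mailto:"):
            continue
        address = uri[len("mailto:"):].split("!", 1)[0]
        domains.append(address.rsplit("@", 1)[-1].lower())
    return domains


def authorization_record_name(policy_domain, report_domain):
    """Name of the TXT record a third-party report receiver must publish.

    RFC 7489 section 7.1: <policy-domain>._report._dmarc.<report-domain>,
    containing at least "v=DMARC1;".
    """
    return f"{policy_domain.lower()}._report._dmarc.{report_domain.lower()}"


def grade(record_txt, policy_domain, authorized_names=frozenset()):
    """Return (grade, reasons) for record_txt as published by policy_domain.

    authorized_names stands in for DNS (assumption): the authorization record
    names, as built by authorization_record_name, that resolve to "v=DMARC1;".
    """
    tags = parse_dmarc(record_txt)
    reasons = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return "BAD", [f"missing or unknown p tag: {policy!r}"]
    if policy == "none":
        # No enforcement: failing (spoofed) mail is delivered normally.
        return "BAD", ["p=none does not act on authentication failures"]

    grade_name = "GOOD"
    try:
        pct = int(tags.get("pct", "100"))  # pct defaults to 100 when absent
    except ValueError:
        return "BAD", [f"pct is not an integer: {tags['pct']!r}"]
    if not 0 <= pct <= 100:
        return "BAD", [f"pct out of range: {pct}"]
    if pct < 100:
        # Limited enforcement: unselected failures get the next less strict
        # policy (reject -> quarantine, quarantine -> none), RFC 7489 6.6.4.
        grade_name = "WARN" if pct <= 50 else "FAIR"
        fallback = "quarantine" if policy == "reject" else "none"
        reasons.append(f"pct={pct}: the other {100 - pct}% of failures get p={fallback}")

    policy_domain = policy_domain.lower()
    for tag in ("rua", "ruf"):
        for domain in report_domains(tags, tag):
            if domain == policy_domain:
                continue  # self-reporting needs no authorization record
            name = authorization_record_name(policy_domain, domain)
            if name not in authorized_names:
                # Not GOOD per the page; capping at FAIR is this example's assumption.
                grade_name = min(grade_name, "FAIR", key=GRADE_ORDER.get)
                reasons.append(f'{tag} points at {domain} without TXT {name} "v=DMARC1;"')
    return grade_name, reasons


if __name__ == "__main__":
    # The records from this page, graded for the policy domain company.com.
    for rec in ("v=DMARC1; p=none; rua=mailto:example@company.com",
                "v=DMARC1; p=quarantine; pct=10; rua=mailto:example@company.com",
                "v=DMARC1; p=quarantine",
                "v=DMARC1; p=reject; rua=mailto:example@thirdparty.com"):
        print(rec, "->", grade(rec, "company.com"))
```

To use it against live DNS, look up the TXT record at each name returned by authorization_record_name and add it to authorized_names when its value is v=DMARC1; (a trailing semicolon and further tags are permitted).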