Skip to main content
Security Performance Management
Continuous Monitoring
Vendor Risk Management
Trust Management Hub
Cyber Insurance
National Cybersecurity

Setting a DMARC Policy

Ingrid

⇤ DMARC

This risk vector is non-graded. It is assigned an N/A grade.

When setting a DMARC policy for a domain, we recommend the following:

  • Start from no enforcement or limited enforcement and then gradually going into full enforcement.
  • Though no enforcement and limited enforcement allow for the delivery of spoofed emails and does not result in a GOOD finding grade, they can still ensure that the defined policy is not preventing legitimate emails from being delivered. Learn how DMARC findings are graded.
  • Use the rua and ruf DMARC tags for reporting during initial stages to allow for verifying the effectiveness of the policy. However, reporting is not mandatory for an effective policy and for a GOOD finding grade.

No Enforcement

To avoid inadvertently blocking legitimate email in the initial rollout, use a passthrough policy (p=none) and configure reporting (rua=mailto:example@company.com). This allows for the monitoring of authentication statistics without actually acting upon authentication failures.

Grading

Since no enforcement is ineffective and does not protect against spoofing, it is graded BAD.

Example

v=DMARC1; p=none; rua=mailto:example@company.com

Limited Enforcement

Use an active DMARC policy (p=quarantine or p=reject) and have it act on only a subset of illegitimate emails from the domain (pct=10).

Grading

While not discarded, such emails are forwarded to a spam or junk folder or are otherwise marked to indicate the authentication failure to the recipient. However, some confirmed fraudulent emails can end up being delivered since the pct tag specifies a value less than 100.

  • The best grade when using a non-maximum pct value is FAIR.
  • The best grade when using pct≤50 is WARN.

Example

The following record tells mail servers to apply the quarantine policy to 10% of all emails that fail DMARC.

v=DMARC1; p=quarantine; pct=10; rua=mailto:example@company.com

Full Enforcement

While reporting is essential for the passthrough policy (p=none), it is optional for active policies.

Grading

For DMARC records to be graded GOOD:

  • An active policy must be used (p=reject or p=quarantine) and the policy must act on all authentication failures (pct=100).
  • Any existing third-party reporting domains must be associated with a valid authorization record.

Examples

In the following record examples, the no reporting and self-reporting records are graded as GOOD. The third-party reporting record is graded GOOD as long as thirdparty.com authorizes company.com by way of an authorization record and is set to v=DMARC1;.

no reporting:

v=DMARC1; p=quarantine

self-reporting:

v=DMARC1; p=reject; rua=mailto:example@company.com

third-party reporting:

v=DMARC1; p=reject; rua=mailto:example@thirdparty.com
Was this article helpful?
13 out of 16 found this helpful
Return to top

Related articles

Feedback

0 comments

Please sign in to leave a comment.