In this post, we'll provide a comprehensive guide on DMARC policies, including what they are, how to set them up, the different types of DMARC policies available, and when to use each one.
At its core, a DMARC policy is a way to instruct email receivers on what to do with potentially fraudulent or illegitimate emails. This policy dictates whether the receiver should accept, quarantine, or reject such emails.
There are three types of DMARC policies that you can implement. The first is the Monitor policy, denoted by "p=none". This policy allows unqualified emails to reach the recipient's inbox or other folders without being flagged.
The second policy is the Quarantine policy, denoted by "p=quarantine". This policy instructs email receivers to send unqualified emails to the recipient's junk or spam folder.
The third and most strict policy is the Reject policy, denoted by "p=reject". This policy blocks unqualified emails from reaching the recipient's inbox altogether.
In this guide, we'll walk you through the steps of setting up a DMARC policy, explain the different policies in detail, and help you diagnose and fix any issues that may arise. With this information, you can ensure that your emails are delivered safely and securely to your intended recipients.
DMARC is a vital email authentication protocol that helps prevent fraudsters from spoofing your domain. It works in tandem with other protocols such as SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) to verify the authenticity of an email.
The primary function of DMARC is to help email receiver systems identify unauthorized emails that aren't coming from an approved domain. It achieves this by providing receiver systems with clear instructions on what to do with such emails.
These instructions, also known as policies, are published in the DNS of the domain in question as a TXT record. By implementing DMARC policies, you can help safeguard your domain and ensure that your emails are delivered securely to your intended recipients.
If you haven't set up a DMARC policy yet, don't worry. You can generate your DMARC record or follow our step-by-step DMARC setup guide below. However, please keep in mind that you'll need to have SPF and/or DKIM already deployed for at least 48 hours before setting up DMARC.
On the other hand, if you already have a DMARC record in place and want to make changes to your policy, all you need to do is edit it in your DNS. You can check your DMARC record to see what policy
is currently active. Your DMARC record in your DNS should look something like this: V=DMARC1; p=reject; rua=mailto:dmarc-feedback@
In the example above, the policy is set to "p=reject". This means that any unauthorized emails will be blocked from reaching the recipient's inbox altogether. With a DMARC policy in place, you can be confident that your email domain is secure and that your emails are delivered safely to your recipients.
In the example above, the policy is set to "p=reject". This means that any unauthorized emails will be blocked from reaching the recipient's inbox altogether. With a DMARC policy in place, you can be confident that your email domain is secure and that your emails are delivered safely to your recipients.
There are three DMARC policy options to choose from:
However, it can be challenging to decide which policy to implement. Many people are tempted to go straight to “p=reject” to ensure that no spam emails reach their recipients. However, using the “reject” policy blocks everything that DMARC doesn't recognize, which can include legitimate emails that have not been whitelisted. This is why it's crucial to whitelist every email-sending service before implementing the "p=reject" policy.
To ensure a smooth DMARC implementation, it's recommended to start with the “p=none” policy, which is also known as the “monitor” policy. This policy instructs the email provider to take no action if an email fails DMARC. Instead, it begins monitoring emails sent from your domain and sending you reports. This will help you identify which sources are authentic, and which ones may not be, without affecting deliverability.
After monitoring your emails, you can move up to the “p=quarantine” policy, which moves suspicious emails to the recipient's spam or junk folder instead of their inbox. This option means that the suspicious emails are still delivered, but they are routed to the spam folder.
Once you have whitelisted all of your email-sending services and are confident that only legitimate emails are being sent, you can escalate to the “p=reject” policy, which blocks any unauthorized emails from reaching your recipient's inbox. However, it's essential to be cautious while implementing this policy because if any legitimate emails are not whitelisted, they will also be blocked.
When whitelisting your email-sending services, be sure to include your corporate email system (e.g. Office 365, Microsoft Exchange, or Google Workspace), email marketing platforms, marketing automation platforms, sales/CRM platforms, customer support platforms, HR and other employee SaaS platforms, and anything else that sends emails.
In summary, while implementing DMARC policies, it's essential to take a cautious approach and begin with the "p=none" policy before escalating to "p=quarantine" and "p=reject". By doing so, you'll have a better understanding of your email flow and ensure that only legitimate emails are delivered to your recipients.
To set up DMARC correctly, you should have SPF and DKIM authenticated messages for at least 48 hours. Once you have done that, you can follow these DMARC setup steps to add DMARC to your DNS.
Step 1: Create a DMARC Record
Simply use the tool to create a TXT record that looks something like this example: V=DMARC1; p=none; rua=mailto:dmarc-feedback@yourdomain.com. This record tells receiver systems to generate and send aggregate feedback to "dmarc-feedback@yourdomain.com". The p=none tag indicates that you are only interested in collecting feedback, but you can also use p=quarantine or p=reject tags for emails that fail authentication.
Step 2: Add a DNS TXT Record
Log in to the management console of your DNS hosting provider and locate the page that allows you to add a DNS TXT record. The steps to do this can vary by provider.
Step 3: Select TXT Record Type
In the Type box, select "TXT Record Type".
Step 4: Enter "_dmarc" as the Host Value
In the Host Value box, enter "_dmarc" as the "host".
Step 5: Enter the DMARC Record in the TXT Value Box
In the TXT Value box, enter the DMARC record you created using the DMARC Record Creator.
Step 6: Save the DMARC Record
Save the DMARC record.
Step 7: Validate the DMARC Setup
To reduce the number of false positives, there are several essential steps you can take if legitimate internal emails are being marked as unqualified by DMARC. First and foremost, it is crucial to set up DMARC records to work in conjunction with both SPF and DKIM. Using both of these protocols can help resolve most DMARC issues. Additionally, you should authorize services that send legitimate emails on your behalf, including third-party senders and services that facilitate calendar invites.
However, if fraudulent emails that spoof your domains are still getting through to employee inboxes, the same essentials hold true. Failure to implement DMARC to work with both SPF and DKIM is likely to increase your false negative rate. If you have set up DMARC to leverage both SPF and DKIM and are still experiencing a high false negative rate, use our DMARC record generator to ensure the DMARC record has been set up correctly. Also, check the established enforcement level. For example, if a DMARC policy is set to "p=none," spoofed emails will be delivered without scrutiny.
It's also advisable to refrain from using an “sp” tag in your DMARC record. This tag applies the same policy from a top-level domain to all those below it. If the top-level domain is set to "p=none," "p=quarantine," or "p=reject," the same will be true of all domains below it. This increases the likelihood of false positives and false negatives depending on the settings. It's best to implement DMARC separately for each individual domain.
It's essential to note that while major email providers like Gmail and Outlook support DMARC, not all receiving servers perform a DMARC check. In some cases, the receiving server may override a DMARC check and instead implement its local policy.
A Guide to Analyzing and Interpreting DMARC Reports
After you've published your DMARC record, receiving ISPs will send you daily DMARC reports containing valuable information about the authentication status of emails sent on behalf of your domain. These reports can help you identify domains used to send unauthorized emails, the sending IP, the number of emails sent on a specific date, the authentication result for SPF and DKIM, and the DMARC result, among other data points.
No matter which policy you choose, you will receive DMARC reports that include:
"p=none": This policy sends DMARC authentication results to the email address specified in your DMARC record. You will also see the email source and possibly the IP address.
"p=quarantine": In addition to the data included in the "p=none" report, this policy quarantines emails that fail DMARC authentication in a spam or similar folder.
"p=reject": This policy prevents emails that fail DMARC authentication from landing in the inbox. Some mailbox providers may also include detailed forensic reports for failed emails.
However, DMARC reports are delivered in XML format and may be difficult to interpret manually. To make the most of these reports, it's recommended that you use a DMARC report aggregator and analyzer to help you understand and analyze the data. These reports will help you diagnose which fraudulent emails haven't been blocked and which legitimate emails were blocked, enabling you to fine-tune your DMARC settings and improve your email authentication.
Keywords: DMARC, Email, email deliverability
