2017/07/13 by Willem Stam.
Choosing the right DMARC policy
Publishing DMARC records is more popular than ever, even among organisations whose domains are not in sensitive, abuse-prone fields such as finance. Have you thought about the policy that underpins your objectives for DMARC? Do you even have clear objectives for DMARC?
DMARC defines three policies (the p tag of the record): none, quarantine and reject. Know the risks and the impact of each of them before deciding which one to publish.
It is always advisable to start with the none policy (p=none) when first setting up DMARC. This policy does not affect delivery and does not protect you against others abusing your domain. Its purpose is to gather information on the use, and abuse, of your From header domain through the aggregate reports that receiving providers send automatically to the address in the rua tag. That makes p=none the right tool for building an inventory of the hosts that legitimately send with your domain and for checking the alignment and authentication results of each of them.
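The inventory described above comes out of the aggregate (rua) reports. The following is an added example, not code from the original post: it parses a constructed aggregate report in the XML format of RFC 7489 Appendix C and sorts every sending host into one of three buckets. The domains, IP addresses and counts in the sample are made up; the classification rule (aligned, authenticated but not aligned, unauthenticated) is the one a practitioner applies before tightening the policy, because the middle bucket is exactly the legitimate mail that a quarantine or reject policy would start hurting.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample of a DMARC aggregate report (RFC 7489 Appendix C layout).
# All names, addresses and counts are invented for this example.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
 <report_metadata><org_name>receiver.example.net</org_name><report_id>42</report_id>
  <date_range><begin>1499904000</begin><end>1499990400</end></date_range></report_metadata>
 <policy_published><domain>example.com</domain><adkim>r</adkim><aspf>r</aspf>
  <p>none</p><pct>100</pct></policy_published>
 <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
   <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results><dkim><domain>example.com</domain><result>pass</result><selector>mail</selector></dkim>
   <spf><domain>example.com</domain><result>pass</result></spf></auth_results></record>
 <record><row><source_ip>198.51.100.7</source_ip><count>15</count>
   <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results><dkim><domain>newsletter-saas.example</domain><result>pass</result><selector>k1</selector></dkim>
   <spf><domain>bounce.newsletter-saas.example</domain><result>pass</result></spf></auth_results></record>
 <record><row><source_ip>203.0.113.200</source_ip><count>40</count>
   <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results><spf><domain>example.com</domain><result>fail</result></spf></auth_results></record>
</feedback>
"""


def parse_aggregate_report(xml_text):
    """Return (published_policy, per-source rows) for one aggregate report.

    Reports arrive by email from arbitrary receivers, so in production parse
    them with a hardened XML parser (for example defusedxml) instead of the
    plain stdlib ElementTree used here for brevity.
    """
    root = ET.fromstring(xml_text)
    pub = root.find("policy_published")
    policy = {
        "domain": pub.findtext("domain"),
        "p": pub.findtext("p"),
        "adkim": pub.findtext("adkim", "r"),
        "aspf": pub.findtext("aspf", "r"),
        "pct": int(pub.findtext("pct", "100")),
    }
    rows = []
    for rec in root.findall("record"):
        row = rec.find("row")
        pe = row.find("policy_evaluated")
        # policy_evaluated/dkim and /spf are the *aligned* results: "pass" only
        # when the check passed AND its domain aligns with the From header domain.
        aligned = pe.findtext("dkim") == "pass" or pe.findtext("spf") == "pass"
        auth = rec.find("auth_results")
        raw_pass = [
            (a.tag, a.findtext("domain"))
            for a in (auth if auth is not None else [])
            if a.findtext("result") == "pass"
        ]
        if aligned:
            kind = "aligned"
        elif raw_pass:
            kind = "authenticated-unaligned"  # legit service signing with its own domain
        else:
            kind = "unauthenticated"  # nothing passes: likely spoofing or a forgotten host
        rows.append({
            "source_ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "header_from": rec.find("identifiers").findtext("header_from"),
            "disposition": pe.findtext("disposition"),
            "kind": kind,
            "raw_pass": raw_pass,
        })
    return policy, rows


def summarize(rows):
    """Message totals per classification: the inventory that p=none is for."""
    totals = defaultdict(int)
    for r in rows:
        totals[r["kind"]] += r["count"]
    return dict(totals)


def sources_at_risk(rows):
    """Hosts that send with our From domain and authenticate, but do not align.
    These are the false positives a quarantine or reject policy would hit."""
    return [r["source_ip"] for r in rows if r["kind"] == "authenticated-unaligned"]


if __name__ == "__main__":
    policy, rows = parse_aggregate_report(SAMPLE_REPORT)
    print("published policy:", policy)
    print("totals:", summarize(rows))
    print("fix alignment before tightening p= for:", sources_at_risk(rows))
```

In the sample, 198.51.100.7 is a third-party mailer that signs and passes SPF under its own domain; it is legitimate, but under quarantine or reject its mail would be junked or dropped until it signs with a d= aligned to example.com or sends from an aligned envelope domain.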
Once the inventory is clean, the next logical step is the quarantine policy. This policy asks the receiving provider to deliver the email to the junk folder if the DMARC check fails. Note that we write asks. People often assume that the policy is binding; it isn't. In most cases the provider will follow it, but it can override the policy when it has reason to, for example when Google has evidence that a failing message is a false positive and delivers it anyway. A quarantine policy gives some protection, but a phishing message that fails DMARC still reaches the recipient's junk folder. On the other hand, quarantine should ensure that legitimate emails which fail the check (a mis-configured or forgotten sender) at least reach the recipient, even if it is in the junk folder.
The reject policy is the strictest of the three. If an email does not pass the DMARC check, the receiving provider is asked to reject it outright; the recipient never sees it, not even in the junk folder. A false positive, a legitimate message that fails DMARC because its sender is not authenticated and aligned, is rejected just the same. This means that senders will lose a certain percentage of legitimate emails that never reach the intended recipient.
Ultimately, most people set the DMARC policy to reject. But after reading about the risks and the impact of each policy, is this really what you want?
A reject policy has consequences: there are almost always some false positives, so some legitimate email will be blocked. The choice between quarantine and reject therefore comes down to a trade-off: making sure legitimate email always gets through versus making sure recipients never receive spoofed messages.
Match your policy with your business profile
In conclusion, the risks and the nature of the company's business determine which policy it should choose. Financial institutions should carefully progress towards a reject policy, while companies whose brands are a low-risk target are advised to reconsider and stay with the quarantine policy. These companies still benefit from DMARC, because alignment is what matters: if their From header domain aligns with the envelope sender domain that passes SPF, or with the DKIM signing domain (d=), their mail already passes DMARC and they have moved up a notch in deliverability.
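To make the policy discussion above and the alignment rule in this conclusion concrete, here is an added example that is not part of the original post. It parses a DMARC TXT record, applies DMARC identifier alignment (relaxed or strict, per the aspf and adkim tags) to the SPF and DKIM results of a message, and returns the disposition the record asks the receiver for, including the pct sampling rule from RFC 7489. The records and message details are constructed for the example; the organisational-domain helper is a two-label approximation (a real receiver uses the Public Suffix List), and the returned disposition is what the sender requests, which a receiver may still override as the post explains.

```python
import random


def parse_dmarc_record(txt):
    """Parse a DMARC TXT record ('v=DMARC1; p=quarantine; ...') into a dict,
    filling in the RFC 7489 defaults for tags that are absent."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record: v=DMARC1 and p= are required")
    tags.setdefault("adkim", "r")   # DKIM alignment mode, relaxed by default
    tags.setdefault("aspf", "r")    # SPF alignment mode, relaxed by default
    tags.setdefault("pct", "100")   # share of failing mail the policy applies to
    tags.setdefault("sp", tags["p"])  # subdomain policy falls back to p
    return tags


def org_domain(domain):
    """Assumption for this example: the organisational domain is the last two
    labels. Real implementations consult the Public Suffix List (co.uk etc.)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(header_from, auth_domain, mode):
    """DMARC identifier alignment: strict needs an exact match, relaxed needs
    the same organisational domain."""
    header_from, auth_domain = header_from.lower(), auth_domain.lower()
    if mode == "s":
        return header_from == auth_domain
    return org_domain(header_from) == org_domain(auth_domain)


def evaluate(record, header_from, spf_result, spf_domain, dkim_result, dkim_domain,
             sample=None):
    """Return (dmarc_pass, requested_disposition) for one message.

    spf_domain is the RFC5321.MailFrom (envelope sender) domain that SPF was
    checked against; dkim_domain is the d= of a verified signature (None if no
    signature). DMARC passes when EITHER check passes with an aligned domain.
    """
    spf_ok = bool(spf_result == "pass" and spf_domain
                  and aligned(header_from, spf_domain, record["aspf"]))
    dkim_ok = bool(dkim_result == "pass" and dkim_domain
                   and aligned(header_from, dkim_domain, record["adkim"]))
    if spf_ok or dkim_ok:
        return True, "none"
    policy = record["p"]
    # pct=N: apply the requested action to N% of failing mail; the remainder
    # gets the next-lower action (reject -> quarantine, quarantine -> none).
    roll = sample if sample is not None else random.randint(1, 100)
    if roll > int(record["pct"]):
        policy = {"reject": "quarantine", "quarantine": "none"}.get(policy, "none")
    return False, policy


if __name__ == "__main__":
    reject = parse_dmarc_record("v=DMARC1; p=reject; rua=mailto:dmarc@example.com")
    # Own mail: SPF passes for the bounce subdomain, relaxed alignment accepts it.
    print(evaluate(reject, "example.com", "pass", "bounce.example.com", "none", None))
    # Third-party mailer authenticates under its own domain: a false positive
    # that p=reject drops outright and p=quarantine would only junk.
    print(evaluate(reject, "example.com", "pass", "newsletter-saas.example",
                   "pass", "newsletter-saas.example"))
    # Plain spoof: nothing passes.
    print(evaluate(reject, "example.com", "fail", "example.com", "none", None))
```

The second call in the usage block is the situation the post warns about: the message is genuine and fully authenticated, but because neither authenticated domain aligns with the From header domain it fails DMARC, and the published policy decides whether it lands in junk or is never delivered.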