DNS, Email authentication

How to choose the right DMARC Policy to protect your email channel

With almost 5 billion email accounts worldwide, there’s no channel with a wider reach than email. That reach makes the channel attractive to cyber criminals for malicious purposes. Despite the better security measures taken to protect this channel in recent years, crime on it is increasing year by year. 95% of all hacking attacks and data breaches involve email.

Previously, only DKIM and SPF could be used to authenticate email and prevent phishing & spoofing. However, these email authentication techniques can be bypassed. This is why the email validation system DMARC was created. DMARC leverages the existing authentication techniques SPF and DKIM. With the help of DMARC, domain and brand owners gain insight into the emails sent on their behalf, both legitimate and malicious. Once all legitimate sending sources have been set up with the right authentication (DMARC compliant), an organization can block all other sources and gain insight into attacks carried out on behalf of its domains.

What is a DMARC policy?

When deploying DMARC, a DMARC record needs to be generated. This DMARC record includes a DMARC policy. A DMARC policy tells email receivers like Microsoft (Hotmail, Live, Outlook etc.), Gmail, Yahoo! and other Internet Service Providers that have adopted DMARC how to handle email that fails the DMARC check. In other words: a DMARC policy influences the way email is handled.


How to choose the right DMARC Policy?
There are three DMARC policies that can be included in your DMARC record. Depending on the DMARC policy, emails that fail the DMARC check will be handled differently. The three policies to choose from are: p=none, p=quarantine or p=reject.

  1. Monitor policy p=none

    With the DMARC policy none, Internet Service Providers that have adopted DMARC will not do anything with email that fails the DMARC check. The email simply goes into the inbox or folder of the receiver. This DMARC policy can be used to start monitoring who is sending emails on behalf of a domain. Once a p=none DMARC policy is published, Internet Service Providers that have adopted DMARC will start sending raw XML DMARC reports. DMARC analyzing tools like DMARC Analyzer convert these XML files into readable overviews.

  2. Quarantine policy p=quarantine

    With the DMARC policy quarantine, Internet Service Providers that have adopted DMARC will put emails that fail the DMARC check in a special ‘quarantine’ folder, e.g. the junk or spam folder. The p=quarantine DMARC policy influences the way email is handled, but failing emails will still arrive.

  3. Reject policy p=reject

    With the DMARC reject policy, Internet Service Providers that have adopted DMARC will reject all emails that fail the DMARC check. All these emails will bounce and will not end up in any inbox folder of the receiver. The p=reject DMARC policy makes sure that emails that fail the DMARC check will not arrive. Be aware that everything should be in place beforehand, otherwise legitimate email might be blocked.

Tip: Enforce the DMARC policy in small steps

Besides the option to choose a DMARC policy, there is the possibility to choose a policy percentage. The pct tag instructs ISPs to apply the DMARC policy to only X percent of the emails that fail the DMARC check. pct=50 tells receivers to apply the ‘p=’ policy to only 50% of the emails that fail the DMARC check. NOTE: this has no effect with the ‘none’ policy; it only applies to the ‘quarantine’ and ‘reject’ policies.

Enforcing the policy in small steps allows organizations to evaluate the impact of the enforced policy. This way it can be determined whether the enforcement results in a loss of legitimate email. Since the enforcement will only impact X percent of all failing emails, it will not result in a large loss of legitimate email when the setup is done incorrectly.

A DMARC deployment project always starts with the DMARC policy none (monitoring only). After publishing your p=none policy, DMARC reports will start coming in. With these DMARC reports, organizations can start improving the alignment of all legitimate email sources.

After aligning all legitimate email sources, organizations can slowly move towards enforcing the DMARC policy quarantine. We recommend rolling out in small steps of 5%, 10%, 25%, 50% and finally 100%. Once at 100% quarantine, repeat the previous steps with the p=reject DMARC policy. As soon as the 100% reject policy has been published, DMARC has been fully deployed. From that point on all emails that fail the DMARC check will be rejected, and the domain is fully secured against phishing & spoofing attacks.
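The following Python is an added example, not code from the original article or from DMARC Analyzer. It parses a DMARC TXT record, shows how a receiver combines p= with pct= (including the RFC 7489 §6.6.4 rule that failing mail outside the pct sample gets the next weaker policy), and lists the records to publish for the staged rollout described above; the rua address is a placeholder.

```python
# Staged enforcement from the article: quarantine at 5/10/25/50/100 %, then reject the same way.
ROLLOUT_STEPS = [("quarantine", p) for p in (5, 10, 25, 50, 100)] + \
                [("reject", p) for p in (5, 10, 25, 50, 100)]


def parse_dmarc_record(txt):
    """Split a DMARC TXT record into a tag dict and validate the tags the article discusses."""
    if not txt.strip().lower().startswith("v=dmarc1"):
        raise ValueError("record must start with v=DMARC1")
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if part:
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    if tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("p= must be none, quarantine or reject")
    pct = int(tags.get("pct", "100"))  # pct defaults to 100 when absent
    if not 0 <= pct <= 100:
        raise ValueError("pct= must be between 0 and 100")
    tags["pct"] = pct
    return tags


def disposition(tags, dmarc_pass, roll):
    """Disposition a receiver applies to one message.

    `roll` is a value in [0, 100) standing in for the receiver's random sample;
    a message is inside the pct sample when roll < pct. Messages outside the
    sample get the next weaker policy (reject -> quarantine, quarantine -> none).
    """
    if dmarc_pass:
        return "deliver"
    policy = tags["p"]
    if policy == "none":
        return "deliver"  # pct has no effect with p=none, as the article notes
    if roll < tags["pct"]:
        return policy
    return "quarantine" if policy == "reject" else "deliver"


def rollout_records(rua):
    """Records to publish, in order, for the staged rollout: monitor first, then enforce."""
    records = [f"v=DMARC1; p=none; rua=mailto:{rua}"]
    for policy, pct in ROLLOUT_STEPS:
        records.append(f"v=DMARC1; p={policy}; pct={pct}; rua=mailto:{rua}")
    return records
```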