DNS, Email authentication

When to enforce the DMARC policy to reject?

The following article covers when an organization is ready to enforce the DMARC policy. We give comprehensive guidance on how to enforce the DMARC policy and discuss whether it is always desirable to enforce the DMARC policy to reject.

What DMARC policies are available and what impact do they have on email delivery?

Within DMARC there are three different policies: none, quarantine and reject. For further information about these policies and their impact on deliverability, please refer to our article: What is a DMARC policy?

When to enforce the DMARC policy?

Before considering enforcing the DMARC policy, an organization needs insight into its email channel. The ‘none’ (monitor) policy provides that insight and lets organizations start correctly authenticating the sources that send email on their behalf. We always recommend starting with the ‘none’ policy.

When all valid sources have been correctly authenticated and the compliance for these sources is nearly 100%, it is time to enforce the DMARC policy. Since all valid sources have been (nearly 100%) correctly authenticated at that point, this will not result in a loss of legitimate email. We advise enforcing the policy in small steps using the percentage tag (pct) in the DMARC record. For example, begin with a 15% quarantine policy, then increase to a 50% quarantine policy, then move to a 15% reject policy, and finally enforce the DMARC policy to full reject. Taking small steps allows an organization to enforce the DMARC policy while minimizing the risk of impacting the delivery of valid emails.

Is it always desirable to enforce the DMARC policy to reject?

No matter how well an organization authenticates its valid sources, it is nearly impossible to achieve 100% DMARC compliance across all of them. In practice, a very small percentage (<0.1%) of all emails from valid sources still fail the DMARC checks. Depending on the total volume of email an organization sends, this means 1 to 10 000 legitimate emails will be rejected when the policy is enforced to full reject.
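Added example, not code from the original article or from DMARC Analyzer: a small Python helper that renders the staged records from the rollout above, derives the two actions a receiver applies when pct is below 100 (per RFC 7489 section 6.6.4 the sampled share gets p and the rest gets the next weaker policy), and estimates how much legitimate mail the <0.1% failure rate exposes at full reject. The rua address and monthly volume are placeholders.

```python
# Staged rollout described in the article: (policy, pct) per step.
ROLLOUT_STAGES = [("quarantine", 15), ("quarantine", 50), ("reject", 15), ("reject", 100)]

# RFC 7489 s6.6.4: mail outside the pct sample gets the next weaker action.
WEAKER = {"reject": "quarantine", "quarantine": "none", "none": "none"}


def build_record(policy: str, pct: int, rua: str) -> str:
    """Render the DMARC TXT record for one rollout stage."""
    if policy not in WEAKER or not 0 <= pct <= 100:
        raise ValueError("invalid policy or pct")
    tags = ["v=DMARC1", f"p={policy}", f"rua=mailto:{rua}"]
    if pct != 100:  # pct=100 is the default and can be omitted
        tags.append(f"pct={pct}")
    return "; ".join(tags)


def rollout_plan(rua: str) -> list:
    """All four records an organization would publish, in order."""
    return [build_record(p, pct, rua) for p, pct in ROLLOUT_STAGES]


def parse_record(record: str) -> dict:
    """Parse 'tag=value; tag=value' into a dict; pct defaults to 100."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    tags.setdefault("pct", "100")
    return tags


def dispositions(record: str) -> tuple:
    """(action for the sampled pct of failing mail, action for the remainder)."""
    tags = parse_record(record)
    policy, pct = tags["p"], int(tags["pct"])
    return (policy, policy if pct == 100 else WEAKER[policy])


def expected_lost(monthly_volume: int, fail_rate: float = 0.001) -> int:
    """Legitimate messages per month expected to be rejected at full reject,
    using the article's <0.1% residual failure rate as the default."""
    return round(monthly_volume * fail_rate)


if __name__ == "__main__":
    for rec in rollout_plan("dmarc-reports@example.com"):  # placeholder address
        print(rec, "->", dispositions(rec))
    print("expected monthly loss at 1M messages:", expected_lost(1_000_000))
```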

DMARC Analyzer believes it is very important to have a domain fully secured against abuse and accepts that this may cost some legitimate emails. Therefore, DMARC Analyzer typically recommends moving to a full reject policy. The consequences of an email not arriving are less impactful than a malicious email slipping through.

However, there are exceptions. DMARC Analyzer has seen that for some companies the consequences of losing a legitimate email are more detrimental than a malicious email slipping through. Email service providers, for instance, often prefer deliverability over full security. In these cases, DMARC Analyzer recommends enforcing at least a 100% quarantine policy. Incorrectly authenticated legitimate emails will then still land in the receiver's spam folder. In doing so, no legitimate emails will be lost and the impact of malicious emails will be reduced.