What is DMARC Policy? : None, Quarantine & Reject

A DMARC policy essentially enables a domain owner to specify what to do in case an email fails both SPF and DKIM checks (i.e. whether to quarantine or reject it). The DMARC DNS record also specifies how the recipient can report back to the domain owner, in case an email fails authentication.

DMARC Policy Modes: None, Quarantine & Reject

A DMARC policy can be set to none, quarantine, or reject, depending on the level of DMARC enforcement you want to opt for. Here, p is the parameter that specifies DMARC policy: 

A none policy (p=none) is relaxed and provides zero enforcement, as every email that is received by the recipient’s email server lands into their inbox, whether or not they fail authentication.

The quarantine policy (p=quarantine)  provides DMARC enforcement as the domain owner can prompt the receiver to roll back emails into the spam folder in case the message fails DMARC authentication.

Finally, the reject policy (p=reject) ensures that all emails that fail authentication are not delivered to the receiver’s inbox, thereby providing absolute enforcement.

Which DMARC policy should you use and why?

The DMARC policy you use depends on the level of enforcement you desire and the purpose your policy will serve. Here are a few ways you can leverage your DMARC policy and its subsequent uses: 

To monitor your email channels

If you simply want to monitor your email channels, a DMARC policy at p=none is enough. This policy will however not protect you against cyberattacks. 

To protect against Phishing and Spoofing Attacks 

If you want to protect your emails against phishing attacks and direct-domain spoofing, a DMARC policy of p=reject is imperative. It provides the highest level of DMARC enforcement and effectively minimizes impersonation attacks. 

To review suspicious emails before they are delivered 

If you don’t want to outright block unauthorized emails, instead, allow your receivers to review emails that fail authentication in their quarantine folder, a DMARC quarantine policy is your best bet. 

Which DMARC policy prevents spoofing?

A DMARC reject policy is the only DMARC policy that is effective in preventing spoofing attacks. This is because a reject DMARC policy blocks unauthorized emails from reaching your receiver’s inbox, thereby stopping them from accepting, opening, and reading bad emails. 

Common errors with DMARC policies & How to fix them?

Syntax Errors 

You should be wary of any syntax errors while setting up your record to make sure that your protocol functions correctly. 

Configuration Errors

Errors while configuring the DMARC policy are common and can be avoided by using a DMARC lookup tool. 

DMARC sp policy 

If you configure a DMARC reject policy, but set up your subdomain policies to none, you will not be able to achieve compliance on all your outbound emails. 

The journey from DMARC None to DMARC Reject

To shift to an enforced DMARC policy, you need to make sure of the following: 

• That your record is valid and properly set up 
• You are not facing deliverability issues on legitimate emails 

Why do you need a DMARC Policy? 

A DMARC policy can protect against a wide range of email-based attacks at your organization. Email is the easiest way to use your brand for fraud. By using your domain and impersonating your brand, hackers can send malicious phishing emails to your own employees and customers. Not only will this compromise security in your organization, but it will seriously harm your brand reputation. 

An enforced DMARC policy (reject) at an organization helps:  
 

• Protect the brand image and reputation
• Prevent the loss of confidential data
• Prevent financial losses
• Enhance email deliverability rate
• Enhance the brand’s reliability among its partners and customer-base
• Avoid legal risks