Domain-based Message Authentication, Reporting, and Conformance (DMARC) is a critical email authentication protocol that helps protect email domains from unauthorised use, such as phishing attacks and email spoofing. However, simply having a DMARC policy is not enough. Optimising this policy is key to maximising your email security. This post will guide MSPs and IT teams through the steps to optimise a DMARC policy, ensuring maximum protection for their organisations or clients.
DMARC policies determine how receiving mail servers should handle emails that fail DMARC checks. There are three policy settings:
1. None (`p=none`): Monitors email flow and reports failures without affecting email delivery. Ideal for starting out with DMARC.
2. Quarantine (`p=quarantine`): Moves emails that fail DMARC checks to the spam folder, increasing security while minimising the risk of legitimate emails being blocked.
3. Reject (`p=reject`): The strongest policy, instructing receiving servers to reject emails that fail DMARC checks, offering the highest level of protection.
It’s important to note that the actual treatment of a message is decided by the receiving mail server. The policy you set in your DMARC record states what you would prefer it to do with non-compliant mail. For example, some receiving servers treat reject and quarantine the same.
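The three policy settings above live in a single DNS TXT record alongside a few other tags that affect how much protection the policy actually requests. The following added example (not code from the original post) parses a DMARC record and flags the settings a reviewer would want to catch: a monitoring-only policy, a partial `pct=`, a weaker subdomain policy (`sp=`), and a missing `rua=` address that would leave you with no reports to analyse. The record strings are constructed for the example; the `pct` fallback behaviour (unselected mail gets the next weaker policy) is as specified in RFC 7489.

```python
"""Parse a DMARC TXT record and point out settings that weaken the policy.

Added example for this post; the sample records are constructed.
"""

POLICY_STRENGTH = {"none": 0, "quarantine": 1, "reject": 2}


def parse_dmarc_record(txt: str) -> dict:
    """Split a DMARC TXT record into lower-cased tag -> value pairs.

    Raises ValueError when the record is not a usable DMARC record
    (wrong version tag, missing or invalid p= tag, malformed tag).
    """
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate a trailing ';'
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("record must begin with v=DMARC1")
    if tags.get("p") not in POLICY_STRENGTH:
        raise ValueError("p= must be none, quarantine or reject")
    return tags


def review_policy(tags: dict) -> list[str]:
    """Return human-readable findings about how much protection is requested."""
    findings = []
    p = tags["p"]

    if p == "none":
        findings.append("p=none only monitors; failing mail is still delivered")

    # pct= defaults to 100. When it is lower, receivers apply the requested
    # policy to that percentage of failing mail and the next weaker policy
    # (reject -> quarantine, quarantine -> none) to the rest.
    pct = int(tags.get("pct", "100"))
    if p != "none" and pct < 100:
        findings.append(
            f"pct={pct}: only {pct}% of failing mail gets the {p} treatment"
        )

    # sp= sets the policy for subdomains; it defaults to the value of p=.
    sp = tags.get("sp", p)
    if sp in POLICY_STRENGTH and POLICY_STRENGTH[sp] < POLICY_STRENGTH[p]:
        findings.append(f"sp={sp} applies a weaker policy to subdomains than p={p}")

    # Without rua= no aggregate reports arrive, so the monitoring step
    # the rollout depends on cannot happen.
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports will not be received")

    return findings


if __name__ == "__main__":
    for record in (
        "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
        "v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc@example.com",
        "v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@example.com",
    ):
        print(record)
        for finding in review_policy(parse_dmarc_record(record)):
            print("  -", finding)
```

Run it against the TXT record you have published (for example the output of `dig +short TXT _dmarc.example.com`) before each step of the rollout; a clean review with `p=reject` returns no findings.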
Begin with a policy of `p=none`. This allows you to collect data on your email sending practices without affecting your email deliverability. Analyse the reports to understand which of your legitimate sending sources are not sending DMARC-compliant mail.
Using the data collected, identify all legitimate email sending sources. Ensure that each of them authenticates through SPF and/or DKIM and that the authenticated domain is aligned with the domain in the From: header. This might involve updating SPF records or ensuring DKIM signatures are in place.
While only one of SPF pass/alignment and DKIM pass/alignment is required for mail from a source to be DMARC compliant, we recommend DKIM pass/alignment for mail sources where possible. It has advantages over SPF as it survives forwarding, as long as the message isn’t modified.
Once you're confident that all legitimate email sources are authenticated and aligned, update your DMARC policy to `p=quarantine`. Monitor the impact on email deliverability and check DMARC reports for legitimate mail sources sending non-compliant messages. This step increases security while providing a buffer to adjust misconfiguration.
After a period of successful quarantine operation without significant issues, consider moving to `p=reject`.
Even with a `p=reject` policy, continuous monitoring of DMARC reports is crucial. Email sending practices and partners can change, and new sources might be added without being properly configured (Shadow IT), or existing services may become non-compliant if SPF is incorrectly updated or DKIM keys are removed inadvertently.
Regularly reviewing DMARC reports helps ensure that your email security posture remains strong without compromising email deliverability.
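The analysis in the rollout steps above (collect reports under `p=none`, find the legitimate sources sending non-compliant mail, and keep checking after each policy change) comes down to reading the aggregate (`rua`) XML reports and working out, per sending source, whether SPF or DKIM passed with an aligned domain. The following added example (not code from the original post) does that for a constructed report in the RFC 7489 aggregate format. The IP addresses and domains are documentation values; the organisational-domain check used for relaxed alignment is simplified to the last two labels, where a real tool would consult the Public Suffix List.

```python
"""Summarise a DMARC aggregate (rua) report per sending source.

Added example for this post. SAMPLE_REPORT is a constructed report in the
RFC 7489 aggregate format; IPs are documentation addresses.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>receiver.example</org_name><report_id>constructed-1</report_id></report_metadata>
  <policy_published><domain>example.com</domain><adkim>r</adkim><aspf>r</aspf><p>none</p></policy_published>
  <!-- own mail server: SPF and DKIM both pass and align -->
  <record>
    <row><source_ip>203.0.113.10</source_ip><count>120</count></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><selector>s1</selector><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <!-- third-party mailer: SPF passes for its own bounce domain, no DKIM signature -->
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>35</count></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>bounce.mailer.example</domain><result>pass</result></spf></auth_results>
  </record>
  <!-- forwarded mail: SPF breaks, the DKIM signature on a subdomain survives -->
  <record>
    <row><source_ip>192.0.2.55</source_ip><count>8</count></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>news.example.com</domain><selector>k2</selector><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>fail</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def org_domain(domain: str) -> str:
    """Simplified organisational domain (last two labels). A real tool uses the
    Public Suffix List so that e.g. example.co.uk is handled correctly."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: str, header_from: str, mode: str) -> bool:
    """DMARC identifier alignment: strict ('s') needs an exact match, relaxed
    ('r') needs the same organisational domain."""
    if mode == "s":
        return auth_domain.lower() == header_from.lower()
    return org_domain(auth_domain) == org_domain(header_from)


def _explain(results, header_from, mode, label):
    """Describe why a mechanism did not give an aligned pass."""
    if not results:
        return f"no {label}"
    for r in results:
        dom, res = r.findtext("domain", ""), r.findtext("result", "")
        if res == "pass" and not aligned(dom, header_from, mode):
            return f"{label} passes for {dom} but is not aligned with {header_from}"
    return f"{label} does not pass"


def summarise(xml_text: str) -> dict:
    """Per source IP: compliant/failing message counts and reasons for failures."""
    root = ET.fromstring(xml_text)
    pub = root.find("policy_published")
    adkim, aspf = pub.findtext("adkim", "r"), pub.findtext("aspf", "r")
    summary = defaultdict(lambda: {"compliant": 0, "failing": 0, "reasons": set()})
    for rec in root.findall("record"):
        ip = rec.findtext("row/source_ip")
        count = int(rec.findtext("row/count"))
        header_from = rec.findtext("identifiers/header_from")
        dkim = rec.findall("auth_results/dkim")
        spf = rec.findall("auth_results/spf")
        # DMARC passes if either mechanism passes with an aligned domain.
        dkim_ok = any(d.findtext("result") == "pass" and aligned(d.findtext("domain", ""), header_from, adkim) for d in dkim)
        spf_ok = any(s.findtext("result") == "pass" and aligned(s.findtext("domain", ""), header_from, aspf) for s in spf)
        entry = summary[ip]
        if dkim_ok or spf_ok:
            entry["compliant"] += count
        else:
            entry["failing"] += count
            entry["reasons"].add(_explain(dkim, header_from, adkim, "DKIM"))
            entry["reasons"].add(_explain(spf, header_from, aspf, "SPF"))
    return dict(summary)


def failing_sources(summary: dict) -> list[str]:
    """Sources that sent at least one non-compliant message, sorted by IP."""
    return sorted(ip for ip, e in summary.items() if e["failing"] > 0)


if __name__ == "__main__":
    result = summarise(SAMPLE_REPORT)
    for ip, entry in result.items():
        print(ip, entry["compliant"], "compliant,", entry["failing"], "failing", sorted(entry["reasons"]))
```

In the constructed report the third-party mailer is the source that needs attention: it passes SPF, but for its own bounce domain, so the pass is not aligned, and it carries no DKIM signature, which is exactly the case where getting the provider to DKIM-sign with your domain fixes compliance. The forwarded mail passes despite the SPF failure because the DKIM signature survived, which is the advantage of DKIM noted above.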
Optimising your DMARC policy is a dynamic process that requires careful planning, gradual implementation, and ongoing monitoring. By systematically moving from monitoring to enforcement and continuously validating email sources, MSPs and IT teams can achieve a robust email security posture that significantly mitigates the risk of email-based threats. Remember, the goal is not just to have a DMARC policy in place but to optimise it for maximum protection without disrupting legitimate email communication.