
Optimising DMARC Policy for Maximum Protection

March 21, 2024
DMARC Protocol
Security

Introduction

Domain-based Message Authentication, Reporting, and Conformance (DMARC) is a critical email authentication protocol that helps protect email domains from unauthorised use, such as phishing attacks and email spoofing. However, simply having a DMARC policy is not enough. Optimising this policy is key to maximising your email security. This post will guide MSPs and IT teams through the steps to optimise a DMARC policy, ensuring maximum protection for their organisations or clients.

Understanding DMARC Policy Settings

DMARC policies determine how receiving mail servers should handle emails that fail DMARC checks. There are three policy settings:

1. None (`p=none`): Monitors email flow and reports failures without affecting email delivery. Ideal for starting out with DMARC.
2. Quarantine (`p=quarantine`): Moves emails that fail DMARC checks to the spam folder, increasing security while minimising the risk of legitimate emails being blocked.
3. Reject (`p=reject`): The strongest policy, instructing receiving servers to reject emails that fail DMARC checks, offering the highest level of protection.

It’s important to note that the actual treatment of a message is down to the recipient mail server. The policy you set in your DMARC record is what you prefer they do with non-compliant mail. For example, some recipient servers treat reject and quarantine the same.

Step 1: Start with Monitoring

Begin with a policy of `p=none`. This allows you to collect data on your email sending practices without impacting your email deliverability. Analyse the reports to understand which of your legitimate sending sources are not sending DMARC compliant mail.

Step 2: Identify and Authorise Email Senders

Using the data collected, identify all legitimate email sending sources. Ensure that they are properly authenticated through SPF and/or DKIM and that the authenticated domain is aligned with the domain in the message's From: header. This might involve updating SPF records or ensuring DKIM signatures are in place.

While only one of SPF pass/alignment and DKIM pass/alignment is required for mail from a source to be DMARC compliant, we recommend DKIM pass/alignment for mail sources where possible. It has an advantage over SPF in that it survives forwarding, as long as the message isn’t modified in transit.

Step 3: Move to Quarantine

Once you're confident that all legitimate email sources are authenticated and aligned, update your DMARC policy to `p=quarantine`. Monitor the impact on email deliverability and check DMARC reports for legitimate mail sources that are still sending non-compliant messages. This step increases security while leaving room to correct misconfigurations before moving to full enforcement.

Step 4: Increase to Reject

After a period of successful quarantine operation without significant issues, consider moving to `p=reject`.

Step 5: Continuous Monitoring and Adjustment

Even with a `p=reject` policy, continuous monitoring of DMARC reports is crucial. Email sending practices and partners can change, and new sources might be added without being properly configured (Shadow IT). Existing services may also become non-compliant if an SPF record is updated incorrectly or DKIM keys are removed inadvertently.

Regularly reviewing DMARC reports helps ensure that your email security posture remains strong without compromising email deliverability.
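Steps 1, 2 and 5 all depend on reading the aggregate (RUA) reports that receivers send back. As an added example (not code from the original post), the Python below parses a constructed report in the RFC 7489 XML shape and lists the sending IPs whose mail was not DMARC compliant, using the receiver's aligned `policy_evaluated` verdicts rather than the raw `auth_results`. The sample report, IP addresses and domain names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample DMARC aggregate (RUA) report in the RFC 7489 XML shape:
# one source aligned on both DKIM and SPF, one whose SPF passes only for an
# unaligned domain and carries no DKIM signature, so it is not DMARC compliant.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <policy_published><domain>example.com</domain><p>none</p></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>35</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>bulkmailer.example.net</domain><result>pass</result></spf></auth_results>
  </record>
</feedback>"""

def summarise(report_xml: str) -> dict:
    """Return {source_ip: {"count", "compliant", "reasons"}} across all records.

    Compliance is read from <policy_evaluated>, which the receiver sets to pass
    only when SPF or DKIM passed *and* aligned with the From: domain. A raw pass
    in <auth_results> for some other domain (as for 198.51.100.7) does not count.
    """
    out = {}
    for rec in ET.fromstring(report_xml).iter("record"):
        ip = rec.findtext("row/source_ip")
        count = int(rec.findtext("row/count", "0"))
        dkim_ok = rec.findtext("row/policy_evaluated/dkim") == "pass"
        spf_ok = rec.findtext("row/policy_evaluated/spf") == "pass"
        reasons = set()
        if not dkim_ok:
            reasons.add("DKIM missing, failing or unaligned")
        if not spf_ok:
            spf_dom = rec.findtext("auth_results/spf/domain")
            reasons.add(f"SPF failing or unaligned (checked domain: {spf_dom})")
        entry = out.setdefault(ip, {"count": 0, "compliant": True, "reasons": set()})
        entry["count"] += count            # real reports repeat an IP across records
        entry["compliant"] &= (dkim_ok or spf_ok)  # any failing record flags the IP
        entry["reasons"] |= reasons
    return out

def non_compliant_sources(report_xml: str) -> dict:
    return {ip: v for ip, v in summarise(report_xml).items() if not v["compliant"]}
```

Each non-compliant IP is either a legitimate sender still to be fixed under Step 2 or a third party sending as your domain; checking the SPF domain the receiver evaluated usually tells you which.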

Common Challenges and Solutions

  • Legitimate Emails Being Blocked: Ensure all email sending services are authenticated and monitored. Adjust your SPF and DKIM records as necessary.
  • Handling False Positives: Gradually adjusting your policy from `p=quarantine` to `p=reject` minimises the risk of legitimate emails being blocked.
  • Complexity of Managing Multiple Sending Sources: Utilise DMARC reporting tools to aggregate and analyse reports, making it easier to manage and authorise multiple email sources.

Conclusion

Optimising your DMARC policy is a dynamic process that requires careful planning, gradual implementation, and ongoing monitoring. By systematically moving from monitoring to enforcement and continuously validating email sources, MSPs and IT teams can achieve a robust email security posture that significantly mitigates the risk of email-based threats. Remember, the goal is not just to have a DMARC policy in place but to optimise it for maximum protection without disrupting legitimate email communication.
