What is a DMARC Policy?

A DMARC policy allows a sender’s domain to indicate that their emails are protected by SPF and/or DKIM, and tells a receiver what to do if neither of those authentication methods passes – such as to reject the message or quarantine it. The policy can also specify how an email receiver can report back to the sender’s domain about messages that pass and/or fail.

These policies are published in the public Domain Name System (DNS) as text TXT records.

DMARC doesn’t directly address whether or not an email is spam or otherwise fraudulent. Instead, DMARC can require that a message not only pass DKIM or SPF validation, but that it also pass alignment. Under DMARC a message can fail even if it passes SPF or DKIM, but fails alignment. Setting up DMARC may have a positive impact on deliverability for legitimate senders.

What is DMARC?

DMARC helps organizations avoid spoofing and phishing of their domains. It’s implemented in organizations Domain DNS records and also protects brand reputation for sending spam and phishing emails from their domain. 

Here is an example of a DMARC record

  • v=DMARC1 – This is the identifier that indicates to the DNS that it is a DMARC record. If the domain does not have a text record starting with v=DMARC1, the receiver server will not perform a DMARC check.
  • p=none – This is to define the policy whereby DMARC checks whether the SPF and DKIM records pass or fail.
  • rua=mailto:[email protected] – this part tells the server where to send the DMARC aggregate reports. It provides daily reports, helping administrators understand what is going on with their domains.
  • ruf=mailto:[email protected]This section informs the server where to send DMARC failure reports.

What is a DMARC Policy?

A DMARC policy defines what to do with the mail if both SPF or DKIM fails – reject, quarantine or accept them. There are three options in the DMARC policy that will be described below.

  • p=none: This policy, sometimes referred to as the “monitor” policy,  does not tell the recipient to perform any action regarding unqualified mails. When a policy is set to “none”, non-approved emails may go into the recipient’s inbox.
  • p=quarantine: This policy provides that all unqualified email will be sent to the quarantine, in other words, will be sent to the SPAM folder.
  • p=reject: This policy predicts the receiver to block all emails that do not pass SPF and DKIM validations. Only emails that are sent from authorized IPs or signed with proper domain signature can be delivered to the recipient mail server. Any other unqualified emails will be discarded.

Best Practices for setting up a DMARC policy

You may wonder what is the best policy to use to obtain the best results. Most domain owners are tempted to use the Reject policy so absolutely no spam emails make it to their recipients. As the Reject policy blocks everything that is not authenticated, if you haven’t done proper monitoring and failed to whitelist or authenticate your legitimate outgoing email sources, important emails will also be rejected in the process.

EasyDMARC experts suggest starting from the “None” policy to monitor your email sources over a period of time and receive aggregate reports. With this, you can exclude important messages from the potential for rejection.

You can then escalate the policy to “quarantine” which will send unqualified emails to Spam or Junk folders. This means that all suspicious emails will land in the spam folder, but if any important emails are blocked, at least your recipient will get them.

Once you’re confident you’ve whitelisted all your email sending services, you can proceed to the “reject” policy which outright blocks unqualified emails from getting to recipients’ inboxes and makes sure that your authenticated & legitimate emails will be sent to receivers without any interruption.

Authentication and enforcement process

1. Set your DMARC policy to None (p=none).

    1. Analyze all reports and indicate which sources are legitimate and need to be configured and which phishing attacks. (Non-configured legitimate emails can be found under the Non-Compliant section of your EasyDMARC Dashboard).
      DMARC policy
      example of a dmarc policy

    2. After identifying, start the configuration process of each of your 3rd party legitimate sources (Ensure SPF and/or DKIM are passing the DMARC check).
    3. After configuring, wait for reports to arrive. (Configured legitimate sources can be found under the DMARC Compliant section).
      dmarc compliant
      dmarc compliant

    4. Once all your sources have been configured, the next step is the enforcement process.

2. Enforce DMARC policy to Quarantine (p=quarantine)

    1. In the enforcement stage, we recommend gradually increasing the percentage of the policy, starting with 25% (pct=25).
    2. Analyzing your email ecosystem and seeing how the enforcement percentage has adapted to the changes.
    3. If no changes occurred with the ecosystem, raise the percentage from 25% to 50% (pct=50).
    4. Repeat the process until you reach to Quarantine 100% (pct 100)

3. Enforce DMARC policy to Reject (p=reject)

    1. In this enforcement stage, the percentage should also start from 25% (pct=25).
    2. Analyze your reports and see how they are adapting to the changes.
    3. Raise the percentage to 50% (pct=50).
    4. Repeat the process until you reach to Quarantine 100% (pct 100)

4. Once reached to Reject 100%(pct=100) with the steps we have recommended, all your legitimate emails will pass the DMARC check and all phishing emails will be blocked (bounced).

What’s Next

DMARC configuration and enforcement process can take upwards of 3 months to a year depending on the email infrastructure, as well as, how many 3rd party sources your organization is using.

EasyDMARC Support team can guide you through the implementation and enforcement journey to ensure your organization reaches Reject policy without any issues.

Similar articles to check out:


How to Prevent Data Breaches?

How to Prevent Data Breaches?

If you run a company that relies on the internet to operate you must...

Read More
Reputational Cost of a Data Breach

Reputational Cost of a Data Breach

When the internet was created, security wasn't the main focus in any corner of...

Read More
What Should a Company Do After a Data Breach?

What Should a Company Do After a Data Breach?

No company is 100% immune to data leaks. Cyberattackers are constantly improving their methods,...

Read More