How to Protect Your Sender Domain with DMARC: 3 Steps to DMARC Enforcement

GlockApps (G-Lock Software)
4 min read · Feb 25, 2021

No other channel reaches as wide an audience as email. That is why legitimate businesses use email to reach their clients and subscribers, and it is also why spammers like to use email for malicious purposes. Hacking and phishing attacks carried out over email are increasing year by year.

The good thing is that there is a mechanism that allows email senders to protect their domains from misuse.

Why Deploy DMARC?

DMARC was introduced to tie SPF and DKIM together and to protect legitimate email senders and their recipients from email spoofing attacks.

DMARC stands for Domain-based Message Authentication, Reporting and Conformance. It is a mechanism for authenticating an email message to prove that it really comes from the domain it claims to come from.

DMARC authentication builds on the two other methods, SPF and DKIM, and is implemented by adding a DMARC TXT record to the domain’s DNS.

Implementing DMARC is a must-have for three main reasons:

  1. Email authentication.
  2. Domain protection.
  3. Email traffic visibility.

Read more: What is DMARC: Email Security with DMARC, SPF, and DKIM

What are DMARC Policies?

Not only does DMARC allow email senders to authenticate their emails, it also allows them to instruct email receivers (AOL, Outlook, Yahoo! Mail, Gmail, and other Internet Service Providers) what to do with an email that does not pass the DMARC check. This way, you can tell the ISP to send an email that pretends to come from you to the recipient’s spam folder, or to block it at the gateway.

For this purpose, DMARC has three policies:

  • None (p=none). This policy tells Internet Service Providers that have adopted DMARC to do nothing special with an email that failed the DMARC check. The email goes to the receiver’s Inbox or Spam folder depending on how the ISP’s spam filters treat it.
  • Quarantine (p=quarantine). This policy tells Internet Service Providers to put emails that failed the DMARC check in a special ‘quarantine’ folder — Junk or Spam.
  • Reject (p=reject). This policy tells Internet Service Providers to reject all emails that failed the DMARC check. These emails will not land in any folder of the receiver.

In the DMARC record, you can also set a policy percentage. The percentage tag (pct=) instructs ISPs to only apply the DMARC policy to the specified percentage of the emails that fail the DMARC check.

For example, ‘pct=10’ will tell email receivers to apply the policy 10% of the time against emails that fail the DMARC check. The percentage works only for the ‘quarantine’ and ‘reject’ policies.

Example of a DMARC record with the ‘p=reject’ policy and pct=10:

v=DMARC1; p=reject; pct=10; rua=mailto:ipm2mzl@ar.glockapps.com; ruf=mailto:ipm2mzl@fr.glockapps.com; adkim=r; aspf=r; fo=0;

How to Create a DMARC Record?

Creating and adding a DMARC record is simple. Tools like GlockApps DMARC Analytics let you quickly create a DMARC record. Add the record to your domain’s DNS and you are done: you send email messages from the domain and you receive DMARC reports.

GlockApps will parse each report and present the data about your email authentication in a comprehensive and user-friendly format.

Read more: How to Deploy DMARC Monitoring

Is It Necessary to Enforce the DMARC Policy to ‘Reject’?

After analyzing hundreds of DMARC reports collected by GlockApps, we found out that a lot of email senders successfully use a DMARC record but don’t advance to the stronger DMARC policy.

According to Socketlabs, 59% of senders don’t apply DMARC enforcement.

While the ‘p=none’ policy is a good start while a sender is collecting data about their sending sources and email authentication, the goal every email sender should focus on is moving to the full protection level, i.e. the ‘p=reject’ policy.

However, the fears are understandable. No matter how well a sender authenticates their valid mail streams, it is nearly impossible to achieve a 100% DMARC compliance rate across all valid senders. In practice, a small percentage of email messages coming from legitimate sources fail the DMARC checks. Such failures are caused by occasional DNS issues, message forwarding, or SPF or DKIM records that are misconfigured when a sender moves to a different email service provider.

With that said, 1 out of 10,000 legitimate emails will be rejected once the DMARC policy is moved to full rejection.

Despite this, at GlockApps, we believe that it is very important to have a domain fully protected against criminal attacks and accept the loss of some legitimate emails because of the DMARC ‘reject’ policy. The consequences of a phishing attack are much more detrimental for business than a tiny percentage of undelivered messages.

How to Enforce the DMARC ‘Reject’ Policy?

Switching from a ‘none’ policy straight to a 100% ‘reject’ policy is discouraged. As mentioned above, DMARC lets you use a policy percentage to limit the impact of the policy.

It is recommended to enforce the policy in small steps and to evaluate the impact of each step on deliverability. Since enforcement applies only to the specified percentage of emails that fail the check, a mistake in the authentication setup will not cause a huge loss of legitimate emails.
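As an added example (not code from the GlockApps article), the Python below parses the DMARC record quoted above, works out the disposition a receiver gives a failing message under the p= and pct= tags, and builds a staged enforcement plan of the kind this section recommends. The stage values (quarantine, then reject, each at 10% and then 100%) and the example.com reporting address are assumptions for illustration; one receiver-side caveat the code encodes is that pct does not let the unselected failing mail through untouched: RFC 7489 applies the next weaker policy to it (reject becomes quarantine, quarantine becomes none).

```python
import random
from typing import Dict, Optional

# The record quoted in the article above (the addresses are the article's, not constructed).
RECORD = ("v=DMARC1; p=reject; pct=10; rua=mailto:ipm2mzl@ar.glockapps.com; "
          "ruf=mailto:ipm2mzl@fr.glockapps.com; adkim=r; aspf=r; fo=0;")

# RFC 7489 section 6.6.4: failing mail not selected by pct gets the next weaker policy.
WEAKER = {"reject": "quarantine", "quarantine": "none", "none": "none"}

def parse_dmarc(txt: str) -> Dict[str, str]:
    """Split 'tag=value; tag=value' into a dict; tag names are case-insensitive."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue  # trailing ';' leaves an empty part
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    # v=DMARC1 must be the first tag and p= is mandatory.
    if next(iter(tags), None) != "v" or tags["v"] != "DMARC1" or "p" not in tags:
        raise ValueError("record must start with v=DMARC1 and carry a p= tag")
    if tags["p"] not in WEAKER:
        raise ValueError(f"unknown policy {tags['p']!r}")
    pct = int(tags.get("pct", "100"))  # pct defaults to 100 when absent
    if not 0 <= pct <= 100:
        raise ValueError("pct must be between 0 and 100")
    tags["pct"] = str(pct)
    return tags

def disposition(tags: Dict[str, str], dmarc_pass: bool, draw: Optional[int] = None) -> str:
    """Receiver disposition for one message; draw is its 0..99 pct sample (random if None)."""
    if dmarc_pass:
        return "deliver"
    if draw is None:
        draw = random.randrange(100)
    policy = tags["p"]
    return policy if draw < int(tags["pct"]) else WEAKER[policy]

def rollout(rua: str) -> list:
    """Staged enforcement records: none, then quarantine and reject, each at 10% then 100%.
    The stage values are an assumption for illustration, not the article's own plan."""
    plan = [f"v=DMARC1; p=none; rua=mailto:{rua}"]
    for policy in ("quarantine", "reject"):
        for pct in (10, 100):
            plan.append(f"v=DMARC1; p={policy}; pct={pct}; rua=mailto:{rua}")
    return plan
```

Keep each stage in place long enough to read the aggregate (rua) reports before moving to the next record in the plan.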

We suggest the following scenario for DMARC deployment and enforcement:

Read the full article on GlockApps blog.
