DMARC Enforcement advanced options

What is DMARC Enforcement?

When your domain is configured for DMARC and set to an enforcement policy, email recipients will reject (block from delivery) or quarantine (move to a spam folder) any messages from senders not authorized by your enforcement policy.

The three policies that can be set in a DMARC record are p=none, p=quarantine, or p=reject. A none policy indicates no action will be taken on unauthenticated email messages. But if the DMARC record includes a reporting address, the domain owner can use the data returned by email receivers to understand who is sending email using that domain.

A domain is “at enforcement” if all non-authenticating messages that appear to come from a domain — or its subdomains — will be quarantined or rejected.

The following settings are considered to be at enforcement:

  • p=reject [with no pct tag]

  • p=reject; pct=[anything]

  • p=quarantine [with no pct tag]

  • p=quarantine; pct=100

DMARC Policy tag

“p=” (policy)

The “policy” tag tells the receiver what to do with a message that fails DMARC authentication.

  • “p=none” – receiver takes no action

  • “p=quarantine” – receiver will treat the email as suspicious and send it to spam/junk folder

  • “p=reject” – receiver rejects the email (does not deliver it)

What is partial Enforcement?

By default, a DMARC policy applies to 100% of all mail unless a percentage is specified with a pct= tag. Unfortunately, if you are at p=quarantine and set a percentage less than 100, that means that some spoofed messages will still be delivered. There is no such thing as “partial” DMARC enforcement. While there are ways to use percentages usefully, don’t fall into the trap of thinking you’re fully protected if your pct= tag specifies anything less than 100%.

Subdomain Policy

The default setting for subdomains is to obey the main policy (e.g. p=reject). Sometimes in the process of getting to DMARC enforcement, domain owners focus on getting their main domain to enforcement, while postponing the work needed to bring subdomains into enforcement by setting a subdomain policy of “sp=none.” Unfortunately, this means that those subdomains can still be spoofed. Phishing emails sent from [email protected] won’t get through, but [email protected] will. To be at enforcement, subdomains need to be protected, just like the main organizational domain.
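The rules above (p=reject at any pct, p=quarantine only at pct=100, subdomains inheriting p= unless sp= overrides it) are easy to misread in a live record. The following is an added example, not Valimail's code or tooling: it parses a DMARC TXT record and reports enforcement separately for the organizational domain and its subdomains. The function names and the constructed sample records are this example's own.

```python
# Added example (not Valimail's code): parse a DMARC TXT record and apply the
# enforcement rules described above. Function names are this example's own.
from __future__ import annotations


def parse_dmarc(record: str) -> dict[str, str]:
    """Split 'v=DMARC1; p=reject; pct=50' into a {tag: value} dict."""
    tags: dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate a trailing ';'
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("missing or unsupported v= tag")
    if "p" not in tags:
        raise ValueError("p= tag is required")
    return tags


def effective_pct(tags: dict[str, str]) -> int:
    """pct= defaults to 100: the policy applies to all mail unless told otherwise."""
    pct = int(tags.get("pct", "100"))
    if not 0 <= pct <= 100:
        raise ValueError(f"pct out of range: {pct}")
    return pct


def policy_at_enforcement(policy: str, pct: int) -> bool:
    """p=reject counts at any pct; p=quarantine only at pct=100; p=none never."""
    policy = policy.lower()
    if policy == "reject":
        return True
    if policy == "quarantine":
        return pct == 100
    return False


def evaluate_enforcement(record: str) -> dict[str, object]:
    """Report enforcement for the organizational domain and for its subdomains."""
    tags = parse_dmarc(record)
    pct = effective_pct(tags)
    p = tags["p"].lower()
    sp = tags.get("sp", p).lower()  # subdomains inherit p= unless sp= overrides it
    org = policy_at_enforcement(p, pct)
    sub = policy_at_enforcement(sp, pct)
    return {
        "p": p,
        "sp": sp,
        "pct": pct,
        "org_domain_at_enforcement": org,
        "subdomains_at_enforcement": sub,
        "at_enforcement": org and sub,  # both must hold to be "at enforcement"
    }


if __name__ == "__main__":
    # Constructed sample records (not real DNS data).
    for rec in (
        "v=DMARC1; p=reject",
        "v=DMARC1; p=reject; pct=25",
        "v=DMARC1; p=quarantine; pct=100",
        "v=DMARC1; p=quarantine; pct=50",
        "v=DMARC1; p=reject; sp=none",
        "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com",
    ):
        print(f"{rec!r:60} -> {evaluate_enforcement(rec)}")
```

The p=reject; sp=none case is the one described in the paragraph above: the organizational domain comes out enforced while subdomains do not, so the record as a whole is not at enforcement.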

DMARC - Strict vs Relaxed alignment

The DMARC standard enables a domain owner to allow relaxed alignment or to require strict alignment. Note that there is no discernible increase in protection by using Strict mode.

Valimail does not recommend using Strict mode, since there is no improvement in protection and it makes configuration and management of authentication more difficult.

Relaxed alignment is satisfied if the organizational domain is the same between the user-visible From address and either the Return Path (SPF) or authenticated signing domain (DKIM).

Strict alignment requires an exact match between the Fully Qualified Domain Name (FQDN) of the user-visible From address and either the Return Path (SPF) or authenticated signing domain (DKIM).

If strict alignment is required and the email does not pass strict alignment, the email is considered to have failed DMARC authentication for that method (SPF or DKIM).

Strict vs Relaxed alignment is specified in the DMARC record using the following tags:

  • aspf (for SPF)

  • adkim (for DKIM)

The default setting, if it is not specified in the DMARC record, is relaxed alignment. For example, the following DMARC records are equivalent:

v=DMARC1; p=none; rua=mailto:[email protected]; aspf=r; adkim=r

v=DMARC1; p=none; rua=mailto:[email protected];

Examples of Strict alignment:

  • A domain is set for strict SPF alignment as shown below:

v=DMARC1; p=none; rua=mailto:[email protected]; aspf=s;

If the user-visible From address is [email protected] and the Return Path is, the email is strictly aligned for SPF.

  • A domain is set for strict DKIM alignment as shown below:

v=DMARC1; p=none; rua=mailto:[email protected]; adkim=s

If the user-visible From address is [email protected] and the authenticated signing domain is, the email is not strictly aligned for DKIM.
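To make the relaxed/strict distinction concrete, here is an added example that is not Valimail's code: it reads the aspf and adkim tags from a record (defaulting both to relaxed) and checks whether an SPF or DKIM result aligns with the user-visible From domain. Its organizational-domain rule is a deliberate simplification and an assumption of this example (last two labels), whereas real receivers consult the Public Suffix List; the function names and sample domains are also this example's own.

```python
# Added example (not Valimail's code): DMARC identifier alignment in relaxed
# ("r") and strict ("s") mode. Function names are this example's own.
from __future__ import annotations


def parse_dmarc(record: str) -> dict[str, str]:
    """Minimal tag parser: 'v=DMARC1; p=none; aspf=s' -> {'v': 'DMARC1', ...}."""
    tags: dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def organizational_domain(fqdn: str) -> str:
    """Assumption: organizational domain = last two labels.
    Real implementations use the Public Suffix List instead."""
    labels = fqdn.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict: exact FQDN match. Relaxed: same organizational domain."""
    from_domain = from_domain.lower().strip(".")
    auth_domain = auth_domain.lower().strip(".")
    if mode == "s":
        return from_domain == auth_domain
    if mode == "r":
        return organizational_domain(from_domain) == organizational_domain(auth_domain)
    raise ValueError(f"unknown alignment mode: {mode!r}")


def dmarc_alignment(
    record: str,
    from_domain: str,          # domain of the user-visible From header
    spf_domain: str | None,    # Return Path (MAIL FROM) domain, if any
    spf_result: str,           # "pass" / "fail" / "none" from the SPF check
    dkim_domain: str | None,   # d= of a signature that verified, if any
    dkim_result: str,          # "pass" / "fail" / "none" from the DKIM check
) -> dict[str, object]:
    """DMARC passes if at least one authenticated identifier is aligned."""
    tags = parse_dmarc(record)
    aspf = tags.get("aspf", "r").lower()    # relaxed unless the record says otherwise
    adkim = tags.get("adkim", "r").lower()
    spf_ok = (spf_result == "pass" and spf_domain is not None
              and aligned(from_domain, spf_domain, aspf))
    dkim_ok = (dkim_result == "pass" and dkim_domain is not None
               and aligned(from_domain, dkim_domain, adkim))
    return {
        "aspf": aspf,
        "adkim": adkim,
        "spf_aligned": spf_ok,
        "dkim_aligned": dkim_ok,
        "dmarc_pass": spf_ok or dkim_ok,
    }


if __name__ == "__main__":
    # Constructed sample: strict SPF alignment, Return Path on a subdomain.
    rec = "v=DMARC1; p=none; rua=mailto:dmarc@example.com; aspf=s;"
    print(dmarc_alignment(rec, "example.com", "bounce.example.com", "pass", None, "none"))
    # Same message under the default (relaxed) record.
    rec = "v=DMARC1; p=none; rua=mailto:dmarc@example.com;"
    print(dmarc_alignment(rec, "example.com", "bounce.example.com", "pass", None, "none"))
```

Running the two sample calls shows the practical difference the text describes: a Return Path on bounce.example.com fails strict SPF alignment for a From of example.com but passes relaxed alignment, and a record with explicit aspf=r; adkim=r evaluates identically to one that omits both tags.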
