To be fully successful in a DMARC deployment, it is imperative that you check inbound email messages for DMARC compliance. Doing so will protect your employees from spoofing attacks from other domains as well as enforce your own domain's DMARC rules. This article outlines the process of setting up policies within the Proofpoint Secure Email Gateway that will greatly increase your protection from email attacks.
- Configure PPS to enforce DMARC on all inbound email, but do it in audit/simulated mode so you can evaluate exactly what email you’ll block.
  - Enable the DMARC module and turn on ARC if desired (Off by default): Email Protection > Email Authentication > DMARC > General
  - Enable the SPF/DKIM modules if not already enabled
  - Restrict processing for each module (and the Default DMARC Policy) to Policy Route default_inbound
  - Create a Quarantine folder called dmarc_failures
  - Configure the reject and quarantine rules associated with the Default DMARC Policy to Quarantine messages (to folder dmarc_failures) and Continue
  - Consider remaining in this mode for a few weeks to identify authentic email (that you’ll block) requiring exceptions.
- Identify any authentic email accumulating in the dmarc_failures Quarantine folder
  - Alternatively, EFD customers can click on domains with DMARC failures under: Domain Summary > Your Domains / Third Party Domains with filters:
    - Message Destination = <Your Gateway>
    - DMARC policy = Reject / Quarantine selected
- Configure PPS to enforce DMARC, but accommodate the exceptions identified above
  - Create a Policy Route called dmarc_exceptions
  - Define Policy Route conditions that meet the criteria of authentic email requiring exceptions (for example, list IP address, or list IP address in combination with sending domains)
  - Update the Default DMARC Policy by disabling processing of Policy Route dmarc_exceptions
  - Update the Default DMARC Policy reject rule to Reject (instead of Continue) and quarantine rule to Discard (instead of Continue)
  - Ensure the SPF / DKIM modules aren’t configured to block any email (this will now be done by the DMARC module)
- Maintain / update your list of exceptions
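
One way to review the audit-mode quarantine offline before writing the dmarc_exceptions conditions, as an added example that is not Proofpoint code: it tallies DMARC failures per connecting IP and From: domain, the two conditions the Policy Route can list. It assumes the dmarc_failures folder has been exported as raw RFC 5322 messages, that your gateway stamps an Authentication-Results header under the hypothetical authserv-id mx.example.net, and that the topmost Received header is the one your gateway wrote.

```python
import email
import ipaddress
import re
from collections import Counter
from email.utils import parseaddr

DMARC_RE = re.compile(r"\bdmarc=(\w+)", re.I)
BRACKET_IP_RE = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")

def connecting_ip(msg):
    """IP literal in the topmost Received header (the hop our gateway wrote)."""
    for candidate in BRACKET_IP_RE.findall((msg.get_all("Received") or [""])[0]):
        try:
            return str(ipaddress.ip_address(candidate))
        except ValueError:
            continue
    return None

def dmarc_failures(raw_messages, authserv_id):
    """Count dmarc=fail verdicts per (connecting IP, From: domain)."""
    counts = Counter()
    for raw in raw_messages:
        msg = email.message_from_string(raw)
        # Trust only results stamped by our own gateway; senders can forge others.
        ours = [h for h in msg.get_all("Authentication-Results", [])
                if (h.split(";", 1)[0].split() or [""])[0].lower() == authserv_id.lower()]
        verdict = DMARC_RE.search(" ".join(ours))
        if verdict and verdict.group(1).lower() == "fail":
            addr = parseaddr(str(msg.get("From", "")))[1]
            domain = addr.rpartition("@")[2].lower() if "@" in addr else None
            counts[(connecting_ip(msg), domain)] += 1
    return counts

def exception_candidates(counts, min_messages=2):
    """Recurring (IP, domain) pairs to verify by hand before adding a route."""
    return sorted(k for k, n in counts.items() if n >= min_messages and all(k))

# Constructed sample export (documentation IPs and domains, not real traffic).
def sample_msg(ip, sender, verdict, authserv="mx.example.net"):
    return (f"Received: from relay ([{ip}]) by mx.example.net; Mon, 1 Jan 2024 00:00:00 +0000\n"
            f"Authentication-Results: {authserv}; dmarc={verdict}\n"
            f"From: {sender}\n\nbody\n")
SAMPLE = [sample_msg("192.0.2.10", "Billing <billing@vendor.example>", "fail"),
          sample_msg("192.0.2.10", "billing@vendor.example", "fail"),
          sample_msg("203.0.113.5", "ceo@corp.example", "fail"),
          sample_msg("198.51.100.7", "news@shop.example", "fail", "spoof.invalid")]

if __name__ == "__main__":
    print(exception_candidates(dmarc_failures(SAMPLE, "mx.example.net")))
```

Pairs returned by `exception_candidates` are leads to confirm with the owner of the sending service, not automatic exceptions.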