What is Enforcement?
A crucial step in getting the benefits of DMARC is Enforcement.
The DMARC (Domain-based Message Authentication, Reporting, and Conformance) standard gives domain owners the ability to specify a policy (enforcement policy) for how they’d like receivers (mail gateways and servers) to handle email messages that fail authentication.
With an enforcement policy, domain owners can tell receivers to put unauthenticated messages in the spam folder or reject them entirely, thereby blocking impersonators.
Without enforcement, domain owners still get some data on who’s spoofing them, but they just watch those impersonators continue to wreak havoc, without doing anything to stop them.
A DMARC record without enforcement is like a bouncer at the front door who checks everyone’s ID, but then lets everyone in regardless of whether they’re on the guest list or not.
The Three Enforcement Policy Options
Unlike SPF or DKIM, which leave it up to the receivers to decide how to handle authentication failures, DMARC actually lets the domain owners specify what they want to happen.
In the simplest configurations, the DMARC policy is spelled out with the “p” parameter, for which there are three options:
- p=none — No enforcement; mail that fails authentication is delivered normally.
- p=quarantine — Messages that fail authentication should be quarantined. Usually this means that the messages are delivered to a user’s spam folder.
- p=reject — Messages that fail authentication should be discarded, not delivered at all. Some receivers honor this request, while others just mark failing messages as spam.
Note that p=none, or “monitor mode,” provides no enforcement. Fraudulent messages using your domain will still be delivered. This setting is intended as a “test” mode, so domain owners have a way to troubleshoot their authentication settings without the risk of legitimate messages getting blocked.
In p=none mode, domain owners can use the reports sent by mail gateways to examine what messages are being blocked and which IP addresses are sending those messages. (In principle — in reality, turning DMARC reports into actionable insights is a challenge all its own.) Armed with that information, the domain owner can then make changes to their SPF and/or DKIM settings, and potentially to the domain(s) being used by the messages, to ensure that legitimate messages authenticate. After authenticating your services and gathering data from all your senders, it's time to consider moving to p=quarantine or p=reject so that mail impersonating you doesn't get to the inbox.
Whether you set the DMARC policy to quarantine or reject, you will be at Enforcement. The level is up to you. We typically recommend going to quarantine first and then moving to reject a week or two later. Some customers go straight to reject but it’s really up to you and your sending environment.
Why DMARC Enforcement Matters
If your goal is to stop phishing and impersonation attacks, you need to get to enforcement, not to remain at p=none indefinitely. A setting of p=none generates a lot of potentially useful raw data. But, it’s only with a policy of quarantine or reject that you will begin to see the anti-impersonation and anti-phishing benefits of DMARC.
At enforcement — p=quarantine or p=reject — only the authorized mail using your domain gets through. Everything else is sent to spam or is deleted without being delivered.
What’s more, DMARC at enforcement can help with deliverability. ISPs that make delivery decisions based on the reputation of the sending domain will take into account your DMARC status. We’ve seen customers whose marketing campaigns’ delivery rates increased by as much as 5 to 10 percent when they moved to an enforcement policy.
Unfortunately, most companies that attempt DMARC don’t actually get to enforcement. In our research, Valimail has found that an average of 75 to 80 percent of domains that have published a DMARC record are unable to get to enforcement. That means they either had configuration errors or, more commonly, had simply gotten stuck at p=none — often for months or even years.
Staying in monitor mode, at a DMARC policy of p=none, provides the same amount of protection as if you had no DMARC record at all.
Getting to enforcement is where the real benefits of email authentication kick in. Without it, you’re just collecting more data.
What are the Advanced Options?
These options allow you to set an enforcement policy (p=none, p=quarantine, p=reject) as a percentage of all messages.
Note: With some secure email gateways (SEGs), such as Microsoft 365, if the DMARC policy of the sending domain is p=reject, the message is delivered to the spam folder instead of being rejected. In other words, for inbound email, Microsoft 365 treats p=reject and p=quarantine the same way.
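As an added illustration (not code from this article or from Valimail), the following Python model shows how a receiver turns a published record into a per-message decision: the p tag, the percentage option (the pct tag from RFC 7489, which applies the next-lower policy to unselected messages) and the downgrade of p=reject to quarantine described in the note above. The record strings are constructed samples.

```python
import random

# Policy strength, weakest to strongest; pct sampling steps one level down.
POLICY_ORDER = ["none", "quarantine", "reject"]
DISPOSITION = {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}


def parse_dmarc(txt):
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; pct=50' into a dict
    of lower-cased tags. pct becomes an int and defaults to 100 (apply to all)."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record: missing v=DMARC1")
    if tags.get("p") not in POLICY_ORDER:
        raise ValueError("missing or invalid p tag")
    pct = int(tags.get("pct", "100"))
    if not 0 <= pct <= 100:
        raise ValueError("pct must be between 0 and 100")
    tags["pct"] = pct
    return tags


def is_at_enforcement(tags):
    """The article's definition: p=quarantine or p=reject is enforcement."""
    return tags["p"] in ("quarantine", "reject")


def disposition(tags, dmarc_pass, sample=None, reject_as_quarantine=False):
    """Return 'deliver', 'quarantine' or 'reject' for one message.
    sample is the receiver's 1..100 draw for pct sampling (injected so results
    are reproducible; random when None). reject_as_quarantine models receivers
    that file p=reject mail as spam, as in the Microsoft 365 note above."""
    if dmarc_pass:
        return "deliver"
    policy = tags["p"]
    if sample is None:
        sample = random.randint(1, 100)
    if sample > tags["pct"]:
        # Not selected by pct: RFC 7489 says apply the next-lower policy.
        policy = POLICY_ORDER[max(0, POLICY_ORDER.index(policy) - 1)]
    if policy == "reject" and reject_as_quarantine:
        policy = "quarantine"
    return DISPOSITION[policy]


if __name__ == "__main__":
    rec = parse_dmarc("v=DMARC1; p=reject; pct=50")  # constructed sample record
    print(is_at_enforcement(rec), disposition(rec, False, sample=30))
```

With pct=50, a failing message that the receiver does not select under p=reject falls back to quarantine, and under p=quarantine falls back to delivery, which is why a low pct value weakens enforcement.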