TABLE OF CONTENTS


What is DMARC Enforcement?


When your domain is configured for DMARC and set to an enforcement policy, email recipients will reject (block from delivery) or quarantine (move to a spam folder) any messages from senders not authorized by your enforcement policy.


The three policies that can be set in a DMARC record are p=none, p=quarantine, or p=reject. A none policy indicates no action will be taken on unauthenticated email messages. But, if the DMARC record includes a reporting address, the domain owner can use the data returned back from email receivers to understand who is sending email out using that domain.

A domain is “at enforcement” if all non-authenticating messages that appear to come from a domain — or its subdomains — will be quarantined or rejected.


The following settings are considered to be at enforcement:


p=reject [with no pct tag]

p=reject; pct=[anything]

p=quarantine [with no pct tag]

p=quarantine; pct=100



DMARC Policy tag

“p=” (policy)


The “policy” tag tells the receiver what to do with a message that fails DMARC authentication.


  • “p=none” – receiver takes no action
  • “p=quarantine” – receiver will treat the email as suspicious and send it to spam/junk folder
  • “p=reject” – receiver rejects the email (does not deliver it)



What is partial Enforcement?


By default, a DMARC policy applies to 100% of all mail unless a percentage is specified with a pct= tag. Unfortunately, if you are at p=quarantine and set a percentage less than 100, that means that some spoofed messages will still be delivered. There is no such thing as “partial” DMARC enforcement. While there are ways to use percentages usefully, don’t fall into the trap of thinking you’re fully protected if your pct= tag specifies anything less than 100%.



Subdomain Policy


The default setting for subdomains is to obey the main policy (e.g. p=reject). Sometimes in the process of getting to DMARC enforcement, domain owners focus on getting their main domain to enforcement, while postponing the work needed to bring subdomains into enforcement by setting a subdomain policy of “sp=none.” Unfortunately, this means that those subdomains can still be spoofed. Phishing emails sent from whatever@example.com won’t get through, but whatever@mail.example.com will. To be at enforcement, subdomains need to be protected, just like the main organizational domain.



DMARC - Strict vs Relaxed alignment


The DMARC standard enables a domain owner to allow relaxed alignment or to require strict alignment. Note that there is no discernible increase in protection by using Strict mode. 


Valimail does not recommend using Strict mode since there is no improvement in protection and is makes configuration and management of authentication more difficult.


Relaxed alignment is satisfied if the organizational domain is the same between the user-visible From address and either the Return Path (SPF) or authenticated signing domain (DKIM).


Strict alignment requires an exact match between the Fully Qualified Domain Name (FQDN) of the user-visible From address and either the Return Path (SPF) or authenticated signing domain (DKIM).


If strict alignment is required and the email does not pass strict    alignment, the email is considered to have failed DMARC authentication for that method (SPF or DKIM). 


Strict vs Relaxed alignment is specified in the DMARC record using the following tags:


aspf (for SPF)

adkim (for DKIM)



The default setting, if it is not specified in the DMARC record, is relaxed alignment. For example, the following DMARC records are equivalent:


v=DMARC1; p=none; rua=mailto:dmarc-alert@example.com; aspf=r; adkim=r

v=DMARC1; p=none; rua=mailto:dmarc-alert@example.com;



Examples of Strict alignment:


  • A domain is set for strict SPF alignment as shown below:


v=DMARC1; p=none; rua=mailto:dmarc-alert@example.com; aspf=s;


If the user-visible From address is sales@marketing.example.com and the Return Path is marketing.example.com, the email is strictly aligned for SPF.



  • A domain is set for strict DKIM alignment as shown below:


v=DMARC1; p=none; rua=mailto:dmarc-alert@example.com; adkim=s


If the user-visible From address is sales@marketing.example.com and the authenticated signing domain is example.com, the email is not strictly aligned for DKIM.