Email Security Expert for Hire – maximize your email system security

SPF, DKIM, DMARC, MTA-STS, DANE, BIMI | reduce impersonation attacks | email security assessment report | protect your email system


What is DMARC and why do I need it?

DMARC is a custom DNS record in your public DNS zone file that tells receiving email systems how to treat an incoming email. If the sending email system is evaluated as trusted, which it can be by being included in your SPF record or by signing the message with a DKIM key, then that email can be delivered. If the sending email system is not regarded as trusted, the receiving email system is instructed what to do based on your DMARC policy, or on the lack of one.

The DMARC section of an internet message header can be a useful marker for an email expert witness carrying out a digital forensics investigation into email delivery. Proof of email delivery is often an important aspect of an email forensics investigation.

Having an effective DMARC policy is especially important when you use a bulk emailing service such as Mailgun, or Blackbaud.

No DMARC Policy

As an example, if your email domain has no DMARC policy, then it would be relatively easy for a bad actor to send an email impersonating you to any external email address.

Email Impersonation Attack

That email may get treated as junk, but it would likely be delivered. This presents a security risk: you could become a victim of fraud, or suffer brand damage.

Set a DMARC Policy | DMARC Policy Level

Having a DMARC policy in place, via a special _dmarc DNS record in your DNS zone file, instructs the receiving email system how to react to an email that is not marked as trusted (via SPF and/or DKIM records).

A _dmarc policy can have four possible permutations.

  1. No _dmarc DNS record. This is the worst situation, and some email systems (e.g. Google, Yahoo) are now beginning to refuse delivery to their mailboxes from an email system that has no _dmarc DNS record, as that signifies no DMARC policy is present.
  2. The _dmarc DNS record has a p=none policy. This is the minimum level to set: a DMARC policy is present, which will help your email be delivered. However, this policy mode will not help prevent a bad actor from sending out emails using any email address that uses your email domain name.
  3. The _dmarc DNS record has a p=quarantine policy. The target email system is instructed to place any non-trusted emails into its quarantine. The recipient may still receive the email, though.
  4. The _dmarc DNS record has a p=reject policy. The target email system is instructed to reject any non-trusted emails. An email administrator can relax this setting to allow delivery of these emails, but this is unlikely. This mode is the highest level of protection.

DMARC Policy vs Shadow IT

It is important to move to a p=reject DMARC policy as soon as you can. However, this is not always easy to achieve quickly, due to the large number of business systems that have been configured to send emails out using your email domain name. Often, “shadow IT” has resulted in unapproved systems being used by your staff that would break if you moved to a p=reject mode.

An example would be Mailchimp, a marketing mail-out tool that anyone can sign up for with their email address. If Mailchimp has not been included in your SPF/DKIM setup, then moving to a DMARC p=reject policy will likely cause the emails Mailchimp sends to external addresses not to be delivered, as the receiving email system will reject them.
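As an added illustration (not code from this page or its author), the following Python parses a _dmarc TXT record, classifies it into the four permutations listed above, and works out the disposition a receiver would apply to a message given its SPF and DKIM results, including the shadow IT case just described: a third-party bulk sender that passes SPF for its own domain but was never added to your SPF/DKIM setup. The domains (example.com, bulk-sender.example), record contents and message results are constructed; the organisational-domain check is simplified to the last two labels, whereas real receivers use the Public Suffix List; and the pct and sp tags are ignored.

```python
"""Evaluate DMARC policy levels and message dispositions.

Added example, not the page's own code. Domains, records and message
results below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class AuthResult:
    """Authentication results a receiver has already computed for one message."""
    from_domain: str   # domain in the visible From: header (RFC5322.From)
    spf_pass: bool     # SPF result for the envelope sender domain
    spf_domain: str    # domain SPF was checked against (MAIL FROM)
    dkim_pass: bool    # whether a DKIM signature verified
    dkim_domain: str   # d= tag of the verified signature, "" if unsigned


def parse_dmarc(txt: Optional[str]) -> Optional[dict]:
    """Parse 'v=DMARC1; p=reject; ...' into a tag dict. None means no usable record."""
    if txt is None:
        return None
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    # A record that is not DMARC1 or lacks the mandatory p tag is treated as absent.
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return None
    return tags


def org_domain(domain: str) -> str:
    """Simplified organisational domain: last two labels (assumption; real
    receivers consult the Public Suffix List)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """DMARC identifier alignment: strict (s) needs an exact match, relaxed (r)
    only needs the same organisational domain."""
    if not auth_domain:
        return False
    if mode.lower() == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def policy_level(txt: Optional[str]) -> str:
    """Map a _dmarc TXT record onto the four permutations from the list above."""
    tags = parse_dmarc(txt)
    if tags is None:
        return "no record"
    p = tags["p"].lower()
    return p if p in ("none", "quarantine", "reject") else "no record"


def disposition(txt: Optional[str], msg: AuthResult) -> str:
    """What the receiving system does with msg under the sender's DMARC record."""
    tags = parse_dmarc(txt)
    if tags is None:
        return "deliver (no DMARC policy)"
    spf_ok = msg.spf_pass and aligned(msg.from_domain, msg.spf_domain, tags.get("aspf", "r"))
    dkim_ok = msg.dkim_pass and aligned(msg.from_domain, msg.dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "deliver (DMARC pass)"
    p = tags["p"].lower()
    if p == "reject":
        return "reject"
    if p == "quarantine":
        return "quarantine"
    return "deliver (p=none, failure only reported)"


# Constructed sample: a bulk mailer sending as example.com from its own domain,
# i.e. SPF and DKIM pass for the mailer, but neither identifier aligns with From.
SHADOW_IT_MSG = AuthResult("example.com", True, "bulk-sender.example", True, "bulk-sender.example")
# Constructed sample: the organisation's own mail server, DKIM-signed with a subdomain key.
OWN_SERVER_MSG = AuthResult("example.com", False, "bounce.example.com", True, "mail.example.com")

SAMPLE_RECORDS = {
    "no record": None,
    "p=none": "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com",
    "p=quarantine": "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.com",
    "p=reject": "v=DMARC1; p=reject; adkim=r; aspf=r",
}

if __name__ == "__main__":
    for label, record in SAMPLE_RECORDS.items():
        print(f"{label:13} level={policy_level(record):10} "
              f"shadow-IT sender -> {disposition(record, SHADOW_IT_MSG)}; "
              f"own server -> {disposition(record, OWN_SERVER_MSG)}")
```

Running the demo shows the point of the section: the unapproved bulk sender is delivered under no record and p=none, quarantined under p=quarantine and rejected under p=reject, while the organisation's own DKIM-signed server passes at every level because its signing domain aligns with the From domain under relaxed alignment.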

Hire Rob Walton | Move to DMARC Reject Policy

Use my email security expert consulting services to assess your DMARC status and to help you safely navigate to a DMARC p=reject mode. If you do not move to DMARC p=reject mode, you are choosing not to reduce the risk of an email impersonation (spoof) attack against your staff and against your supply chain. Contact me for a discussion about your DMARC requirements, and how you can protect all your public domain names with a DMARC reject policy.