DMARC is a powerful email authentication protocol that relies on a policy system to work efficiently. Once DMARC policies are set, they help mailing engines understand how to treat emails that have failed authentication.

Publishing proper DMARC policies gives you better control over your email traffic and provides insights into your email channel.

How does a DMARC check work?

DMARC uses the two underlying protocols of Sender Policy Framework / Domain keys Identified Mails to authenticate emails. It works on top of the existing DNS setup to perform its validity checks. The policies you wish to set for your domain are published as DMARC Records into the domain’s overall DNS records.

Have a problem with your DMARC records? Learn how to fix DMARC record errors.

For an incoming message, the DMARC protocol first validates the email headers with respect to the address in the ‘From’ section of the email. It validates the email by performing some basic checks:

1. Does the email’s DKIM signature pass authentication?
2. Is the IP address blocked in the blacklist published in the SPF records?
3. Does the address in the ‘from’ header (RFC 5322) match the address displayed in the from section of the email?

If the email cannot pass these tests, DMARC marks them for failed authentication. It then uses DNS lookup to find the DMARC policies you have set for your domain. The policies then determine how DMARC should treat the invalidated email.

If you do not set any DMARC policy, the mailing engine will not know how to treat such emails. This means potentially harmful emails will pass through to your inbox. Even if some of them will land up in the junk folder, chances of you interacting with them increase.

Understanding the DMARC Policies

There are three DMARC policies to choose from. These are none, quarantine, and reject.

P=None (Simply Monitor)

This is the preliminary policy which newly established domains typically publish. The receiving mail server will not give any special treatment to the emails failing authentication. All emails will proceed to the recipient’s inbox. You can set this policy in the initial stages to get an overall idea of how your domain is performing. DMARC will inform you how many times your domain is being misused and by whom. The key thing at this stage is to analyse the reports generated by DMARC. Then, you can move on to the next policy.

P=Quarantine (Isolate suspicious mails)

As the name suggests, setting the DMARC policy to Quarantine places all invalidated emails into a separate / spam folder. Then you can analyse these emails to find out who is sending emails on your behalf by spoofing your domain. If the sender is allowed to send emails through your domain, you can then validate quarantined emails.

P=Reject (Bounce all suspicious emails)

By setting the reject policy, you are instructing the receiving mail server to block all emails that failed authentication. Such emails won’t even reach the junk folder of the receiver. This DMARC policy provides maximum security but can also prevent perfectly valid emails from reaching the intended receivers.

Before setting DMARC policy the email traffic of your domain needs to be analyzed else your genuine emails could be blocked by recipients

For e.g., if you are using a service like Sendgrid for sending newsletters, you must carefully whitelist Sendgrid as well as your main domain.

Logix starts from p=None and gradually handholds you until you reach p=Reject

On setting the policy to None, Logix will help you gather reports from the internet. You will be able to find out exactly who is sending mails to the internet on behalf of your domain. Logix will coordinate with you and your Application Server team to identify and rectify all outbound emails. Once we observe that all email traffic is truly owned by your own legitimate domain, then we set the DMARC policy to Quarantine.

After analysing consistent DMARC performance, we move towards Reject Policy, safeguarding your email domain from abuse.

How do DMARC Policies affect Email Deliverability?

In the absence of a policy, ISPs themselves make the delivery decisions. They work to block phishing and other illegitimate messages, so their inclination is always towards rejecting failed emails. You need to have a proper policy in place so your valid emails don’t get caught in the net.

In time, total email authentication and DMARC will effectively become mandatory.

Let us take care of your DMARC for you. Know more about Logix’s DMARC Monitor.