DMARC Policy Explained

A DMARC policy tells email receivers that have deployed DMARC, such as Gmail, Yahoo, Microsoft and other ISPs, what to do with an email that fails the DMARC verification check.

DMARC is a protocol for verifying email messages. It builds on the email authentication protocols SPF and DKIM to protect the email domain from phishing attacks and email spoofing.

The DMARC policy is conveyed to the ISPs through a DMARC record, which is published in the domain's DNS. Businesses can choose from three kinds of policies for emails that fail the DMARC check. Let's have a look.

Monitor (p=none)

The monitor or none policy instructs the receiving email service to let the email through without taking any action. This policy lets the business monitor the emails only, via the DMARC reports, so that it can assess and analyze what kind of emails are being sent from what appears to be the business's email address.

If the business requires a higher degree of monitoring or vetting, it can opt for the second policy: quarantine.

Quarantine (p=quarantine)

With the Quarantine policy, the business directs the email service providers to divert suspicious emails that have failed DMARC authentication to a quarantine folder such as spam or junk. While the business can analyze the nature of those emails, the recipients can also inspect each quarantined email manually and then decide what they want to do with it.

Reject (p=reject)

The third and strictest policy is the Reject policy. Through it, the business instructs the recipient's email service to reject every email that has failed DMARC verification and to stop it from reaching the recipient's mailbox at all.

While the Reject policy makes your email domain very secure, there is always the risk that valid emails are blocked if their senders have not been added to the whitelist of authorized sources (that is, covered by the domain's SPF and DKIM setup). So, before implementing the Reject policy, you need to carefully examine every individual, system and third party that is authorized to use the email domain, and add them to that whitelist.

The reports and data generated can be reviewed with a DMARC analyzer to gain insight into how the domain is being used and who is sending email messages from the business's email address.
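As an added example (not part of the original article), the following Python code parses a DMARC TXT record, reads the published p= policy and the report address, and shows the disposition a receiver would apply to a message depending on whether it passed aligned SPF or DKIM. The sample records and the example.com addresses are constructed for illustration.

```python
# Constructed sample DMARC TXT records, one for each policy described above.
SAMPLE_RECORDS = {
    "monitor":    "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com",
    "quarantine": "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.com",
    "reject":     "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com",
}

VALID_POLICIES = ("none", "quarantine", "reject")


def parse_dmarc_record(txt):
    """Split a 'tag=value; tag=value' TXT record into a dict.

    Raises ValueError if the record is not v=DMARC1 or lacks a valid p= tag,
    since a receiver treats such a record as no DMARC policy at all.
    """
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record (missing v=DMARC1)")
    if tags.get("p") not in VALID_POLICIES:
        raise ValueError(f"missing or invalid p= tag: {tags.get('p')!r}")
    return tags


def report_destinations(record_txt):
    """Return the aggregate-report (rua=) mailboxes the domain owner asked for."""
    rua = parse_dmarc_record(record_txt).get("rua", "")
    return [uri.strip()[len("mailto:"):] for uri in rua.split(",")
            if uri.strip().startswith("mailto:")]


def dmarc_disposition(record_txt, spf_aligned, dkim_aligned):
    """Decide what a receiver does with one message.

    A message passes DMARC when either SPF or DKIM passes with a domain
    aligned to the From: header; otherwise the published policy applies:
    'none' (deliver and only report), 'quarantine' (spam folder), 'reject'.
    """
    policy = parse_dmarc_record(record_txt)["p"]
    if spf_aligned or dkim_aligned:
        return "pass"
    return policy
```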