The Purpose of a DMARC Policy

A DMARC policy enables the domain owner to tell the recipient's email service what to do with an email that fails the SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) checks.

A DMARC policy is enforced to protect the business's domain from cyber threats and to prevent abuse of its email by hackers and cybercriminals who might use the domain to send fraudulent emails posing as the business. Such abuse not only puts the business's reputation at risk but may also cost it business, clients and customers.

Let's look at the DMARC policy and how the domain owner can enforce it.

Enforcing DMARC Policy

DMARC is an email authentication protocol that works together with SPF and DKIM to secure email and to verify that a sender claiming to send from a particular domain really is who they say they are.

For DMARC to work, a DMARC record is published in the DNS (Domain Name System). The record tells the major ISPs and other receivers that the domain is configured for DMARC verification. It also carries the domain's instructions, the DMARC policy, telling email services what to do with an email that fails the DMARC check.

Emails that pass the DMARC check are delivered to the recipient's inbox. Emails that fail DMARC authentication are subjected to one of three actions, chosen according to the policy that the DMARC record conveys to the recipient's email service.

None/Monitor policy (p=none): The email is only monitored and is allowed through without any action.

Quarantine policy (p=quarantine): The email is sent to a quarantine folder (spam or junk).

Reject policy (p=reject): The email is rejected.
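To make the mechanism concrete, here is an added example (written for this article, not code from the original page or from any DMARC library) that parses a DMARC TXT record and works out which of the three actions a receiver would apply to a message that failed DMARC. The three sample records are constructed; the tag names (v, p, sp, pct, rua, ruf) are those defined in RFC 7489, and it also shows two details the list above does not cover: the sp tag, which sets a separate policy for subdomains, and the pct tag, which applies the policy to only a percentage of failing mail and downgrades the rest one step.

```python
"""Parse a DMARC DNS TXT record and work out what a receiving mail service
would do with a message that FAILED DMARC authentication.

Added illustration for the article, not code from the original page or from
any DMARC library. The sample records below are constructed; the tag names
(v, p, sp, pct, rua, ruf) are those defined in RFC 7489, and the pct
"downgrade" rule follows section 6.6.4 of that RFC.
"""

VALID_POLICIES = ("none", "quarantine", "reject")

# Constructed sample records, one for each policy the article describes.
SAMPLE_RECORDS = {
    "monitor": "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com",
    "quarantine": "v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc-reports@example.com",
    "reject": ("v=DMARC1; p=reject; sp=quarantine; "
               "rua=mailto:dmarc-reports@example.com; ruf=mailto:dmarc-forensic@example.com"),
}


def parse_dmarc_record(txt: str) -> dict:
    """Split a 'tag=value; tag=value' record into a dict and validate the
    tags a receiver relies on. Raises ValueError for anything that is not a
    usable DMARC record (wrong version, bad or missing p, bad sp or pct)."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    # RFC 7489 requires the version tag to come first.
    if not parts or parts[0].replace(" ", "").upper() != "V=DMARC1":
        raise ValueError("record must start with v=DMARC1")
    tags = {}
    for part in parts:
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("p", "").lower() not in VALID_POLICIES:
        raise ValueError("p tag missing or not one of none/quarantine/reject")
    if "sp" in tags and tags["sp"].lower() not in VALID_POLICIES:
        raise ValueError("sp tag must be none/quarantine/reject")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or not 0 <= int(pct) <= 100:
        raise ValueError("pct must be an integer between 0 and 100")
    return tags


def is_valid_dmarc_record(txt: str) -> bool:
    """True when parse_dmarc_record accepts the record, False otherwise."""
    try:
        parse_dmarc_record(txt)
        return True
    except ValueError:
        return False


def disposition_for_failure(record: dict, from_domain: str,
                            policy_domain: str, sample: int = 0) -> str:
    """Return 'none', 'quarantine' or 'reject' for a message whose
    RFC5322.From domain is from_domain and which failed DMARC.

    policy_domain is the domain at which the record was found: the From
    domain itself, or its organizational domain when the subdomain
    publishes no record of its own (then sp, if present, applies).
    sample is a receiver-chosen number in 0..99; pct=N applies the policy
    to N% of failing mail and downgrades the rest one step
    (reject -> quarantine, quarantine -> none)."""
    if from_domain.lower() == policy_domain.lower():
        policy = record["p"]
    else:
        policy = record.get("sp", record["p"])
    policy = policy.lower()
    if sample >= int(record.get("pct", "100")):
        policy = {"reject": "quarantine", "quarantine": "none", "none": "none"}[policy]
    return policy


if __name__ == "__main__":
    for name, txt in SAMPLE_RECORDS.items():
        rec = parse_dmarc_record(txt)
        print(f"{name:10s} p={rec['p']:10s} failing mail from example.com -> "
              f"{disposition_for_failure(rec, 'example.com', 'example.com')}")
    rec = parse_dmarc_record(SAMPLE_RECORDS["reject"])
    print("reject     failing mail from mail.example.com ->",
          disposition_for_failure(rec, "mail.example.com", "example.com"))
```

Running the script shows the three outcomes side by side, and the last line shows why sp matters: with p=reject but sp=quarantine, a forged message from mail.example.com is only quarantined, so a subdomain policy should be set deliberately rather than left to default to p. A receiver fetches the real record with a TXT lookup of _dmarc.<domain>; the parser here validates what comes back before any disposition is applied.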

Here are a few things you need to consider before establishing the DMARC policy.

The None or Monitor policy only lets you monitor emails sent from your domain; the recipient's email service takes no action. You may start with the Monitor policy to gain insight into the kind of emails being sent via your domain and then move on to the Quarantine or Reject policy. By contrast, the Reject policy rejects all non-verified emails, which may also cause some legitimate emails to be rejected. So you may want to establish an allowlist before enforcing the Reject policy.