How should I enforce DMARC policies for a bulk sender with p=none?

Key findings

• Initial stage: The p=none policy is solely for monitoring and collecting DMARC reports, not for enforcement. It provides visibility into who is sending email purporting to be from your domain, whether authorized or unauthorized.
• Prioritize authentication: Before moving to an enforcement policy, it is critical to ensure all legitimate email sending sources are properly authenticated with SPF and DKIM and achieve DMARC alignment.
• Spoofing vs. legitimate traffic: Many flagged emails under p=none might be legitimate but unauthenticated sending services (e.g., 'shadow IT'), not necessarily malicious spoofing. These must be identified and configured correctly.
• Bulk sender requirements: New requirements from major mailbox providers like Gmail and Microsoft mandate that bulk senders publish a DMARC record with at least p=none.
• Phased rollout: A gradual transition from p=none to p=quarantine and then to p=reject is widely recommended to mitigate risks to deliverability.

Key considerations

• DMARC reporting service: Utilizing a DMARC reporting service is essential for interpreting the complex XML reports generated by mailbox providers, making it easier to identify and address authentication issues.
• Apex domain vs. subdomains: If a domain is used for multiple purposes (e.g., business communications, marketing, transactional), consider using subdomains for different email streams. This allows for more granular DMARC policies, reducing the risk of disrupting critical business email. Implementing p=reject at the apex domain can break common business use of email.
• Monitoring duration: Monitor with p=none for at least a month, or until you are confident that all legitimate sending sources are authenticated and aligned, and no unexpected legitimate traffic is failing DMARC.
• Risk assessment: The decision to move to enforcement and the speed of transition depend on the client's risk tolerance for potential non-delivery of a small subset of legitimate emails.
• Quarantine vs. reject: While p=quarantine and p=reject have different instructions for receiving servers (send to spam vs. reject entirely), for most practical purposes, mail failing authentication with either policy will not reach the inbox.

Key opinions

• Address issues proactively: It is better to identify and resolve issues with probable spoofers or unauthenticated legitimate sources while the DMARC policy is still set to p=none. This allows for necessary adjustments without immediate negative impacts on deliverability.
• Complex domain usage: When a domain is used for a variety of email types, such as general business communications, marketing, and transactional emails, the DMARC implementation becomes more complex. Each type of traffic needs careful consideration regarding its authentication.
• Impact on open rates: Maintaining good open rates is a primary concern. Marketers aim to prevent legitimate emails from being sent to spam or rejected due to DMARC enforcement.
• DMARC report interpretation: Understanding and interpreting DMARC reports can be challenging, especially for those new to deliverability. A dedicated DMARC reporting service is highly beneficial.

Key considerations

• Authentication first: The fundamental advice is to authenticate all legitimate sending sources before contemplating a move to a stronger policy like p=quarantine or p=reject. This ensures known good mail flows correctly.
• Subdomain strategy: For domains with multiple email uses, particularly for marketing and transactional emails, consider sending from subdomains. This allows for more granular and safer DMARC enforcement.
• Using an external service: If unfamiliar with reading DMARC reports, sign up for a service that simplifies interpretation and assists in the journey towards enforcement. For bulk senders, compliance with requirements from providers like Microsoft is key; they require at least a p=none DMARC policy.
• Continuous monitoring: Even after moving to enforcement, continuous monitoring of DMARC reports is essential to catch any new legitimate sources or configuration issues. You can learn more about how DMARC improves email deliverability on our site.

Key opinions

• Authenticate first, then enforce: The primary step is to authenticate all legitimate sources sending mail from your domain. Only after this is complete and verified can enforcement policies be safely applied.
• Identify 'shadow IT': A crucial part of the p=none monitoring phase is identifying any legitimate email sources that are not yet authenticated (often referred to as 'shadow IT'). These unauthenticated legitimate sources will show up as failures in DMARC reports.
• Apex domain risks: Applying a DMARC p=reject policy to an apex domain that handles diverse email types (e.g., business communications, marketing, transactional) carries a significant risk of breaking legitimate email flows.
• Policy similarity: In practice, DMARC's p=quarantine and p=reject policies often behave similarly regarding non-delivery of unauthenticated mail. While one directs to spam and the other rejects, both prevent the message from reaching the primary inbox.

Key considerations

• Use a DMARC reporting service: Given the complexity of DMARC aggregate reports, using a specialized DMARC reporting service is highly recommended for accurate interpretation and to guide the path to enforcement. You can also monitor your DMARC reports from Google and Yahoo.
• Monitor for sufficient duration: Experts suggest monitoring at p=none for at least one month, or longer if significant unauthenticated legitimate traffic is still being discovered. The duration should be based on confidence that all sources are identified.
• Subdomain implementation: If marketing and transactional emails are sent from subdomains, it is strongly recommended to treat these subdomains separately from the apex domain in terms of DMARC policy. This offers greater control and minimizes risk.
• Phased enforcement: Once satisfied with the p=none data, the next step is to 'pull the trigger' and move to a stronger policy. This transition should be managed carefully, continuously reading reports to catch any unforeseen issues. Mailgun provides a guide on how to implement DMARC policies.

Key findings

• Monitoring policy: The p=none policy is specifically designated for monitoring purposes. It allows domain owners to observe unauthenticated email traffic without taking any enforcement actions like quarantining or rejecting messages.
• Bulk sender requirements: Leading mailbox providers such as Google and Microsoft now require bulk email senders to publish a DMARC record with at least a p=none policy, alongside proper SPF and DKIM authentication.
• Phased enforcement encouraged: Official guidelines recommend a gradual progression of DMARC policies: starting with p=none, moving to p=quarantine, and finally to p=reject. This measured approach helps prevent disruption to legitimate email.
• Alignment is key: Successful DMARC implementation hinges on ensuring that emails pass either SPF or DKIM authentication and that these authenticators are properly aligned with the domain in the 'From' header.

Key considerations

• Data collection: The p=none policy allows for critical data collection on email sending practices without any impact on email delivery. This data is vital for identifying all legitimate sources.
• DMARC record publication: The initial step is always to publish a DMARC record, even if it is just at p=none. This signifies the domain's intent to implement DMARC and begin receiving reports.
• Ensuring SPF and DKIM: Before strengthening the DMARC policy, it is imperative to ensure that all legitimate email is properly authenticated with SPF and DKIM, and that these records are correctly configured and aligned.
• Long-term goal: While p=none is a starting point, the ultimate goal for strong brand protection is to move towards p=quarantine or p=reject to mitigate spoofing and phishing risks. This transition should be undertaken carefully, as outlined in guides such as DuoCircle's use cases for DMARC policies.