What are the best practices for DMARC setup, including organizational and subdomain policies and reporting?

Key findings

• Unified policy: A consistent DMARC policy across your organizational domain and its subdomains can simplify management and prevent confusion, though differing policies are technically possible.
• Reporting is key: Comprehensive DMARC reporting (via the rua and ruf tags) at all domain levels is critical for identifying legitimate sending sources and unauthorized senders.
• Subdomain policy (sp): The sp tag allows you to define how DMARC should manage emails sent from subdomains, either inheriting the main policy or applying a separate one.
• Gradual enforcement: Transitioning DMARC policies gradually, from p=none (monitoring) to p=quarantine and finally p=reject, is crucial to avoid legitimate email delivery issues.

Key considerations

• Pre-authentication: Before moving to stricter DMARC policies, ensure all legitimate email senders are properly authenticated with SPF and DKIM.
• Continuous monitoring: Regularly monitor DMARC reports to catch any issues or unknown senders.
• Policy alignment: Understand the interplay between your organizational and subdomain DMARC policies to avoid unintended blocking.
• Simplified structure: Aim for a streamlined DMARC setup, centralizing records where appropriate to maintain clarity and ease of management.

Key opinions

• Clean setup preference: Many marketers prefer having the entire DMARC record within the organizational domain for a more orderly and easier-to-manage setup.
• Visibility is vital: Lack of DMARC reporting on the organizational domain is a significant concern as it can obscure unknown or unauthorized email sending activities.
• Subdomain interaction: Marketers need to understand how a p=reject policy on a subdomain might interact with a p=none policy on the main domain.
• Proactive discovery: Configuring reporting at the organizational level helps to uncover unknown email sources, such as those from various cloud services.

Key considerations

• Policy confirmation: Always verify the actual DMARC policy being enforced on your specific sending domains to ensure it matches expectations and to avoid unintended email deliverability issues.
• Comprehensive reporting: Ensure your DMARC reporting is configured to capture data from all legitimate email streams, including those from third-party marketing platforms.
• Clear structure: Prioritize a straightforward DMARC setup to reduce complexity and make it easier to maintain in the long run. See our guide on DMARC tags and their meanings.
• Policy management: Balance the need for strong security with the imperative to avoid blocking legitimate marketing and transactional emails. Our article on DMARC policy options provides further insight.

Key opinions

• Organizational reporting critical: Experts consistently emphasize that the organizational domain must receive DMARC reports for full visibility into all email traffic associated with the domain and its subdomains.
• Subdomain policy redundancy: In some cases, the sp (subdomain policy) tag may be unnecessary if the main domain's policy covers all required scenarios and reporting is correctly configured.
• Layered policies: It is permissible to have different DMARC policies at different domain levels, but robust reporting at all levels is considered essential for effective management.
• Sleuthing unknown emails: Configuring a reporting email address for the organizational domain is vital for investigating and identifying unexpected or unknown email sending sources.

Key considerations

• Prioritize reporting: Ensure DMARC aggregate reporting is correctly configured for your organizational domain to capture all inbound DMARC data.
• Subdomain strategy: Carefully consider whether a specific sp tag is truly needed for subdomains, or if inheritance from the main domain policy is sufficient and cleaner. Refer to our guide on DMARC policies for organizational domains and subdomains.
• Anomaly detection: Use DMARC reports to proactively identify and address rogue senders or misconfigurations that could impact your email deliverability and domain reputation.
• Policy enforcement: Before implementing a p=reject policy, ensure all legitimate email sources are DMARC compliant to prevent accidental email blocking. More information is available on safely transitioning DMARC policy.

Key findings

• The 'sp' tag: The 'sp' (subdomain policy) tag within a DMARC record allows domain owners to specify a distinct policy for their subdomains, which can override the main organizational domain's policy.
• The 'p' tag: The 'p' (policy) tag dictates how recipient mail servers should handle emails that fail DMARC authentication for the organizational domain, with options including 'none', 'quarantine', and 'reject'.
• DNS TXT record: DMARC records are always published as TXT records in the DNS for the domain, typically under the '_dmarc' subdomain.
• Reporting mechanisms: The 'rua' and 'ruf' tags are used to specify the email addresses where aggregated and forensic DMARC reports, respectively, should be sent for analysis.

Key considerations

• Syntax precision: Adhere strictly to DMARC record syntax, as errors like missing semicolons or invalid values can render the record ineffective. Our DMARC record examples can assist.
• Policy hierarchy: Understand the hierarchy between the main domain's 'p' policy and any subdomain-specific 'sp' policies to ensure the desired enforcement is applied.
• Report analysis: Be prepared to process and analyze the potentially large volume of DMARC aggregate reports to gain actionable insights. Consult our guidance on understanding and troubleshooting DMARC reports.
• Iterative deployment: Deploy DMARC in stages, starting with 'p=none' to monitor traffic, then moving to 'p=quarantine' and 'p=reject' as confidence grows, as outlined in the DMARC specifications.