With any DMARC deployment, we have the same goal. We want a strictly enforced DMARC policy by the time we are done. When we start, we simply want to gather information safely until we are confident that an enforced policy can be used.
There are three policy types, referenced by the p= attribute of a DMARC record.
p=none;
We have a DMARC record, but we don't want the rules to be enforced at all.
p=quarantine;
Anything that doesn't pass DMARC should be sent to the user's spam folder. This is the lowest "enforced" setting and gives your support staff the ability to have customers check their spam folders if an email they're expecting is missing after turning it on. By the time we get here, you won't need it.
p=reject;
Don't even deliver messages that fail DMARC checks. They aren't from us.
The goal is to get to a p=reject; policy for every domain. A lot of people like the idea of sticking with p=quarantine; but this is still a dangerous place to be. Users can set email filter rules that move messages saying they are from you to specific folders, and these rules will bypass the DMARC check if the message is allowed to be delivered to the spam folder.
If this sounds farfetched, keep in mind that this is standard operating procedure for Business Email Compromise (BEC) scams, also known as spear phishing or whale phishing. These attacks have cost businesses $43 billion since 2016. An attacker will pretend to be a vendor, contacting your financial team frantically asking why an invoice hasn’t been paid. They’ll send an email pretending to be the irate CEO insisting that this vendor be paid immediately.
In many cases, they’ll direct their victim to the spam folder to find the fake invoice or the fake CEO communication, “Bob told me he was going to contact you last week! Are you sure it’s not in spam or something?” Just sending messages to the spam folder isn’t enough.
Additionally, once you get to p=reject; you'll find that it's easier to keep all of your email rules up to date because nothing new will work until it's been properly configured. This helps prevent Shadow IT too.
The goal is always to get to p=reject;
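To track how far each domain is from that goal, the following added example (not code from the original guide) classifies a DMARC TXT record by its p= value. It goes slightly beyond the article by also checking the standard sp= and pct= tags from the DMARC specification, which can weaken a p=reject; record; the function names and sample records are constructed for illustration.

```python
# Added example: classify DMARC TXT records by rollout stage (names are hypothetical).
POLICIES = ("none", "quarantine", "reject")  # ordered weakest to strongest

def parse_dmarc(txt):
    """Parse a DMARC TXT record into {tag: value}; raise ValueError if unusable."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        raise ValueError("record must start with v=DMARC1")
    tags = {}
    for part in parts:
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part!r}")
        tags.setdefault(name.strip().lower(), value.strip())
    if tags.get("p", "").lower() not in POLICIES:
        raise ValueError("missing or invalid p= tag")
    if tags.get("sp", "none").lower() not in POLICIES:
        raise ValueError("invalid sp= tag")
    return tags

def assess(txt):
    """Return (status, notes); status is 'enforced' only for a full p=reject."""
    tags = parse_dmarc(txt)
    policy = tags["p"].lower()
    sub = tags.get("sp", policy).lower()   # sp= defaults to the p= value
    pct = int(tags.get("pct", "100"))      # pct= defaults to 100
    notes = []
    if policy == "none":
        notes.append("p=none: reports only, nothing is enforced")
    elif policy == "quarantine":
        notes.append("p=quarantine: failing mail still lands in the spam folder")
    if policy != "none" and pct < 100:
        notes.append(f"pct={pct}: only part of the failing mail gets the policy")
    if POLICIES.index(sub) < POLICIES.index(policy):
        notes.append(f"sp={sub}: subdomains are held to a weaker policy")
    status = "enforced" if not notes else "monitoring" if policy == "none" else "partial"
    return status, notes

# Constructed sample records (not taken from any real domain).
SAMPLES = {
    "stage1.example": "v=DMARC1; p=none; rua=mailto:dmarc@stage1.example",
    "stage2.example": "v=DMARC1; p=quarantine; pct=50",
    "stage3.example": "v=DMARC1; p=reject; sp=none",
    "done.example": "v=DMARC1; p=reject;",
}
if __name__ == "__main__":
    for domain, record in SAMPLES.items():
        print(domain, *assess(record))
```

Only the last sample reports "enforced"; the others list what still separates them from a full p=reject; policy.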
This article was originally published on as part of a 3 part DMARC Guide at Brightball.