DMARC – Enforcement Options

This is the second post in a series on DMARC.  View the whole series here.

The DMARC tag that specifies the enforcement policy is p.  This tag tells the receiver of the message what the sender would like the receiving party to do when a message fails DMARC authentication.  This policy tag has three possible values: None, Quarantine, and Reject.

• None:  The sender does not request a specific action. DMARC remains in reporting mode and continues to filter and gather data on the message stream.  

• Quarantine:  The sender asks the receiving party to treat DMARC authentication failures as suspicious.  The receiving mail server could then place the message into a spam folder, scrutinize the message with additional intensity, and/or flag the message as suspicious.  This option may provide the ability for further review by personnel tasked with analysis. 

• Reject:  The sending party asks the receiver to reject email that fails DMARC authentication.  This rejection should occur during the SMTP session, with either a full rejection and a 550 code, or a silent discard with no failure message to the sender.   

DMARC users typically start with ‘p=none’ which sets DMARC to reporting mode. After making sure their legitimate email systems pass DMARC (by either configuring their DKIM or SPF records), users typically switch directly to ‘p=reject’ which guarantees that domain spoofing emails are automatically quarantined.

DMARC is easy with Barracuda Sentinel. Visit our site here to get more information on how we can help protect you from spear phishing and cyberfraud.