Why DMARC enforcement includes quarantine and reject
Valimail’s mission has been consistent since the day we started back in 2015: We want to keep fraudulent emails out of the inbox.
DMARC is a powerful tool for accomplishing a major part of that aim, because it enables domain owners to eliminate spoofed messages that misuse their domains in the from field. Because DMARC is a global standard with virtually universal support among the world’s largest email providers, it eliminates them from everyone’s inboxes, not just the domain owners’.
To be effective as an anti-phishing solution, domain owners need to set their DMARC records to a policy of “reject” or “quarantine” — otherwise known as DMARC enforcement. If you don’t do that, those receiving mail servers will see a policy of “none” and will continue to deliver the spoofs. These are the three primary policies DMARC can be configured to:
- p=reject = Messages failing authentication should be rejected (deleted)
- p=quarantine = Messages failing authentication should be sent to spam or otherwise quarantined from the inbox
- p=none = No special handling; messages failing authentication should be delivered as normal
The ideal state
The ideal state is a reject policy, and that is what we recommend to our customers. However, there are use cases where this isn’t feasible, either because the customer has mail flows they need to preserve that aren’t yet authenticatable (e.g. a high corporate usage of mailing lists which have not yet implemented ARC) or because of political considerations at the organization. Sometimes, an organization wants to implement quarantine to convince themselves that things are working as expected before moving to reject. With the visibility that Valimail Enforce provides, quarantine is not usually necessary — but some customers still require it, and it’s why we support it when it’s needed.
The biggest danger to an organization that has just deployed a DMARC record is staying at a p=none or sp=none position for years on end.
Note: the ‘sp’ tag lets organizations set a separate policy for subdomains of the main domain; at p=reject and sp=none, messages from ‘example.com’ that fail to authenticate will be rejected but messages from ‘sub.example.com’ will be delivered as normal. In practice, what this means is that your domain is still abusable: An attacker can just pick any subdomain and go to town phishing your customers or employees.
The disastrous alternative
If the alternative to quarantine is staying at ‘p=none’ or staying at ‘sp=none’, we consider that disastrous. Unfortunately, that’s precisely what our competitors recommend for their customers and (in one case) themselves. We believe that this is a negligent and dangerous stance.
The vast majority of the benefit of DMARC comes from keeping fraudulent messages out of the inbox, which a quarantine configuration accomplishes. The material benefits are obvious to any organization which gets to and stays at quarantine: Their customers don’t see brand impersonation attacks, their partners don’t see fraudulent invoices, and their employees don’t see spear phishing attacks.
Yes, these fraudulent emails can be dug out of the spam folder, but that comes with both a heightened level of awareness by the recipient and vastly reduced frequency.
This is especially true given that at least one major consumer and enterprise email receiver treats a reject and quarantine policy identically: Regardless if the domain’s policy is set to reject or quarantine, this receiver puts messages failing authentication in the spam folder.
In other words, for messages sent to this receiver, switching from quarantine to reject will make absolutely no difference. For all other receivers that respect DMARC policies, the switch will delete messages that were formerly confined to the spam folder.
Locking the door against spoofs
To use an analogy from physical security: A quarantine policy is like a wooden door, and a reject policy is like a steel door. Yes, a steel door is more secure — but a wooden door is better than no door at all. And maybe all you really need is a wood door.
If the vendor trying to sell you a door can’t even get the door installed properly, who cares what their opinion is on steel vs. wood?
Similarly, we find it amusing that DMARC vendors who have difficulty getting their customers to any kind of enforcement policy, even after many months, should be harping on the relatively small difference between quarantine and reject.
Speed is key. Time to enforcement — even if it’s quarantine — is far more impactful for the security of your organization than anything else. Think of it this way: Given a choice between wood or steel today, choose steel. But if it’s wood today or steel next year, the wood is worth its weight in gold.
In short: If your domain has a DMARC record with a policy of “none,” you need to move to enforcement as quickly as possible in order to cut off impersonation of your domain. The difference between quarantine and reject is relatively small compared to the protection you’ll gain by moving from p=none to either enforcement policy.