Valimail blog

What is DMARC policy and why is DMARC enforcement so important?

Author: Valimail
At Valimail, we're bouncers, not cops

Many how-to articles tout the benefits of DMARC without mentioning a crucial step: enforcement.

A key part of the DMARC (Domain-based Message Authentication, Reporting, and Conformance) standard is that it gives domain owners the ability to specify a policy for how they’d like receivers to handle email messages that fail authentication.

With an enforcement policy, domain owners can tell receivers to put unauthenticated messages in the spam folder or reject them entirely — effectively blocking impersonators.

Without enforcement, domain owners still get some data on who’s spoofing them, but they just watch those impersonators continue to wreak havoc, without doing anything to stop them.

A DMARC record without enforcement is like a bouncer at the front door who checks everyone’s ID — but then lets everyone in regardless of whether they’re on the guest list or not.

Three DMARC Policy Options

Unlike SPF or DKIM, which leave it up to the receivers (mail gateways and servers) to decide how to handle authentication failures, DMARC actually lets the domain owners specify what they want to happen.

In the simplest configurations, the DMARC policy is spelled out with the “p” parameter, for which there are three options:

  • p=none — No enforcement; mail that fails authentication is delivered normally.
  • p=quarantine — Messages that fail authentication should be quarantined. Usually this means that the messages are delivered to a user’s spam folder.
  • p=reject — Messages that fail authentication should be discarded, not delivered at all. Some receivers honor this request, while others just mark failing messages as spam.

Note that p=none, or “monitor mode,” provides no enforcement. Fraudulent messages using your domain will still be delivered. This setting is intended as a “test” mode, so domain owners have a way to troubleshoot their authentication settings without the risk of legitimate messages getting blocked.

In p=none mode, domain owners can use the reports sent by mail gateways to examine what messages are being blocked and which IP addresses are sending those messages. (In principle — in reality, turning DMARC reports into actionable insights is a challenge all its own.) Armed with that information, the domain owner can then make changes to their SPF and/or DKIM settings, and potentially to the domain(s) being used by the messages, to ensure that legitimate messages authenticate.
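The three policy values above, as an added example (not Valimail's code): a Python classifier that reads a DMARC TXT record and reports whether the domain is at enforcement, stuck in monitor mode, or misconfigured. The record strings are constructed samples, and the pct handling goes beyond the simple p-only case described here; pct is the standard DMARC tag that applies the policy to only a percentage of failing mail.

```python
# Added example: classify DMARC TXT records by their "p" policy tag.
ENFORCING = {"quarantine", "reject"}

# Constructed sample records (reserved .example names, not real DNS data).
SAMPLES = {
    "monitor.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor.example",
    "spam.example": "v=DMARC1; p=quarantine",
    "strict.example": "v=DMARC1; P=Reject",
    "partial.example": "v=DMARC1; p=reject; pct=25",
    "typo.example": "v=DMARC1; p=rejct",
    "nopolicy.example": "v=DMARC1; rua=mailto:dmarc@nopolicy.example",
    "spf-only.example": "v=spf1 -all",
}


def parse_tags(record):
    """Split 'tag=value; tag=value' into an ordered list of (tag, value)."""
    pairs = []
    for part in record.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def classify(record):
    """Return 'enforcing', 'partial: pct=N', 'monitor-only' or 'invalid: ...'."""
    pairs = parse_tags(record)
    if not pairs or pairs[0] != ("v", "DMARC1"):
        return "invalid: record does not start with v=DMARC1"
    tags = dict(pairs)
    policy = tags.get("p", "").lower()
    if policy == "none":
        return "monitor-only"  # fraudulent mail is still delivered
    if policy not in ENFORCING:
        return "invalid: p must be none, quarantine or reject"
    pct = tags.get("pct", "100")  # pct is outside the page's simple case
    if not pct.isdigit() or int(pct) > 100:
        return "invalid: pct must be an integer from 0 to 100"
    return "enforcing" if int(pct) == 100 else f"partial: pct={pct}"


def audit(records):
    """Map each domain to its enforcement status."""
    return {domain: classify(txt) for domain, txt in records.items()}


if __name__ == "__main__":
    for domain, status in audit(SAMPLES).items():
        print(f"{domain:20} {status}")
```
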

Why DMARC Enforcement Matters

If your goal is to stop phishing and impersonation attacks, you need to get to enforcement rather than remain at p=none indefinitely. A setting of p=none generates a lot of potentially useful raw data. But it’s only with a policy of quarantine or reject that you will begin to see the anti-impersonation and anti-phishing benefits of DMARC.

At enforcement — p=quarantine or p=reject — the only mail using your domain that gets through is the mail you have authorized. Everything else is sent to spam or is deleted without being delivered.

What’s more, DMARC at enforcement can help with deliverability. ISPs that make delivery decisions based on the reputation of the sending domain will take into account your DMARC status. We’ve seen customers whose marketing campaigns’ delivery rates increased by as much as 5 to 10 percent when they moved to an enforcement policy.

Unfortunately, most companies that attempt DMARC don’t actually get to enforcement. In our research, Valimail has found that an average of 75 to 80 percent of domains that have published a DMARC record are unable to get to enforcement. That means they either had configuration errors or, more commonly, had simply gotten stuck at p=none — often for months or even years.

Staying in monitor mode, at a DMARC policy of p=none, provides the same amount of protection as if you had no DMARC record at all.

Getting to enforcement is where the real benefits of email authentication kick in. Without it, you’re just collecting more data.


Is your domain enforcing email authentication and protecting you from impersonation attacks? Find out with our free, real-time domain checker.

Published November 7, 2018