How to Implement a Reject Policy

DMARC

If you don’t have a DMARC Reject policy on your domain, you’re not alone—97% of Fortune 500 companies don’t have a Reject policy, either. Following some basic guidelines can make implementing a Reject policy easier. Here’s what you can expect.

(NOTE: before starting, it helps to know a little about these policies. If you want to learn more about DMARC and the policies that it relies on, check out our info pages, About DMARC, About SPF, and About DKIM.)

1.Turn on DMARC reporting

The first step is to begin monitoring your domain with DMARC. Create a policy and set it to None. This allows you to receive DMARC reports without impacting your mail flow. Fraudmarc provides users with free DMARC reports, which provide information needed to configure your SPF and DKIM.

NOTE: This step is only for domains that are not using DMARC. If your domain already has a DMARC policy, skip to Step 2.

Turning on DMARC involves changing DNS settings, so follow the steps from your DNS provider. To set up DMARC using Fraudmarc, log in to Fraudmarc and add your domain. Fraudmarc will prompt you to make changes to turn on DMARC with your DNS provider. Once you have made these initial changes with your DNS provider, you can make all future edits to your DMARC policy through Fraudmarc.

If you bought your domain through GoDaddy or Cloudflare, Fraudmarc offers instant setup. This means you don’t have to touch your DNS settings; Fraudmarc will automatically do it for you. After logging in to Fraudmarc, add your domain and follow the instant setup steps.

2. Monitor DMARC Reports

Once you have a DMARC policy, wait for DMARC data to come from the ISPs that process your sent email. It’s helpful to wait about a week so you will have enough data to start working on your policies.

A None policy is used to monitor and configure your domain’s SPF and DKIM. It’s okay to stay at None for a while. In fact, it is not recommended to change your policy until SPF and DKIM are configured accurately.

Meanwhile, you’ll receive DMARC reports, but your email flow will not change. You can view DMARC reports by logging in to Fraudmarc. The reports show senders (IP addresses and which email service provider is using them), and, if you are using DKIM, which selectors are used. Reports also show which emails pass or fail DMARC.

Your SPF record should include all of your senders but nothing more. Any senders not included will be blocked under Reject unless they use DKIM. Any extra includes, or IPs that don’t send email, create a vulnerability that attackers could exploit to authentically phish your domain. Make sure the number of DNS lookups stays below 10 and set an appropriate all term.

Only include DKIM selectors that are in use. Use different selectors for each sender, but don’t include extra selectors. Make sure that your keys are secure and changed at regular intervals.

It’s important to carefully interpret reports. Don’t automatically add all the senders from your DMARC report to your SPF record. It’s likely that some of the “senders” are actually forwarder- email servers that receive email from your senders and then forward it on to another inbox. If you are using Fraudmarc’s DKIM service, your reports separate forwarders from senders. This makes identifying your senders easier and can decrease the time spent in None.

3. Move to Quarantine

A Quarantine policy sends unauthenticated email to spam. Unlike None, it can disrupt your email flow. When determining whether you are ready for Quarantine, consider the percentage and types of emails that a Quarantine policy would affect (i.e., the emails that fail DMARC). For example, if a large portion of internal emails to employees fail DMARC, you might not be ready. On the other hand, if a small percentage of marketing emails fail, you might be ready for Quarantine. It’s up to you, based on your email flow. You can also adjust the percentage of email for which the ISPs enforce Quarantine. For example, if you set Quarantine to 5%, Quarantine will only be enforced on 5% of the emails that fail SPF and DKIM checks (the rest default to None). This feature is useful for making small adjustments and easing into a Quarantine policy.

Perfect configuration of SPF does not guarantee 100% delivery because forwarded email complicates matters. Forwarding almost always results in an SPF fail. For an email to pass DMARC, it needs to pass either SPF or DKIM. So if you are using DKIM, an SPF fail might be okay depending on the forwarder. Some forwarders send email in a way that preserves DKIM, but others do not. Email forwarded through the latter type will fail DMARC. This is unrelated to your SPF and DKIM configuration, so you shouldn’t correct this by adjusting your configurations.

4. Turn On a Reject Policy!

When very few emails fail DMARC under Quarantine, it may be time to switch to Reject. When done correctly, Reject shouldn’t impact your email flow. Before moving to Reject, remember that Quarantine sends unauthenticated email to spam, but Reject blocks them. If your contacts constantly find your emails in spam, you aren’t ready for Reject. You can adjust the Reject percentage just like Quarantine.

5. Keep Monitoring Your DMARC Reports

By this point, you’ve successfully implemented a Reject policy. Congratulations! Continue monitoring DMARC reports for attempted phishing attacks and to update SPF and DKIM.

If you’re monitoring your own policies, you should continually check for updates to the SPF records of your includes. See step 2 for the importance of having an accurate list of senders. You also need to monitor and update your DKIM keys so they don’t become compromised. For Fraudmarc users, Fraudmarc continuously monitors and updates SPF records using SPF compression. Fraudmarc also solves DKIM key management challenges for your domain.

It’s important to maintain security once you achieve Reject, as any slip-ups would either allow attackers to send authenticated phishing email from your domain or block your legitimate email.

Fraudmarc can help

We offer a variety of plans and tools to help every domain achieve a DMARC Reject policy. Fraudmarc’s intuitive tools help with managing and monitoring as many authorized senders and DKIM selectors as required for your business. Fraudmarc uses SPF CompressionSM, so the number of DNS lookups needed to authenticate all of your authorized senders is minimized. Also, Fraudmarc’s DMARC reports are always free, so you will have the tools and information you need to configure your policies accurately.

That’s how you implement a Reject policy in 5 steps. If you would like more hands-on assistance implementing a Reject policy, consider upgrading to Fraudmarc’s enterprise plan, and we’ll guide you to success.

At Fraudmarc, we want to see every domain across the internet #GetToReject!
Menu