Delivery Center: Deploying DMARC Protection

As you become more familiar with the Delivery Center user interface (UI), more measures can be taken to combat spoofing and phishing scams. By working through the individual tabs and noting what each offers, your understanding of this tool will increase daily. To that point, enabling the DMARC quarantine and reject protocols allows you prevent your customers from receiving spoofing or phishing messages claiming to be from you.

Quarantine and Reject

Once you have improved your DMARC Compliance rate for all Outbound Email Sources listed under Verified Sources, MxToolbox recommends enforcing stricter DMARC policies helps eliminate hackers’ spoofing and phishing attempts. In your Delivery Center under the Protection tab, you will be able to define the protection status you want to apply for your domain. Our system automatically evaluates how well your email delivery is performing for DMARC before making recommendations to set Quarantine or Reject statuses. You will see this in a custom message section outlining what our recommendation is. You will also note two other important values on this page, a policy status (either none, quarantine, or reject) and a percentage amount (0-100). 

There are three policy options:

  • p=none: With this directive, DMARC doesn’t change how email is handled by the receiver. In other words, no action is taken/messages remain unexamined.
  • p=quarantine: This policy sets aside questionable emails for further processing, which are usually exiled to the “Junk” folder.
  • p=reject: When emails don’t come from your email infrastructure, this designation has the receiver outright reject those messages that fail DMARC authentication.

The option to set the “p=” designation in the Status box (see below) gives you the power to define how suspicious email that fails DMARC is treated by inbox providers. Essentially, with DMARC you are telling the world what your email looks like and what is not your email so those messages that are sent by spoofers can be quarantined or rejected. When you set a policy status you will also want to set a percentage amount. When an inbox receives a message either from you or from a spoofer they will look at your DMARC to understand what to do with the message (nothing, quarantine it, or reject it) and how many messages should that policy apply to. 

For example if you set a policy of quarantine 25%, all inboxes will quarantine 25% messages sent by your domain that fail DMARC. The remaining 75% will be unimpacted. A quarantine policy of 100% means that all messages that fail DMARC are quarantined. 

*Note: For policy statuses with "reject" if you sent the percentage to anything less than 100%, all messages outside of that percentage will be quarantined (i.e. If your policy is reject 45%, then 45% of all messages that fail DMARC will be rejected - the remaining 55% of messages will be quarantined).

Deploying DMARC Protection: Quick or Extended?

Based on your goals there are two approaches to enforcing DMARC policies: 1. Short Deployment 2. Long Deployment

Quick Deployment

With a Quick Deployment the first goal is to verify your Verified Sources have high DMARC compliance rates. Once that is done, a quick deployment will aim to set the policy to quarantine 100% and then reject 100%. We call it quick because it allows your business to quickly implement security against spoofing and phishing on your domain. If you have chosen Quick Deployment you will want to make sure you have all of your legitimate email sources classified as "Verified Sources" as failure to do so may mean that some legitimate emails will be quarantined or rejcected.

Extended Deployment

By using Extended Deployment you will slowly increment the protection levels of you domain over time. The largest benefit to this approach is that you can identify and fix legitimate email issues when only a small percentage will be impacted by delivery failures, whereas at 100% Quarantine - if your legitimate email was failing DMARC you would see oubound email quarantined. Using the Extended Deployment you will increase the levels of DMARC protection over time, initially setting the domain’s DMARC record to “p=quarantine; pct=10;” and then increasing it after observing it for a few days. As time passes and if you are seeing no impact to legitimate email delivery, you will apply harsher protocols in Delivery Center (increasing the percentage, moving to reject, and then to reject at 100%).

Regardless of which approach you decide, once you reach your desired protection level, you will want to monitor your Delivery Center DMARC report to make sure no new senders have been added and ensure you don't detect a DMARC compliance drop that would subject legitimate messages to be quarantined or rejected.

burritos@banana-pancakes.com braunstrowman@banana-pancakes.com finnbalor@banana-pancakes.com ricflair@banana-pancakes.com randysavage@banana-pancakes.com