
How DMARC handles subdomains and the sp tag

Disclaimer: This is a user generated content submitted by a member of the WriteUpCafe Community. The views and writings here reflect that of the author and not of WriteUpCafe. If you have any complaints regarding this post kindly report it to us.

Basics of DMARC Enforcement


DMARC is a strong mechanism for protecting email sender identity. Among its other advantages, when correctly implemented it protects your domain from exact-domain spoofing, a tactic used in many business email compromise (BEC) attacks.

However, the term ‘enforcement’ is not without complexity. For DMARC to count as enforced, your organizational domain and all of its subdomains must carry a quarantine or reject policy, and the percentage tag (‘pct’), if present, must be 100. If even one subdomain is not enforced, the domain as a whole is not.

Why such insistence on subdomains? The answer is straightforward: any subdomain, however obscure, can be used to impersonate the organization.


DMARC includes a fairly precise set of rules for how subdomain policies are found and applied. We discussed how DMARC handles subdomains in email addresses in a previous post; in this piece, we'll look at the subdomain policy specified with the ‘sp’ tag.

First, some context.


DMARC addresses a significant gap in the earlier authentication mechanisms, SPF and DKIM, by requiring alignment between the domains those mechanisms authenticate and the domain in the message's visible ‘From’ header (RFC5322.From). SPF authenticates the envelope sender domain (RFC5321.MailFrom) and DKIM authenticates the signing domain (the ‘d=’ tag in the signature); neither says anything about the ‘From’ header a human actually sees. Under DMARC, the ‘From’ domain must match one of them, either exactly (strict alignment, ‘adkim=s’ or ‘aspf=s’) or by sharing the same organizational domain (relaxed alignment, the default).


If a message fails DMARC, either because neither SPF nor DKIM passes, or because whichever one passed is not aligned with the ‘From’ domain, the receiver handles the message according to the policy published in the DMARC record.


Policy Tags


The ‘p’ tag


The ‘p’ tag is where domain owners state the policy they want receivers to apply to messages that fail DMARC authentication.

‘p=none’ is monitoring mode: the owner still receives DMARC aggregate reports (via the ‘rua’ address) but gains no protection against spoofing. It instructs receivers to treat messages that fail authentication exactly like messages that pass, that is, to deliver them normally.

Enforcement means publishing ‘p=quarantine’, which asks receivers to treat failing messages as suspicious (typically routing them to spam or junk), or ‘p=reject’, which asks receivers to refuse the message outright, usually at SMTP time. These are requests: the receiver's local policy has the final say.


The ‘sp’ tag

By default, a receiver first looks for a DMARC record at the exact ‘From’ domain; if a subdomain publishes its own record, that record applies. Otherwise the receiver falls back to the organizational domain's record, and that record's ‘p’ policy governs the subdomain as well. The ‘sp’ tag (subdomain policy) lets a domain owner publish, in the organizational domain's record, a different policy for all subdomains that lack a record of their own.

It takes the same values as ‘p’. ‘sp=none’ tells receivers to apply a policy of ‘none’ to subdomains regardless of what ‘p’ says for the organizational domain itself; ‘sp=quarantine’ and ‘sp=reject’ tell them to quarantine or reject failing subdomain mail respectively. Two caveats: ‘sp’ is only honored in the organizational domain's record (an ‘sp’ tag in a subdomain's own record is ignored by the policy discovery rules), and a subdomain that publishes its own record overrides ‘sp’ entirely.


Implementing the Policies

It should now be clear why subdomains need enforcing policies too. If company.com publishes ‘p=reject’ but email.company.com publishes its own record with ‘p=none’, a spoofer can send as anything@email.company.com and it will be delivered; the same happens for every subdomain if the organizational record carries ‘sp=none’. Either way, despite the organizational ‘p=reject’, the brand can be impersonated and the protection DMARC is supposed to provide evaporates, because it was not applied consistently across the domain.
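The policy lookup and alignment rules described above (the fallback from a subdomain to the organizational record, the ‘sp’ tag, and relaxed versus strict alignment), as an added Python example that is not part of the original post and not EmailAuth's code. It runs against a constructed in-memory table standing in for DNS; every domain and record in it is made up, and the public-suffix list is reduced to a three-entry stand-in (a real implementation must use the Public Suffix List and real DNS queries). It generalizes the email.company.com scenario to the full discovery algorithm of RFC 7489, including the rule that ‘sp’ is ignored on a subdomain's own record.

```python
"""Added example (not from the original post): DMARC policy discovery,
including the 'sp' tag, and identifier alignment, run against a constructed
in-memory DNS so it works offline. Follows RFC 7489 sections 3.1 and 6.6.3."""

# Constructed DMARC TXT records standing in for DNS. A receiver would query
# TXT at _dmarc.<domain>; every name and record below is made up.
FAKE_DNS = {
    "_dmarc.company.com": "v=DMARC1; p=reject; rua=mailto:dmarc@company.com",
    "_dmarc.email.company.com": "v=DMARC1; p=none",            # weak subdomain record
    "_dmarc.partner.example": "v=DMARC1; p=reject; sp=none",   # sp=none leaves subdomains open
    "_dmarc.bank.example": "v=DMARC1; p=quarantine; pct=50; adkim=s",  # partial enforcement
    "_dmarc.shop.bank.example": "v=DMARC1; p=none; sp=reject",  # sp on a subdomain record is ignored
}

# Assumption: a tiny suffix set instead of the real Public Suffix List.
PUBLIC_SUFFIXES = {"com", "example", "co.uk"}

ENFORCING = {"quarantine", "reject"}


def organizational_domain(domain):
    """Organizational domain = one label more than the longest public suffix.
    Simplified PSL lookup over PUBLIC_SUFFIXES (an assumption of this example)."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])


def parse_record(txt):
    """Parse 'tag=value; tag=value' into a dict. None if not a usable DMARC record."""
    tags = {}
    for part in txt.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return None
    return tags


def lookup(domain):
    """Fetch and parse the record at _dmarc.<domain> from the constructed table."""
    txt = FAKE_DNS.get("_dmarc." + domain.lower())
    return parse_record(txt) if txt else None


def discover_policy(from_domain):
    """Policy a receiver applies to mail whose From: domain is from_domain.

    Returns {"policy", "pct", "record", "source"}; source is the domain whose
    record was used. The From domain's own record wins; otherwise fall back to
    the organizational domain's record, where 'sp' (if present) governs
    subdomains. An 'sp' tag on a subdomain's own record has no effect."""
    record = lookup(from_domain)
    if record is not None:
        policy, source = record["p"], from_domain.lower()
    else:
        org = organizational_domain(from_domain)
        record = lookup(org) if org != from_domain.lower() else None
        if record is None:
            return {"policy": "none", "pct": 100, "record": None, "source": None}
        policy, source = record.get("sp", record["p"]), org
    return {"policy": policy, "pct": int(record.get("pct", "100")),
            "record": record, "source": source}


def is_enforced(from_domain):
    """'Enforced' as the article uses it: quarantine or reject, and pct=100."""
    found = discover_policy(from_domain)
    return found["policy"] in ENFORCING and found["pct"] == 100


def aligned(from_domain, auth_domain, mode="r"):
    """Strict ('s') alignment needs an exact match; relaxed ('r', the default)
    needs only the same organizational domain."""
    a, b = from_domain.lower(), auth_domain.lower()
    return a == b if mode == "s" else organizational_domain(a) == organizational_domain(b)


def dmarc_result(from_domain, spf_domain=None, spf_pass=False,
                 dkim_domain=None, dkim_pass=False):
    """DMARC passes if SPF passed on an aligned MAIL FROM domain or DKIM passed
    with an aligned d= domain. Alignment modes come from the discovered record."""
    record = discover_policy(from_domain)["record"] or {}
    spf_ok = spf_pass and spf_domain and aligned(from_domain, spf_domain, record.get("aspf", "r"))
    dkim_ok = dkim_pass and dkim_domain and aligned(from_domain, dkim_domain, record.get("adkim", "r"))
    return "pass" if (spf_ok or dkim_ok) else "fail"


if __name__ == "__main__":
    for d in ["company.com", "email.company.com", "billing.company.com",
              "news.partner.example", "shop.bank.example", "x.shop.bank.example"]:
        found = discover_policy(d)
        print(f"{d:24} policy={found['policy']:10} pct={found['pct']:3} "
              f"from={found['source']} enforced={is_enforced(d)}")
```

Running the block prints one line per constructed scenario; the interesting rows are email.company.com (its own ‘p=none’ record beats the organizational ‘p=reject’), news.partner.example (‘sp=none’ in the organizational record leaves it open), and x.shop.bank.example (the ‘sp=reject’ on shop.bank.example is ignored and the organizational ‘p=quarantine; pct=50’ applies, which is not enforcement).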


Your organization may not use subdomains to send email at all, but receivers have no way of knowing that; an unprotected subdomain is just as effective an impersonation vector as the main domain. In this respect DMARC is like sunscreen: it only works where it is applied, so apply it everywhere.

Moreover, it is simple to do. Publish ‘p=reject’ on your organizational domain, leave ‘sp’ out (or set ‘sp=reject’), and do not publish weaker records on subdomains; every subdomain then inherits ‘reject’, and no one can send mail as your domain or its subdomains without your explicit authorization. Two caveats: this closes exact-domain spoofing only, since lookalike domains and display-name tricks are outside DMARC's scope, and any subdomain that genuinely sends mail still needs its own aligned SPF or DKIM, or its legitimate mail will be rejected along with the forgeries.


This may seem self-explanatory, but we regularly encounter unprotected subdomains that might negate the anti-impersonation and anti-fraud advantages of bringing DMARC to enforcement.

Furthermore, if BIMI's brand-logo display matters to you, your organizational domain must be at DMARC enforcement, ‘p=quarantine’ (with ‘pct=100’) or ‘p=reject’, and must not carry ‘sp=none’, in order to qualify for this new standard.

Take precautions. Keep your brand safe. Keep your consumers safe. Keep your staff safe. Don't leave your subdomains open to impersonation. Learn to set up DMARC with EmailAuth easily. It has a simplified DMARC solution that protects your domain from attacks. The setup guide is available on EmailAuth. Head over NOW to check it out!


Original source: https://www.reddit.com/user/emailauth-io/comments/siir1l/how_dmarc_handles_subdomains_and_the_sp_tag/



