How should I configure DMARC for multiple domains and when should I implement a reject policy?
Summary
What email marketers say (8 marketer opinions)
Email marketer from Reddit shares the advice to deploy SPF and DKIM first. After that is done, start with a DMARC record with p=none to begin collecting data and making sure everything is correct. Then deploy quarantine and finally reject once you are happy with the results.
Email marketer from Postmark explains that using p=none helps you understand how your emails are being treated without impacting deliverability. It allows you to gather data and make informed decisions before implementing stricter policies. You should actively monitor the reports and adjust configurations as necessary.
Email marketer from Mailjet shares that moving to a `p=reject` policy should only be done after careful monitoring of DMARC reports with a `p=none` or `p=quarantine` policy. This allows you to identify and correct any legitimate email sources that are failing authentication before you start rejecting emails.
Email marketer from SparkPost recommends a phased approach, starting with `p=none` for several weeks or months to gather data and identify any issues. Moving to `p=quarantine` should be done gradually, and `p=reject` only after careful analysis and resolution of all identified problems.
Email marketer from EasyDMARC emphasizes that DMARC provides visibility into email channels and allows businesses to protect their brand by preventing unauthorized use of their domains. Implementation should start with monitoring and gradually move to enforcement.
Email marketer from Proofpoint explains that DMARC protects your domain’s reputation, ensures better email deliverability, and provides valuable insights into your email ecosystem, helping you to identify and address potential security threats.
Email marketer from ReturnPath emphasizes the importance of continuous monitoring of DMARC reports to identify and address authentication issues and potential spoofing attempts. Consistent monitoring helps maintain a healthy email ecosystem and protect your brand.
Email marketer from AuthSMTP shares that SPF and DKIM need to be set up before DMARC is configured. SPF ensures that the email is sent from an authorised server, and DKIM provides a digital signature to verify authenticity.
What the experts say (5 expert opinions)
Expert from Spam Resource, John Levine, explains that DMARC deployment should be phased. Start with a 'none' policy to observe traffic and identify legitimate sending sources. Gradually move to 'quarantine' and then 'reject' as confidence in the configuration increases.
Expert from Word to the Wise, Laura Atkins, emphasizes a cautious approach to implementing 'reject'. She recommends thorough monitoring and analysis of DMARC reports to avoid blocking legitimate email. Starting with 'none' and carefully transitioning is key.
Expert from Email Geeks explains that DMARC is based on the domain in the From: field, allowing separate treatment for each mail stream with different domains. He also notes that an ESP's DMARC policy is irrelevant when sending with your own domain in the From: field; only your domain's policy matters. To properly set up DMARC, DKIM and SPF are needed, requiring each ESP to use a subdomain of your domain in the return path and to sign with your domain.
Expert from Email Geeks advises that the duration of monitoring a quarantine policy before moving to reject depends on the complexity and history of your mail system, as well as the effort invested in fixing issues. Actively monitoring reports and diagnosing authentication failures allows you to track the rate of real problems and transition when it's near zero.
Expert from Email Geeks recommends against immediately implementing a `p=reject` policy. He suggests monitoring mail streams with `p=none`, identifying and fixing issues for at least six months, especially if it's not a greenfield setup. He also adds that DMARC isn't particularly effective against phishing.
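The Email Geeks point about DMARC keying on the From: domain, and about an ESP needing a subdomain of your domain in the return path and a signature under your domain, is an identifier-alignment question. The following is an added example (not code from any of the quoted experts) that evaluates alignment the way RFC 7489 section 3.1 describes it and then picks the disposition from p= or sp=. The organizational-domain check is simplified to the last two labels (a real verifier consults the Public Suffix List), and the domain names and scenarios are constructed.

```python
"""DMARC identifier alignment and policy selection (added example).

DMARC passes when SPF or DKIM passes *and* the authenticated identifier
aligns with the RFC5322.From domain: relaxed alignment requires the same
organizational domain, strict alignment requires an identical domain.
"""
from dataclasses import dataclass


def org_domain(domain: str) -> str:
    # Simplification: a real verifier uses the Public Suffix List here
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """mode 'r' = relaxed (same organizational domain), 's' = strict (exact)."""
    fd = from_domain.lower().rstrip(".")
    ad = auth_domain.lower().rstrip(".")
    return fd == ad if mode == "s" else org_domain(fd) == org_domain(ad)


@dataclass
class AuthResult:
    spf_result: str    # raw SPF result: "pass" / "fail" / "none"
    spf_domain: str    # RFC5321.MailFrom (return-path) domain SPF was checked for
    dkim_result: str   # raw DKIM result for the verified signature
    dkim_domain: str   # d= tag of that signature


def dmarc_evaluate(from_domain: str, auth: AuthResult,
                   adkim: str = "r", aspf: str = "r") -> dict:
    """Return per-mechanism alignment and the overall DMARC result."""
    spf_ok = auth.spf_result == "pass" and aligned(from_domain, auth.spf_domain, aspf)
    dkim_ok = auth.dkim_result == "pass" and aligned(from_domain, auth.dkim_domain, adkim)
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if (spf_ok or dkim_ok) else "fail"}


def disposition(from_domain: str, record_domain: str, tags: dict, dmarc_result: str) -> str:
    """Policy the receiver applies: p= for the record's own domain, sp= (when
    present) for subdomains, and no action at all when DMARC passed."""
    if dmarc_result == "pass":
        return "none"
    if from_domain.lower() != record_domain.lower() and "sp" in tags:
        return tags["sp"]
    return tags["p"]


# Constructed scenarios: an ESP sending with example.com in the From: header
ESP_DEFAULT = AuthResult("pass", "bounce.esp-provider.example", "pass", "esp-provider.example")
ESP_ALIGNED = AuthResult("pass", "bounce.example.com", "pass", "example.com")
SPOOF = AuthResult("fail", "example.com", "none", "")

if __name__ == "__main__":
    tags = {"v": "DMARC1", "p": "reject", "sp": "quarantine"}  # constructed record
    for name, auth in [("esp default", ESP_DEFAULT), ("esp aligned", ESP_ALIGNED), ("spoof", SPOOF)]:
        res = dmarc_evaluate("example.com", auth)
        print(name, res, "->", disposition("example.com", "example.com", tags, res["dmarc"]))
    # A subdomain mail stream is governed by sp= rather than p=
    res = dmarc_evaluate("news.example.com", SPOOF)
    print("subdomain spoof ->", disposition("news.example.com", "example.com", tags, res["dmarc"]))
```

With the ESP's own bounce domain and signing domain, both mechanisms pass raw SPF and DKIM yet DMARC fails, which is exactly the case the expert describes; once the ESP uses a subdomain of your domain for the return path and signs with your domain, relaxed alignment passes on both, and strict SPF alignment still passes overall through DKIM.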
What the documentation says (4 technical articles)
Documentation from DMARC.org explains that for multiple domains, each domain should have its own DMARC record. Each record should reflect the specific sending practices and authentication results for that domain. Subdomains can inherit the policy of the parent domain, or have their own distinct policies.
Documentation from RFC7489 details the DMARC standard and explains that the purpose of DMARC is to allow a sender to indicate that their messages are protected by SPF and/or DKIM, and tell a receiver what to do if neither of those authentication methods passes.
Documentation from Microsoft explains that DMARC helps receiving mail systems verify that messages claiming to be from your organization were indeed sent by your organization. Creating a DMARC record is the first step, and it needs to be published in DNS.
Documentation from Google Workspace Admin Help advises starting with a DMARC policy of `p=none` and monitoring the reports. Then move to `p=quarantine` and continue monitoring, before finally moving to `p=reject` once you are confident that only legitimate email is being authenticated.
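The per-domain records described by DMARC.org and the none/quarantine/reject ladder described by Google, SparkPost and the Email Geeks experts can be tied together with the aggregate (rua) reports that drive the decision. The following is an added example, not code from any vendor or documentation quoted above: it composes one `_dmarc` TXT record per domain (with an optional `sp=` for subdomains), parses a constructed aggregate report in the RFC 7489 Appendix C XML layout, measures the share of mail that failed DMARC entirely, and only then suggests advancing one policy step. The report contents, the domain names and the 1% advancement threshold are assumptions.

```python
"""Multi-domain DMARC records and aggregate-report triage (added example)."""
import xml.etree.ElementTree as ET

POLICY_LADDER = ["none", "quarantine", "reject"]


def build_dmarc_record(p, rua, sp=None, pct=100, adkim="r", aspf="r"):
    """Compose the TXT value for _dmarc.<domain>. sp= lets subdomains diverge
    from the parent policy; leaving it out means they inherit p=."""
    if p not in POLICY_LADDER or (sp is not None and sp not in POLICY_LADDER):
        raise ValueError("policy must be none, quarantine or reject")
    tags = [("v", "DMARC1"), ("p", p)]
    if sp is not None:
        tags.append(("sp", sp))
    tags += [("rua", f"mailto:{rua}"), ("adkim", adkim), ("aspf", aspf), ("pct", str(pct))]
    return "; ".join(f"{k}={v}" for k, v in tags)


def parse_dmarc_record(txt):
    """Split a published record back into its tags and sanity-check it."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = v.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    return tags


def records_for_domains(domains):
    """One record per domain, as DMARC.org advises: {name: cfg} -> {_dmarc.name: txt}."""
    return {f"_dmarc.{name}": build_dmarc_record(**cfg) for name, cfg in domains.items()}


def analyze_report(xml_text):
    """Count messages whose SPF *and* DKIM both failed alignment, per source IP."""
    root = ET.fromstring(xml_text)
    domain = root.findtext("policy_published/domain")
    total = failed = 0
    failing_sources = {}
    for rec in root.findall("record"):
        count = int(rec.findtext("row/count"))
        dkim = rec.findtext("row/policy_evaluated/dkim")  # aligned results
        spf = rec.findtext("row/policy_evaluated/spf")
        total += count
        if dkim != "pass" and spf != "pass":
            failed += count
            ip = rec.findtext("row/source_ip")
            failing_sources[ip] = failing_sources.get(ip, 0) + count
    return {"domain": domain, "total": total, "failed": failed,
            "fail_rate": failed / total if total else 0.0,
            "failing_sources": failing_sources}


def next_policy(current, fail_rate, threshold=0.01):
    """Advance exactly one rung, and only while failures stay at or below the
    threshold (an assumed 1%); failing sources still need investigating first."""
    idx = POLICY_LADDER.index(current)
    if fail_rate <= threshold and idx < len(POLICY_LADDER) - 1:
        return POLICY_LADDER[idx + 1]
    return current


# Constructed configuration for two domains at different stages of rollout
DOMAINS = {
    "example.com": {"p": "quarantine", "rua": "dmarc-rua@example.com", "sp": "reject"},
    "example.net": {"p": "none", "rua": "dmarc-rua@example.com"},
}

# Constructed aggregate report: own server, an aligned ESP, and one unknown source
SAMPLE_REPORT = """<feedback>
  <report_metadata><org_name>receiver.example</org_name><report_id>constructed-1</report_id></report_metadata>
  <policy_published><domain>example.net</domain><adkim>r</adkim><aspf>r</aspf><p>none</p><pct>100</pct></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>950</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.net</header_from></identifiers></record>
  <record><row><source_ip>203.0.113.5</source_ip><count>42</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.net</header_from></identifiers></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>8</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.net</header_from></identifiers></record>
</feedback>"""

if __name__ == "__main__":
    for name, txt in records_for_domains(DOMAINS).items():
        print(name, "TXT", txt)
    summary = analyze_report(SAMPLE_REPORT)
    print(summary)
    print("suggested next policy for", summary["domain"], "->",
          next_policy(DOMAINS[summary["domain"]]["p"], summary["fail_rate"]))
```

The ESP row (DKIM pass, SPF fail) is not counted as a failure because one aligned mechanism is enough for DMARC; only the third source fails outright, and it is listed so it can be identified as either a forgotten sender to fix or unauthorized use to leave blocked, which is the analysis the quoted sources ask for before each policy step.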