Sender's DMARC policy helps receivers take a decision for quarantine or rejection of an email

Hi
It's been mentioned that the sender's DMARC policy helps receivers (recipient domains) decide whether or not to quarantine/reject an email sent by them.

I am a bit confused. I thought it is the receiver's DMARC settings, configured in the receiver's domain DNS DMARC TXT record, that enforce what to do with an email received from a sender that does not match the sender's SPF and DKIM records.

I believe the sender's DMARC policy has nothing to do with recommendations for an email sent by them, and it is totally up to the receiver to take a decision by comparing the SPF & DKIM records received in the email with what the receiver-end DMARC policy enforces.

However, I understand that DKIM and SPF are public DNS records hosted by the respective domain providers. I am not sure if the receiving domain also checks the DMARC record of the sender, and how the decision is taken based on the sender's DMARC policy for the receiving domain to accept or reject an email. Can receiving domains access the DMARC policy of the sender?

Are there two DMARC policies configured per domain: one where the receiver domain can check what needs to be done when an email from a particular sender fails (and where is this policy configured), or does the receiving domain go with its own configured DMARC settings to accept or reject any email from any sender?

Regards
Simon

Good morning, Simon! Our GCA expert on DMARC is out of the office this week, and I want to make sure you get a complete and accurate response to your question. I’ll make sure that happens upon his return the 15th. Hope that’s okay! And thanks for taking the time to join the forum and submit this.

Hi Simon,

DMARC has two parts to it:

  1. DMARC Policy - this is set up by the sending organization, and defines how the receiving side should handle messages that are not compliant with the sending org's DMARC policy. This is set up on the sending organization's public-facing DNS (along with SPF and DKIM).

  2. DMARC Verification - this is enabled by the receiving organization, and is used to check all incoming messages for a DMARC policy (which is the sending org's DMARC policy). This is typically enabled on the receiving organization's email security gateway. The item to note, though, is that the receiving organization can override the sending organization's DMARC policy. Microsoft, for example, does that with their O365 users.

Can receiving domains access the DMARC policy of the sender? - Yes, the DMARC policy is created on the public-facing DNS.

Are there two DMARC policies configured per domain? - No, there can only be one DMARC policy per domain. If you are using sub-domains, then each sub-domain can have its own DMARC policy, which will override the top-level domain's DMARC policy.

I hope that helps clarify things.

Thanks,
Shehzad

Thanks, Shehzad
That was very informative.
When I publish a DMARC record it's for my domain, and it's just a recommendation (not enforcement) of what to do with emails sent from my domain to the receiver. How does the receiving domain override this setting? Is it through their DMARC policy, and if yes, will the rule apply to all sending domains? (Some companies may have a different DMARC alignment, e.g. accept only if DKIM matches, others only if both DKIM & SPF match.)
If the receiving domain is set to override these recommendations, how does it work per domain? It's a single policy; is it configured through DMARC to override, and would it be a common policy for all domains?
If I receive an email from the Xyz domain that has not set up a DMARC record but has SPF & DKIM records published, or has none as their DMARC policy, will the receiving domain still check SPF, DKIM and DMARC, and what will it do with it? How will it decide whether to accept, reject or quarantine, since the sending domain has not said what to do with it? Can I still quarantine or reject these emails based on our DMARC policy?
Is our DMARC policy set for this purpose, or is it only for receiving domains to accept and reject, or is it also for us when we receive an email, telling us what to do with such messages? What's the mechanism used to enforce these checks in the email infrastructure, as DMARC is only the policy?
So if the senders do not have a DMARC policy, will my email infra always accept the mail, or is there a check that my email domain will do, and where is it done and what policy is checked before accepting or rejecting the email from the sender?

Thanks
Stanly

Hi Stanly,

Yes, other organizations can override your DMARC policy using their DMARC verification tool.

DMARC policy only applies to the organization that owns the domain. A DMARC policy cannot impact another organization's domain.

By using a DMARC verification tool (i.e. Mimecast, Cisco IronPort, or cloud email security, etc.), the receiving organization can decide how to act on incoming messages with a DMARC policy. I wouldn't recommend it, but they can. Depending on the system, they can override all domains, or be selective (which just creates more work).

If I receive an email from the Xyz domain that has not set up a DMARC record but has SPF & DKIM records published, or has none as their DMARC policy, how will it take a decision whether to accept, reject or quarantine, since the sending domain has not mentioned what to do with it? Will the receiving domain still check SPF, DKIM and DMARC, and what will it do with it?

Some receiving systems will check for SPF and DKIM (not many, and some have not enabled DMARC verification); if they do, then the receiving side has to decide how to handle messages that fail SPF or DKIM. Notice, I did not say "and". When using only SPF and DKIM, they are independent of each other.

Now, if you have SPF, DKIM and DMARC, your DMARC policy is set to none, and the receiving side has DMARC verification enabled, then your DMARC policy will be used. If SPF and DKIM were to fail and the DMARC policy is none, then the message will still go to the recipient's inbox.

Can I still quarantine or reject these emails based on our DMARC policy?

You can, but not based on your DMARC policy. If your DMARC verification tool allows you to override incoming messages with a DMARC policy, then you can do so. You have to use an email security gateway in order to do so.

DMARC Policy - only applies to your domain.
DMARC Verification - tool to check all incoming messages for the DMARC policy of the message domain.

So if the senders do not have a DMARC policy, will my email infra always accept the mail, or is there a check that my email domain will do, and where is it done and what policy is checked before accepting or rejecting the email from the sender?

Yes, that is correct. If the sending organization does not have a DMARC policy, then those messages should be delivered, unless the message fails the spam/phishing checks (assuming you still have them enabled).

I hope I got all your questions.

We do have a free DMARC bootcamp coming in May, if you are interested. I will be going through various aspects of DMARC at a technical level over a 5-week period (1 hr a week).

If interested, here is the registration link: DMARC Bootcamp May 2021
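A receiver-side view of what Shehzad describes in his two answers above: the sender publishes the policy in DNS, the receiver looks it up, checks SPF/DKIM alignment against it, a sub-domain record overrides the top-level one, and p=none or no record at all means nothing is enforced. This is an added example, not code from the thread or from GCA; the DNS zone, domain names and SPF/DKIM results are constructed, and the organizational-domain logic is simplified.

```python
# Constructed DNS zone (not real records): the sender's top-level policy
# plus a subdomain record that overrides it, as the thread describes.
DNS = {
    "_dmarc.example.com": "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r",
    "_dmarc.news.example.com": "v=DMARC1; p=none",
}

def parse_dmarc(txt):
    """Turn 'v=DMARC1; p=reject; ...' into a tag dict; None if not DMARC."""
    tags = {}
    for part in txt.split(";"):
        key, sep, val = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = val.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return None
    return tags

def org_domain(domain):
    """Simplified organizational domain (last two labels); real receivers
    use the Public Suffix List for this."""
    return ".".join(domain.lower().split(".")[-2:])

def lookup_policy(from_domain):
    """Exact _dmarc.<domain> record wins; otherwise fall back to the org
    domain's record and apply its sp= tag (default: p=)."""
    tags = parse_dmarc(DNS.get("_dmarc." + from_domain.lower(), ""))
    if tags:
        return tags, tags["p"].lower()
    tags = parse_dmarc(DNS.get("_dmarc." + org_domain(from_domain), ""))
    if not tags:
        return None, None            # no policy published at all
    return tags, tags.get("sp", tags["p"]).lower()

def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match, relaxed
    ('r') only needs the same organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def disposition(from_domain, spf_pass, spf_domain, dkim_pass, dkim_domain):
    """Disposition the sender's policy asks for (spf_domain = MAIL FROM, dkim_domain = DKIM d=)."""
    tags, policy = lookup_policy(from_domain)
    if tags is None:
        return "no-policy"   # receiver falls back to its own spam/phishing checks
    spf_ok = spf_pass and aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_pass and aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    return "pass" if spf_ok or dkim_ok else policy   # none / quarantine / reject
```

A gateway that overrides the sender's policy, as the thread notes some do, would map the returned value to its own action instead of honouring it.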

Thank you so much for answering the queries, Shehzad. So that means even if my company (receiving side) does not implement DMARC, my company can take advantage of the sender's published DMARC policy and can accept or reject emails from the sender's domain based on their DMARC policy, but my email gateway should be configured to do so.

I have also registered for the Bootcamp, on June 4th, 2021. Thanks again for letting me know.

Regards
Simon Selvin

Yes, that is correct.

See you at the bootcamp!

If only SPF and DKIM are implemented but DMARC has not been implemented, what are the major disadvantages on the sender and recipient sides?

Hi Tony,

This article should help answer your question:
https://www.globalcyberalliance.org/resource/spf-and-dkim-is-not-enough-dmarc-is-a-must/

If not, please let us know.

Thanks,
Shehzad

If the recipient’s email server does not enable the DMARC verification, the DMARC policy still cannot be enforced.

My understanding of the DMARC advantages is:

  1. The domain owner can enforce the DMARC policy if the recipient's email server has enabled DMARC verification.
  2. The domain owner can receive DMARC reports to identify any authorised IP or spoofed domain.

Am I correct?

Yes, that is correct.

Just note that you may not always get reports, as some receivers have decided not to send reports.