
DMARC policy

What has been found

DMARC policy is missing or not enforced.

The domain either publishes no DMARC record at _dmarc.<domain> or publishes one whose policy is p=none, which only asks receivers to report on failing mail and take no action against it. DMARC builds on SPF and DKIM: it ties their results to the domain shown in the message's From: header (alignment) and tells receiving servers what to do with mail that fails both checks. Without an enforced policy, anyone can send mail that carries your domain in the From: header, and receivers have no instruction to reject or quarantine it, leaving the domain open to impersonation and fraudulent email.

DMARC policy is Reject

The domain has a DMARC policy with p=reject in place. Messages that fail both aligned SPF and aligned DKIM (a message passes DMARC if either mechanism passes with a domain aligned to the From: header) are rejected outright by receiving servers that honour the policy, so unauthenticated mail using the domain is not delivered. Enforcement applies to the full stream only when no pct tag below 100 is set.

DMARC policy is Quarantine

The domain has a DMARC policy with p=quarantine in place. Messages that fail both aligned SPF and aligned DKIM are treated as suspicious by receiving servers that honour the policy, typically by delivery to the recipient's spam or junk folder, which reduces the risk of phishing and impersonation. Quarantine is weaker than reject because the spoofed message still reaches the mailbox and can be retrieved.
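The Reject and Quarantine sections above both hinge on how a receiver decides that a message has failed DMARC. The following example, written for this page rather than taken from any mail server's code, implements that decision as RFC 7489 defines it: a message passes if either SPF or DKIM passes with a domain aligned to the From: header, and the published p= policy is applied only when both fail. The organizational-domain helper is simplified to the last two labels (a real receiver uses the Public Suffix List), and the AuthResult records are constructed sample inputs.

```python
"""DMARC disposition for a single message (example code, not from a real MTA).

Alignment rule (RFC 7489 section 3.1): the message passes DMARC when EITHER
an aligned SPF pass OR an aligned DKIM pass exists.  Only when both fail is
the domain owner's p= policy applied.
"""
from dataclasses import dataclass


@dataclass
class AuthResult:
    """Authentication results a receiver has already computed for one message."""
    from_domain: str   # domain in the RFC5322.From header (what the user sees)
    spf_result: str    # "pass", "fail", "none", ...
    spf_domain: str    # RFC5321.MailFrom domain SPF was evaluated for
    dkim_result: str   # "pass", "fail", "none", ...
    dkim_domain: str   # d= tag of the validated DKIM signature, "" if unsigned


def org_domain(domain: str) -> str:
    """Simplified organizational domain: last two labels.

    Assumption for this example; a production receiver must use the Public
    Suffix List so that e.g. 'example.co.uk' is handled correctly.
    """
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment: 's' = strict (exact match), 'r' = relaxed (same org domain)."""
    if not auth_domain:
        return False
    f, a = from_domain.lower().rstrip("."), auth_domain.lower().rstrip(".")
    if mode == "s":
        return f == a
    return org_domain(f) == org_domain(a)


def dmarc_disposition(r: AuthResult, policy: dict) -> str:
    """Return 'pass' or the policy action ('none', 'quarantine', 'reject').

    `policy` holds the parsed tags of the From: domain's DMARC record; aspf and
    adkim default to relaxed alignment as the RFC specifies.
    """
    spf_ok = r.spf_result == "pass" and aligned(
        r.from_domain, r.spf_domain, policy.get("aspf", "r"))
    dkim_ok = r.dkim_result == "pass" and aligned(
        r.from_domain, r.dkim_domain, policy.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"
    return policy.get("p", "none")


if __name__ == "__main__":
    # Constructed cases: a forwarded message (SPF breaks, DKIM survives),
    # a spoof whose SPF passes for the attacker's own domain, and a legitimate
    # subdomain sender under relaxed versus strict SPF alignment.
    forwarded = AuthResult("example.com", "fail", "forwarder.net", "pass", "example.com")
    spoofed = AuthResult("example.com", "pass", "attacker.example", "none", "")
    subdomain = AuthResult("example.com", "pass", "mail.example.com", "fail", "")
    print(dmarc_disposition(forwarded, {"p": "reject"}))                 # pass
    print(dmarc_disposition(spoofed, {"p": "reject"}))                   # reject
    print(dmarc_disposition(subdomain, {"p": "reject"}))                 # pass (relaxed)
    print(dmarc_disposition(subdomain, {"p": "reject", "aspf": "s"}))    # reject (strict)
```

The forwarded case is the one that a "fails SPF or DKIM" reading gets wrong: forwarding breaks SPF but leaves the DKIM signature intact, so the message still passes DMARC. The spoofed case shows why an attacker's own SPF pass is useless to them: it is not aligned with the From: domain, so the domain owner's policy applies.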

Why this is a potential risk

Without a properly enforced DMARC policy, attackers can send spoofed emails that appear to originate from your domain, and receiving servers have no instruction to reject or quarantine them. This facilitates phishing, malware delivery, social engineering and reputational damage; spoofed emails can lead to credential compromise, ransomware, or unauthorised access to internal systems. Domains lacking DMARC enforcement are attractive targets because the trust users place in your email domain is easy to exploit.

Why this strengthens security

By enforcing a reject or quarantine policy, the organisation instructs receiving servers to block or isolate mail that uses its domain in the From: header without passing aligned SPF or DKIM. Reject gives the strongest protection against spoofing, phishing and business email compromise; quarantine is an intermediate step that still diverts the message from the inbox. Either reinforces trust in the domain's email communications. Note that DMARC protects only the exact domain (and, via the sp tag, its subdomains); it does not stop lookalike domains, which need separate controls.

Potential solutions/Improvements

  • Implement a DMARC policy: Publish a TXT record at _dmarc.<domain> that ends with a policy of p=reject, so that receiving mail servers refuse unauthenticated messages. Move there in stages: start with p=none and a rua address to collect aggregate reports, then p=quarantine (optionally with a pct value to ramp up), and finally p=reject once legitimate mail is known to pass. Set sp explicitly if subdomains need a different policy.

  • Align with SPF and DKIM: Ensure every legitimate sending source, including third-party services that send on the domain's behalf, passes SPF or DKIM with a domain aligned to the From: header; DKIM signing with the organisation's own domain is the more robust of the two because it survives forwarding.

  • Monitor and adjust: Use DMARC aggregate (rua) reports to track both attempted spoofing and legitimate senders that fail, and tighten the policy as the failing legitimate sources are fixed.

How to verify it is resolved:

  • Check that a DMARC record exists (for example with `dig +short TXT _dmarc.example.com`), that it is a single record starting with v=DMARC1, that p= is reject or quarantine, that no pct value below 100 remains, and that sp= does not silently leave subdomains at none.

  • Use an external DMARC record checker to confirm that the record parses and that enforcement is what you intend.

  • Monitor DMARC aggregate (rua) reports for unauthorised or spoofed message attempts; failure (ruf) reports are useful where available, but most large receivers do not send them.

  • Review email logs to verify that spoofed messages are blocked or quarantined and that legitimate messages, including those from third-party senders, are delivered correctly.
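The rollout steps under "Potential solutions/Improvements" and the checks under "How to verify it is resolved" both come down to reading the record published at _dmarc.<domain> and deciding whether it enforces anything. The following checker, added for this page and not taken from any real record-checking tool, parses the TXT records the way a receiver does (RFC 7489 section 6.6.3: zero or more than one v=DMARC1 record means no policy is applied) and classifies the result. The status labels ("missing", "monitor_only", "partial", "enforced") and the sample records are this example's own; the records are constructed and are evaluated offline, so the function takes the TXT strings as input rather than performing the DNS lookup itself.

```python
"""Classify the DMARC record(s) published at _dmarc.<domain> (example code).

Input is the list of TXT strings returned for that name, so the function can
be fed the output of `dig +short TXT _dmarc.<domain>` or constructed records.
"""

VALID_POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=reject; rua=...' into a dict keyed by lowercase tag name."""
    tags = {}
    for field in record.split(";"):
        field = field.strip()
        if not field:
            continue
        if "=" not in field:
            raise ValueError(f"malformed tag: {field!r}")
        name, value = field.split("=", 1)
        tags[name.strip().lower()] = value.strip()
    return tags


def assess_dmarc(txt_records: list) -> dict:
    """Return the enforcement status plus findings a checker would flag."""
    findings = []
    dmarc = [r for r in txt_records if r.strip().lower().startswith("v=dmarc1")]
    if not dmarc:
        return {"status": "missing", "findings": ["no v=DMARC1 record published"]}
    if len(dmarc) > 1:
        # RFC 7489 s6.6.3: more than one record terminates DMARC processing,
        # so receivers apply no policy at all.
        return {"status": "missing",
                "findings": ["multiple v=DMARC1 records; receivers apply none of them"]}
    try:
        tags = parse_dmarc(dmarc[0])
    except ValueError as exc:
        return {"status": "missing", "findings": [f"unparseable record: {exc}"]}

    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        return {"status": "missing",
                "findings": [f"invalid or absent p= tag: {policy!r}"]}
    subdomain_policy = tags.get("sp", policy).lower()   # sp defaults to p
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100  # this example falls back to the default; flag it
        findings.append("pct= is not a number")

    if policy == "none":
        status = "monitor_only"
    elif pct < 100:
        status = "partial"
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    else:
        status = "enforced"
    if policy != "none" and subdomain_policy == "none":
        findings.append("sp=none: subdomains are not enforced")
    if "rua" not in tags:
        findings.append("no rua= tag: no aggregate reports will be received")
    return {"status": status, "policy": policy,
            "subdomain_policy": subdomain_policy, "pct": pct, "findings": findings}


if __name__ == "__main__":
    # Constructed records covering the three stages of a rollout plus the
    # failure modes a checker must catch.
    samples = {
        "absent": [],
        "wrong record type": ["v=spf1 include:_spf.example.net -all"],
        "duplicate": ["v=DMARC1; p=reject", "v=DMARC1; p=none"],
        "stage 1": ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"],
        "stage 2": ["v=DMARC1; p=quarantine; pct=25; sp=none; rua=mailto:dmarc@example.com"],
        "stage 3": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"],
    }
    for label, records in samples.items():
        result = assess_dmarc(records)
        print(f"{label:18} {result['status']:13} {'; '.join(result['findings'])}")
```

The duplicate-record case is worth testing deliberately: two valid-looking records are not "twice as enforced", they cancel each other out, and a checker that merely looks for the string p=reject will report the domain as protected when it is not.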
