DMARC FAQs

The purpose of this enabling Aggregate Reports is to ensure that there is no impact on your email delivery along with getting visibility and understanding of your outgoing email delivery points.

The mail will be treated in a normal manner without any DMARC validation.

No, there is no impact or blockage to any of your emails.

Most of the common email service providers used by a large number of organizations have enabled the DMARC check by default.

After stage 1, we will have more clarity as to which of your email providers (IPs) are being used to send out your Emails. The first step in this stage is to review your current process on outgoing Emails and identify any recommended changes. This would reflect by modifying IPs that may or may not be involved as your Email outgoing IPs. With that information, we can configure those IPs in the DNS record to reflect as your authorized IPs to send out your Emails.

There are two major reasons why you need a digital signature (DKIM) even though you have published authorized IPs (SPF) and the receiver can know if the Email came from those IPs. An attacker can send out a forged email pretending to be from your IP Address (known as IP spoofing) When an organization has any third party, e.g marketing companies, forwarding emails on their behalf, these emails will be perceived as fraud emails since they are not authorized in the SPF record. You may get over this issue by including theirs Email sending IPs in your authorized IPs list. At times when they change their IPs for their own reasons, it may be challenging to maintain their IP list in your SPF configuration.

An SPF record has an additional parameter on top of your authorized IP. This parameter is the message to the recipient of your emails on what you want them to do if they receive an email that did not come from one of your authorized IPs. Normally in this stage the confidence level of ensuring identification of all your authorized IP is low, thereby your message to recipients is that they should accept the Email anyway but treat it with caution.

DMARC quarantine policy tells the recipient of your emails that if both SPF and DKIM checks fail, accept the email, but mark it as spam.

We will incrementally increase the percentage of emails being impacted by this policy. At a low percentage level, if NO legitimate emails get quarantined, we can move onto a higher percentage until we reach 100%. At each percentage level, the impact on emails is analyzed to verify that the legitimate emails are NOT being quarantined, eventually leading up to Quarantine Policy on 100% of the emails. This will enable us to move on to Stage 4 of DMARC.

No, it will not. We only move to stage 3 once we have high confidence that we have identified all the email outgoing points (IPs) and accordingly have configured the authorized IPs, and digital signatures for all those points.

DMARC reject policy tells the recipient of your emails that if both SPF and DKIM checks fail, reject the email.

Yes, it will impact all your emails.

The quarantine policy percentage levels help verify that no legitimate email is impacted by the DMARC policy. In other words, your SPF and DKIM records are properly configured with all your email sending points authorized. This enables the implementation of the reject policy on 100% of your emails, which will make you DMARC compliant.

Yes, it will, ONLY if your legitimate email fails the SPF and/or DKIM check. Since the quarantine policy percentages helped us verify and authorize all your legitimate email sending points, the only emails that would fail SPF and/or DKIM check would be forged (spoofed) emails.

You being on DMARC reject policy is the reason for enabling forensic reports. Since your SPF and DKIM mechanisms are implemented and working properly, the ONLY emails to be perceived as forged (spoof) will be genuine spoof attempts of your email domain. Furthermore, these reports will help analyze the data within these forged emails to identify what type of malicious URL or attachment was used.