
I began using the ProtonMail email service, and I like it so much that I connected my domain yesterday and made the appropriate changes to DNS.

This page of ProtonMail's knowledgebase says how DMARC shall be set up. A screenshot of the relevant section:

[screenshot: ProtonMail's knowledgebase says how DMARC shall be set up]

I have successfully connected my domain, set up SPF, DKIM, and I believe I'm ready for DMARC.

The thing is:

  1. I am unsure whether it's a good idea to set it with
     • p=quarantine
     or
     • p=reject
  2. Do I need to specify any other things, like rua or ruf or anything else, if I wanted to make it p=reject?


My current status is:

[screenshot: current status]

LinuxSecurityFreak
  • https://dmarc.org/wiki/FAQ#Does_DMARC_.E2.80.9Cp.3Dnone.E2.80.9D_affect_the_way_my_emails_get_delivered.3F - p=none essentially just triggers a warning for the recipient (depending on their mail host and client) if a message fails verification. I suggest quarantine if you want to reduce the risk that your own messages get rejected, while also reducing the risk of impersonation of your mail server – Natanael Feb 27 '19 at 11:19

2 Answers

It depends a lot on the specific case. If you are really sure you know where all the mail being sent is coming from, and that you’ve set up SPF & DKIM appropriately, then you might go directly to p=reject or p=quarantine.

The safer course is to do a staged roll-out, e.g.:

  • p=none with rua and/or ruf set (there are tools like Dmarcian that you can use to help process the reports you get). Do this to make sure that everything that’s going to fail should actually fail, or fix things that you spot that you hadn’t thought about.
  • p=quarantine with a low percentage just to check that things are ok in practice - if you get lots of issues, then at least it’s (a) likely available in the recipient’s quarantine, and (b) only a small amount of the mail
  • p=quarantine with 100%, maybe with other steps in between. You might stop here.
  • p=reject, again maybe doing percentage steps, if you’re completely certain that failing mail should never be read by the recipient.

One thing to consider when deciding between quarantine and reject is that failures can be out of your control. For example, if someone is forwarding mail, then it’s likely there’s going to be an SPF failure (particularly if it’s not well set up) but the recipient probably does actually want the email. Similarly, if there’s something in the chain that mucks about with the message (often the subject) then there may be a DKIM failure but it’s still a legitimate message.

If you really want to say “the mail comes directly from me to you”, then reject is likely where you want to get to. If you’re ok with “the mail comes directly from me to you, and if you muck about with that then it may end up in your quarantine”, then quarantine is a better end point.

Tony Meyer
    Note that ProtonMail themselves won't honor the `p=reject` instruction upon reception of an email failing SPF and DKIM. It will be treated the same as `p=quarantine` and go into spam. I contacted PM on why they were not abiding by the RFC: _"[ ... ] we have hundreds of thousands of users who somehow mess up their records and when their mail is silently dropped, they cancel service [ ... ]"_ – Xavier59 Nov 23 '19 at 21:50
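The staged roll-out and the forwarding failures discussed in this answer, as an added Python example that is not part of the original post: it parses a DMARC TXT record and works out what a receiver does with one message under the published p= and pct=, including the pct sampling fallback from RFC 7489. The record, the example.com domain and the message outcomes are constructed placeholders.

```python
# Added example (not from the answer): parse a DMARC TXT record and compute
# the receiver-side disposition of one message, including the pct sampling
# fallback of RFC 7489 s6.6.4 that a staged roll-out relies on.

VALID_P = ("none", "quarantine", "reject")
# Messages outside the pct sample get the next-less-severe policy.
PCT_FALLBACK = {"reject": "quarantine", "quarantine": "none", "none": "none"}

def parse_dmarc(txt):
    """Parse 'tag=value; ...' into a dict; validate p, pct and rua/ruf."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        raise ValueError("record must begin with v=DMARC1")
    tags = {}
    for part in parts:
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = (s.strip() for s in part.split("=", 1))
        tags[key] = value
    if tags.get("p") not in VALID_P:
        raise ValueError(f"p= must be one of {VALID_P}, got {tags.get('p')!r}")
    pct = int(tags.get("pct", "100"))
    if not 0 <= pct <= 100:
        raise ValueError("pct= must be 0..100")
    tags["pct"] = pct
    for report_tag in ("rua", "ruf"):
        for uri in tags.get(report_tag, "").split(","):
            if uri and not uri.strip().lower().startswith("mailto:"):
                raise ValueError(f"{report_tag}= URIs must be mailto: URIs")
    return tags

def disposition(record, spf_aligned, dkim_aligned, sample_roll):
    """Outcome for one message: DMARC passes if either aligned check passes;
    otherwise apply p=, weakened when sample_roll (1..100) exceeds pct."""
    if spf_aligned or dkim_aligned:
        return "pass"
    policy = record["p"]
    if sample_roll > record["pct"]:
        policy = PCT_FALLBACK[policy]
    return policy

if __name__ == "__main__":
    # Constructed record for a placeholder domain, partway through roll-out.
    rec = parse_dmarc("v=DMARC1; p=reject; pct=25; rua=mailto:dmarc@example.com")
    # Forwarded mail: SPF breaks, but an intact DKIM signature still passes.
    print(disposition(rec, spf_aligned=False, dkim_aligned=True, sample_roll=90))
    # Forwarded and subject rewritten: both fail; only 25% are rejected.
    print(disposition(rec, False, False, 10), disposition(rec, False, False, 90))
```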

I would initially use p=none, as the comment mentioned.

Upon determining the type and amount of e-mails that get flagged, I'd then make an analysis and decide whether to drop, quarantine or let them through. In case of very small traffic it's easy to make such a determination, but for heavy traffic it may prove a little more difficult to filter the good from the bad. If you think you may be a target of directed spam attacks and you want to be safer, then of course set it to reject and then analyze to see what's being dropped.

Overmind