3

Under this FAQ it says that using policy=none is a way for domain owners to monitor forged emails, without having to set up SPF/DKIM. But what I'm wondering, because I don't fully understand what SPF/DKIM itself does, is: what is the point of having SPF/DKIM set up, but not having a policy defined for DMARC? When I check my example company's domain on https://www.dmarcanalyzer.com/dmarc/dmarc-record-check/ it shows p=none (and also ruf=mailto:;, but that's unrelated I guess).

So far so good - but checking https://www.dmarcanalyzer.com/dkim/dkim-checker/ shows "This seems to be a valid DKIM Record." with a 1024-bit RSA key, and https://www.dmarcanalyzer.com/spf/checker/ shows "We did not find problems with your SPF record."

So, if you do have SPF and DKIM set up, but no policy for DMARC - what happens? SPF validates whether the sender is authorized to use the domain (sender field) it pretends to send from. DKIM protects the mail's body via an encrypted signature. Neither of them protects from spoofing the From field. What could be a reason to use a none policy, if SPF and DKIM are already set up? Is it a bad idea for the example company to not have a policy defined? As far as I understand, not having a policy doesn't directly affect the company itself, but rather ensures that other users outside of the company do not receive forged mail in the company's name.

Flying Thunder

2 Answers

3

First, there is a difference between having no DMARC policy and having a policy of p=none. No DMARC policy happens when there is no valid DMARC setting for the domain configured in DNS. But this case is not what you are asking about in your question.

Instead you are asking about having a DMARC policy of none. Such a DMARC policy says to do all DMARC validations but not to take any actions which might influence the delivery of the mail. This means it will write an Authentication-Results header, it will send DMARC reports, but it will not reject or quarantine a mail.

This kind of policy is typically employed to get visibility into attempted mail spoofing (i.e. get reports) and to detect configuration problems which might have blocked valid mails if the policy had been reject or quarantine. The idea is that after some time these configuration problems will be solved so that the policy can be moved to a more strict one.

Steffen Ullrich
2

DMARC does two things:

  1. It informs you about what mail lacks verifiable SPF and DKIM (with From header alignment)
  2. It allows you to block mail from your domain that is neither SPF-approved nor DKIM-signed

When DMARC triggers, there are two actions:

  • Its policy dictates an action depending on p=none or p=quarantine or p=reject
  • Reports are sent depending on rua=mailto:aggregate@… and ruf=mailto:forensic@…

If you do not use SPF or DKIM but you do have DMARC with rua=… and/or ruf=…, you'll get reports for every message that claims to be from your domain. This can be useful for auditing purposes.

If you want to use DMARC to stop or reduce mail claiming to be from your domain, you'll need to set up SPF and/or DKIM. The advice for setting this up is to start with a system you think is right and use p=none until you are satisfied that none of the reports contain any servers you may have forgotten or partners that may need inclusion. Then you upgrade to p=quarantine and then you upgrade to p=reject.

It's all about reducing false positives.

Adam Katz
  • That use case makes sense, but I wonder, if it is really intentional for auditing the system, why example company did `ruf=mailto:;` instead of looking at that part of the reports too... Perhaps they already know that their service can't use it – Flying Thunder Aug 24 '21 at 15:20
  • 1
    `ruf` (forensic reports with full message content) is generally unsupported nowadays due to privacy concerns, so it's not surprising to see it configured improperly. It's `rua` (aggregate reports of just message metadata) that matters. – Adam Katz Aug 24 '21 at 15:27
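As an added example (not code from either answer), here is a small Python model of the p=none behaviour the answers describe: it parses a DMARC record, checks SPF/DKIM alignment against the From domain, and works out what a receiver would do and whether reports would go anywhere. The record and domain names are constructed, and the organizational-domain check is simplified (real validators use the Public Suffix List).

```python
def _uris(value):
    """Keep only usable mailto: report addresses; a bare 'mailto:' with no address is dropped."""
    out = []
    for u in value.split(","):
        u = u.strip()
        if u.lower().startswith("mailto:") and len(u) > len("mailto:"):
            out.append(u)
    return out

def parse_dmarc(txt):
    """Parse a DMARC TXT record into a dict; raise if it is not a valid policy record."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("no valid DMARC policy")   # the 'no DMARC policy at all' case
    return {"p": tags["p"].lower(),
            "rua": _uris(tags.get("rua", "")),
            "ruf": _uris(tags.get("ruf", "")),
            "adkim": tags.get("adkim", "r").lower(),
            "aspf": tags.get("aspf", "r").lower()}

def _org_domain(d):
    # Simplification for this example: organizational domain = last two labels.
    return ".".join(d.lower().split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """Relaxed alignment compares organizational domains; strict ('s') needs an exact match."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return _org_domain(from_domain) == _org_domain(auth_domain)

def evaluate(record, from_domain, spf_pass, spf_domain, dkim_pass, dkim_domain):
    """Return (dmarc_pass, action, reports_enabled) for one message."""
    spf_ok = bool(spf_pass and spf_domain and aligned(from_domain, spf_domain, record["aspf"]))
    dkim_ok = bool(dkim_pass and dkim_domain and aligned(from_domain, dkim_domain, record["adkim"]))
    passed = spf_ok or dkim_ok
    # Under p=none a failure is only recorded (Authentication-Results header and reports), never enforced.
    action = "none" if passed else record["p"]
    return passed, action, bool(record["rua"] or record["ruf"])

# Constructed record mirroring the question: p=none, aggregate reports on, ruf set to an empty mailto:
EXAMPLE_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com; ruf=mailto:;"
```

Running `evaluate` on a message whose From is example.com but whose SPF passes only for some other domain shows the DMARC failure being reported but not acted on; switching the same record to p=reject changes only the action.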