Hello,
My company uses G Suite for sending mail from one domain. We use Gmail via webmail and mobile apps. We do not use any email marketing services, ticketing system or mail relay.
I have successfully set up SPF and DKIM for the domain. For DMARC, I set “p=none”.
I have verified the domain in ap.dmarcian.com
I have read some articles about how to roll out DMARC. Most of them recommend I should take DMARC step by step.
E.g starting with “p=none” => analyze the reports => revise => then “p=quarantine” + “pct=10” => revise + increase “pct” => finally p=“reject”.
Frankly, I do not quite FULLY understand those articles. I think those routines are for those companies with complicated email streams, e.g. ticketing system + email marketing service + mail relay, etc.
Because my company ONLY sends mail using G Suite (via webmail and mobile app), should I shorten the routine and apply “p=quarantine” or “p=reject” right from the beginning?
An incremental ramp up of your policy is typically advised. The point of the pct tag is to tell receivers to only apply your policy to a certain percentage of mail that fails DMARC. This is to mitigate the risk to potential cases where emails are not DMARC compliant, but were not noticed or even reported at all by the data.
Now ultimately you decide how cautious, moderate or aggressive you wish to be with the policy ramp up, and there are certainly factors and reasons valid to use any of these approaches, such as your domain being under heavy abuse or facing constant spoofing-based phishing attacks on your users using your domain.
In the end, consider how risk averse you are, how likely there could be systems used that you may not be aware of (marketing automation is a very common one), then proceed. Unless you face a situation where patience is not something you can afford, I strongly advise leveraging the pct tag to mitigate potential risk to your mail flow.
In the Detail Viewer, Forwarders tab, I saw most of the forwarders are 0% DMARC compliant.
Only a few are compliant, at ~2x percent.
And I saw the value “DKIM survival” appears in all forwarders. So what does it mean? If those forwarders are “DKIM survival”, then why are they not DMARC compliant in the Forwarders tab?
In my Threat / Unknown tab, I saw all sources are 0% compliant. So if I apply “p=reject” or “p=quarantine”, will those policies cause forwarders to “reject” or “quarantine” emails?
First it helps to understand what we mean by forwarding. Let’s think of a scenario first. The providers used in my example are used expressly just as an example and are not necessarily indicative of what you would see in your own forwarders landscape.
A user has an outlook.com email address. You send marketing emails to this recipient. One day they decide they are no longer satisfied with outlook.com, and register a Gmail address. Instead of changing the email address they are subscribed with to your marketing drip, they simply configure the auto-forward of their entire mailbox to Gmail.
The above does one important thing that matters in the context of DMARC. It retains the original From header so that once this user receives mail at Gmail, they know who originally sent it. This means Gmail will authenticate an email sent by your marketing provider, but by using outlook.com’s connecting IP since they did the delivery.
Due to address rewriting schemes, where the return-path is changed to the domain doing the forwarding, SPF largely will not help with DMARC compliance. This means in the majority of cases, only DKIM can help an email which was forwarded potentially still pass DMARC once received at the final destination mailbox. This is because DKIM is a header, and like the From header, it will be retained during this type of forwarding. DKIM survival represents your DKIM compliance with DMARC.
Regarding Threat/Unknown, that is correct. This category contains all data we don’t have an identifying rule for to highlight them as an ESP. The majority of the data you will find there is going to be a form of forwarding, or abuse, or even forwarding of abuse. You can also use the Compliant Filter drop down in the Detail Viewer and choose Impact of Policy if you want to see a view of all emails that would be impacted by any level of enforcement in your DMARC policy ahead of time.
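Added example, not part of the original posts and not dmarcian's code: a small Python script that reads a DMARC aggregate report and separates mail that passes directly, forwarded mail that still passes on DKIM alone, and mail that an enforcing policy would touch, then estimates the effect of a `pct` value. The report is a constructed sample in the RFC 7489 layout; `example.com`, `forwarder.example`, the IPs and the counter names are assumptions made for the illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the RFC 7489 aggregate-report layout. example.com,
# forwarder.example and the documentation-range IPs are made-up values.
def _record(ip, count, dkim, spf, spf_domain):
    return (f"<record><row><source_ip>{ip}</source_ip><count>{count}</count>"
            f"<policy_evaluated><dkim>{dkim}</dkim><spf>{spf}</spf></policy_evaluated></row>"
            f"<identifiers><header_from>example.com</header_from></identifiers>"
            f"<auth_results><spf><domain>{spf_domain}</domain></spf></auth_results></record>")

SAMPLE_REPORT = "<feedback>" + "".join([
    _record("192.0.2.10", 40, "pass", "pass", "example.com"),         # sent directly
    _record("198.51.100.7", 6, "pass", "fail", "forwarder.example"),  # forwarded, DKIM intact
    _record("203.0.113.5", 4, "fail", "fail", "forwarder.example"),   # forwarded or spoofed
]) + "</feedback>"

def summarize(report_xml):
    """Count messages by DMARC outcome using the aligned results in policy_evaluated."""
    totals = {"total": 0, "compliant": 0, "dkim_survived": 0, "impacted": 0}
    for rec in ET.fromstring(report_xml).iter("record"):
        count = int(rec.findtext("row/count"))
        dkim = rec.findtext("row/policy_evaluated/dkim") == "pass"
        spf = rec.findtext("row/policy_evaluated/spf") == "pass"
        totals["total"] += count
        if dkim or spf:               # DMARC needs only one aligned pass
            totals["compliant"] += count
            if dkim and not spf:      # SPF lost (rewritten return-path), DKIM carried it
                totals["dkim_survived"] += count
        else:                         # no aligned pass: subject to p=quarantine / p=reject
            totals["impacted"] += count
    return totals

def expected_enforced(impacted, pct):
    """Failing messages a receiver is asked to apply the policy to at a given pct."""
    return impacted * pct / 100

if __name__ == "__main__":
    s = summarize(SAMPLE_REPORT)
    print(s)
    for pct in (10, 50, 100):
        print(f"pct={pct}: ~{expected_enforced(s['impacted'], pct):.1f} "
              f"of {s['impacted']} failing messages")
```

For reports received from third parties, parse with a hardened XML library rather than the standard-library parser used here on an embedded sample.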