Having a DMARC record with p=none is like having no DMARC record. Without enforcement (p=none), domain owners only receive data on who is spoofing them; they watch these attackers through reporting tools without doing anything to block them. It is like having an access management system that scans IDs but lets anyone in, even if the ID scan results in an unidentified individual. The DMARC policy identified with a p is the most crucial part of DMARC enforcement because it gives domain owners the ability to specify how they would like to handle emails that fail authentication checks. With DMARC enforcement (p=reject), domain owners can tell email clients to send unauthenticated messages to the spam folder or to block them altogether.

Sometimes the p=none can lead to a negative effect. The image above showcases a flagged message by a mail client that can show to your recipients when you send out an email if you have a DMARC record with p=none.

What are the DMARC policies?

DMARC policies allow domain owners to specify what they wish to happen with emails that fail SPF & DKIM authentication checks.

• p=none — No enforcement; mail that fails authentication is typically delivered.
• p=quarantine — Messages that fail authentication are delivered to spam.
• p=reject — Messages that fail authentication are blocked by mail clients and not delivered. Some receivers honor this request, while others mark failing messages as spam.

p=none is a monitoring mode policy that provides no enforcement, thus leaving a domain spoofable. This policy is used in test mode to troubleshoot any authentication misconfiguration with third-party senders without the risk of losing good email.

To stop phishing and impersonation attacks, you need to set DMARC to enforcement (p=quarantine or p=reject), not p=none.

p=none generates a lot of raw data that could be useful, but the anti-impersonation/phishing benefits of DMARC become activated only at enforcement. At enforcement, only the authorized senders using your domain can send out an email on your behalf; anyone else is sent to the spam or rejected delivery.

In p=none mode, domain owners can use the reports sent by mail clients to identify which IP addresses are trying to use their domain to send fraudulent emails. The information provided through the reports should be turned into actionable insight to get the domain on p=reject, which is the actual technical challenge.

Unfortunately, most companies that attempt DMARC don’t reach enforcement. Around 80% of companies with a published DMARC record are not on p=reject. It is either because they have misconfiguration issues, face technical challenges with their email senders, or have misunderstood DMARC and think having a DMARC record is sufficient for spoofing protection.

Skysnag removes the tedious DNS process from the email authentication protocols by enhancing the records into dynamic formats instead of static DNS records, thus allowing businesses to close this email loophole autonomously while saving hours off of engineers’ time. 

Skysnag is the first fully automated DMARC enforcement software that goes beyond static reporting tools.

DMARC can improve deliverability by helping ISPs make delivery decisions based on the sending domain’s reputation. 

Risks a company faces with no DMARC enforcement:

Email impersonation: With a policy of p=none, attackers can freely impersonate a domain name, allowing anyone to use the domain name to send out an email, putting customers, partners, and other stakeholders at high risk of:

• Financial loss
• Reputation damage

Emails landing in spam (detailed explanation in email, a system not a mystery): Without DMARC enforcement, internet service providers will not be able to identify whether messages are passing or failing authentication, leading to messages ending up in spam.

With the domain being vulnerable to email impersonation and attackers having free access to using your domain, email clients may start flagging your domain, which can have adverse long-term consequences, such as:

• Customers churning
• Inefficient marketing spend

Email, a system not a mystery

Email runs on SMTP code written in 1982. Starting an SMTP server back then was not feasible for anyone. However, starting an SMTP server today can be done within 2 minutes. This has created a loophole that SMTP has always had, email impersonation, whereby an email can be triggered from any domain name by any SMTP server. Email impersonation bypasses security and compliance measures and has a high attack success rate since it comes from the exact domain name. (According to the FBI, losses resulting from these attacks are 46 times bigger than ransomware). You may be a business with no money-associated risks behind such impersonation threats, but have you considered the value of your domain? The value of your domain name decreases over time as attackers can still use your domain freely to send anything to anyone. They may use your domain name to send phishing emails, scam emails, or even emails containing malware. (The last two categories account for 90% of all cybercrime).

So is spam. Not a mystery

The root of spam is the failure to enforce email authentication and DMARC. A domain name that has followed all the necessary best practices and has always landed in the inbox, in theory, has a high email reputation. Therefore, logically, there is no reason why a mail client should ever flag and place your emails into spam, but they might be without DMARC enforcement.

How is this possible?

That domain name might get picked up by a malicious server, which uses it to send mail to random lists because of the high reputation that domain has. Those nasty emails initially land in the inbox, but as sending requests increase, mail clients drive down the reputation of that domain name, eventually flagging emails from that domain as spam.

As these activities cannot be tracked unless the domain owner reads through SMTP requests, authentication requests, and DMARC XML files, domain owners are left clueless about what happened.

One in every three domain names connecting to Skysnag notices more than 100 emails sent from unknown servers in the first 48 hours of connection.

What happens if no action is taken?

In severe cases of unauthorized usage, mail clients go beyond spam and may list your domain name under a blacklist. A blacklist will cause emails to be blocked from reaching most mail clients.

We built Skysnag to put your domain onto enforcement policies with minimal effort. Most of the tools on the market are reporting tools that cannot enforce DMARC, highlighting that enforcement to p=reject is the real challenge you will face. Skysnag is the only software that automates DMARC enforcement. Reporting tools have proved useless, which is why most domains are not enforced.