DMARC Policy Strength
What This Check Does
The DMARC Policy Strength check examines your DMARC record to verify that the policy is not set to "p=none" without a subdomain policy override (sp=quarantine or sp=reject). A DMARC policy of "p=none" only monitors email authentication failures without taking any enforcement action, leaving your domain vulnerable to spoofing.
DNS Spy reads your _dmarc TXT record and evaluates the "p" tag, together with the "sp" tag if one is present. If it finds "p=none" with no stronger subdomain policy, this check fails.
Why It Matters
DMARC (Domain-based Message Authentication, Reporting & Conformance) is designed to prevent email spoofing and phishing. However, a policy of "p=none" is essentially monitoring-only: it tells receiving mail servers to deliver spoofed emails anyway and only send reports about them. This provides visibility but zero protection against attackers sending fraudulent emails from your domain.
While "p=none" is acceptable during initial DMARC deployment to gather data, it should be transitioned to "p=quarantine" or "p=reject" as quickly as possible. Leaving it at "p=none" indefinitely defeats the purpose of DMARC.
NIST SP 800-81, Section 6, addresses email security best practices. Enforcing DMARC policies is a key component of protecting your domain against email-based attacks. DNS Spy helps you identify and strengthen weak DMARC policies.
NIST SP 800-81 Compliance
Section 6 of the NIST Secure DNS Deployment Guide covers email security, emphasizing the importance of authentication mechanisms like DMARC. An enforced DMARC policy (quarantine or reject) is essential for compliance. DNS Spy monitors your DMARC policy strength and alerts you when it falls below recommended enforcement levels.
Good vs. Bad Configuration
Bad Configuration
v=DMARC1; p=none; rua=mailto:dmarc@example.com
This only monitors without enforcement. Spoofed emails will still be delivered to recipients.
Good Configuration
v=DMARC1; p=reject; rua=mailto:dmarc@example.com; ruf=mailto:dmarc-forensic@example.com
This tells receiving servers to reject emails that fail DMARC authentication, providing strong protection against spoofing.
How DNS Spy Monitors This
DNS Spy checks your _dmarc TXT record during each monitoring cycle, evaluating both the main policy (p=) and subdomain policy (sp=) tags. If the policy is set to 'none' without a stronger subdomain override, an alert is triggered. DNS Spy tracks policy changes over time, helping you verify that your DMARC enforcement is progressing from monitoring to full enforcement.
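The evaluation described in "What This Check Does" and "How DNS Spy Monitors This" can be reproduced locally. The following is an added example, not DNS Spy's own code: it assumes the _dmarc TXT record has already been fetched (so it runs offline on a record string), and the function and class names are the author's choice. It parses the tag list, then applies the page's rule: the check passes when p= is quarantine or reject, or when p=none is overridden by an enforcing sp=; a record that is not DMARC1, lacks p=, or is p=none with sp absent or sp=none fails.

```python
"""Evaluate DMARC policy strength from a _dmarc TXT record.

Added example (not DNS Spy's code). Input is the record string as it
would be returned from DNS; no network lookup is performed.
"""
from dataclasses import dataclass
from typing import Dict, Optional

# Policies that tell receivers to act on failures rather than only report.
ENFORCING = {"quarantine", "reject"}


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'tag=value; tag=value' into a dict of lower-cased tag names.

    Whitespace around tags and a trailing semicolon are tolerated; parts
    without '=' are ignored. Values keep their case except where the
    caller normalises them (policy names are compared case-insensitively).
    """
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    return tags


@dataclass
class PolicyResult:
    passed: bool                    # True when the check passes
    policy: Optional[str]           # effective p= value, lower-cased
    subdomain_policy: Optional[str]  # sp= value if present, lower-cased
    reason: str                     # human-readable explanation


def effective_subdomain_policy(tags: Dict[str, str]) -> Optional[str]:
    """Per RFC 7489, sp= defaults to p= when absent."""
    sp = tags.get("sp")
    if sp is None:
        sp = tags.get("p")
    return sp.lower() if sp else None


def evaluate_policy_strength(record: str) -> PolicyResult:
    """Apply the DMARC Policy Strength rule to one record string."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return PolicyResult(False, None, None, "not a v=DMARC1 record")

    p = tags.get("p", "").lower() or None
    sp = tags.get("sp", "").lower() or None
    if p is None:
        return PolicyResult(False, None, sp, "missing required p= tag")
    if p != "none":
        return PolicyResult(True, p, sp, f"p={p} enforces on the domain")
    if sp in ENFORCING:
        return PolicyResult(True, p, sp, f"p=none but sp={sp} enforces on subdomains")
    return PolicyResult(False, p, sp, "p=none with no stronger subdomain policy: monitoring only")


if __name__ == "__main__":
    # Constructed sample records, including the page's good and bad examples.
    samples = [
        "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
        "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; ruf=mailto:dmarc-forensic@example.com",
        "v=DMARC1; p=none; sp=quarantine; rua=mailto:dmarc@example.com",
        "v=DMARC1;p=NONE;sp=none;",
        "v=spf1 -all",
    ]
    for rec in samples:
        r = evaluate_policy_strength(rec)
        print(f"{'PASS' if r.passed else 'FAIL'}: {rec!r} ({r.reason})")
```

Run it as a script to see each constructed record classified; in a monitoring loop you would call evaluate_policy_strength on the TXT record returned for _dmarc.<your-domain> each cycle and raise an alert when passed is False or when the result changes between cycles.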