By Shehzad Mirza
The GCA DMARC Setup Guide has been updated to include a DMARC rating level for your domain. Why? What does this mean?
Based upon the data from site usage, many people remain at the lowest DMARC policy level of ‘none’. Approximately 80% of Setup Guide users have implemented DMARC at level ‘none’ and have remained at that level for the past several months. Even worse, many of them have not enabled reporting, which means they are getting no benefit from implementing DMARC at all. DMARC’s policy level ‘none’ has no impact on message delivery and is meant for monitoring purposes only – to determine if DKIM, SPF or domain alignment needs to be adjusted. However, that cannot be done unless the entity receives reports and analyzes them for issues. There is a lot of valuable information for an organization’s IT and security staff in those reports! At a bare minimum, it is critical that these organizations enable reporting to monitor activity and adjust. After a reasonable monitoring period, we strongly urge them to raise their policy level to “quarantine,” and ultimately to “reject” and continue to review the aggregate reports as needed.
The purpose of the new rating level in the Setup Guide is to highlight for a user the policy level of their domain and encourage reporting and eventual implementation of the highest possible DMARC level of “reject.”
Please test your domain and tell us what you think! Even better, if you’re not already at “reject,” move your level up today!
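As an added illustration (not the GCA Setup Guide's own code or rating scheme), the sketch below parses a DMARC TXT record and reports where it sits on the none, quarantine, reject progression described above, flagging records that have no `rua` aggregate-reporting address. The advice wording and the sample records for example.com are constructed.

```python
# Added example. Sample records and advice wording are constructed;
# this is not the GCA Setup Guide's rating logic.
LEVELS = ("none", "quarantine", "reject")  # weakest to strongest

def parse_dmarc(record):
    """Split a DMARC TXT record into a {tag: value} dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip().lower()] = value.strip()
    return tags

def rate_dmarc(record):
    """Return (policy, has_reporting, advice) for one record."""
    tags = parse_dmarc(record)
    policy = tags.get("p", "").lower()
    if tags.get("v") != "DMARC1" or policy not in LEVELS:
        return (None, False, "no valid DMARC policy found")
    # rua is a comma-separated list of aggregate-report URIs
    has_reporting = any(uri.strip() for uri in tags.get("rua", "").split(","))
    if policy == "none" and not has_reporting:
        advice = "no benefit yet: add a rua address to receive reports"
    elif policy == "none":
        advice = "monitoring: review reports, then raise to quarantine"
    elif policy == "quarantine":
        advice = "raise to reject after a monitoring period"
    else:
        advice = "highest level: keep reviewing aggregate reports"
    if policy != "none" and not has_reporting:
        advice += "; add a rua address to keep visibility"
    return (policy, has_reporting, advice)

SAMPLES = [  # constructed records for the reserved domain example.com
    "v=DMARC1; p=none",
    "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com",
    "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.com",
    "v=DMARC1; p=reject",
]

if __name__ == "__main__":
    for rec in SAMPLES:
        print(rec, "->", rate_dmarc(rec))
```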