What Happens When I Set DMARC to Reject?

Asked By ChocoDoodle123 On

I'm trying to understand the implications of setting my DMARC policy to "reject". I know that DMARC essentially defines what should happen to emails that don't comply with security standards, but what exactly occurs when I set my policy to anything other than "none"? I'm aware that reports are generated for forensic purposes, but who exactly creates them and where do those reports go? If I set the policy to "reject", do I need to take any specific actions? I honestly don't want to dive into yet another toolkit just to manage these reports. Also, does a simple DNS entry with a "reject" policy suffice to meet Gmail's standards? They've flagged our emails as non-compliant, particularly with SPF and DKIM, despite other test services indicating everything is fine. Since we run a self-hosted mail system with Postfix, Dovecot, and OpenDKIM, I'm puzzled as to why Gmail is rejecting our messages, especially given that we don't engage in bulk emailing.

4 Answers

Answered By SenderWatcher88 On

The receiving servers recognize your DMARC policy. If they see "reject", it signals them to reject any messages lacking a valid signature. Gmail has become stricter in interpreting these settings, and if your DMARC, SPF or DKIM are misconfigured, they'll treat your emails as spam even if your other compliance tests look okay. Your setup for self-hosted services might raise some flags, especially if there are occasional non-compliant emails getting sent from your domain.

Answered By TechieSam99 On

To start off, DMARC is primarily about authentication, not just mail flow. If your emails aren't SPF and DKIM compliant, setting DMARC to "reject" means that recipient servers might drop your emails into spam or even ignore them altogether. I recommend using a tool like dmarcian for handling the reports; you can set up an email address in your DMARC record for receiving them. Ensure all your email services publish and sign their DKIM keys in your DNS. Likewise, check that the IP addresses match for SPF. It's wise to monitor your DMARC settings before going full "reject" so you can identify any compliance issues first.

MailNinja21 -

Yeah, if your DMARC shows "none" and you’re compliant, then you shouldn’t get reports about non-compliant mails. Plus, if you strictly control who can send from your server via dovecot, there shouldn’t be any legitimate relays misusing it.

Answered By NotifyMaster42 On

Ultimately, it's up to the receiving servers how they interpret your DMARC settings. If you set DMARC to reject and don’t collect reports, that’s your call, though they come in a compressible digest format. And just a heads up: Gmail now requires a minimum setting of "quarantine" instead of "none".

EmailBuff260 -

That’s not quite right. Gmail still accepts "none", but they do require that you implement some form of DMARC now.

Answered By EmailGuru77 On

When you configure DMARC, you set the DKIM and SPF records and decide how to handle messages that fail those checks. Your DMARC policy tells receiving servers what to do with non-compliant messages. They'll usually send reports to the address in your DMARC record, but you'll need some software to make sense of those reports. I suggest starting with "none" to see how your emails are doing before moving to "reject", which you can incrementally adjust based on compliance. This way, you can catch any non-compliant services before fully enforcing the policy.
