Gradual DMARC Rollout

Over on twitter Alwin de Bruin corrected me on an aspect of DMARC soft rollout I’d entirely forgotten about. It’s useful, so I thought I’d write a quick post about it.

If you have a large mail stream and you want to avoid the Scary Red Flag Day when you turn on DMARC p=reject enforcement and wait for people to complain you can use the DMARC policy “pct=” tag to roll our enforcement gradually instead.

“pct=” lets you set a percentage of your mail stream, between 0 and 100, you’d like receiving ISPs to enforce your DMARC policy for. Each time the ISP receives an email claiming to be from you they’ll check to see if the mail is authenticated as coming from you, by having valid SPF or DKIM. If it’s not authenticated then the ISP will send you reports about it, if you asked them to in your DMARC record, and then they’ll randomly decide whether to enforce delivery policy based on the “pct=” value you set. With “pct=10”, they’ll enforce the policy on about 10% of the emails it might apply to. With “pct=50” they’ll enforce it on about half, and so on.

If they roll the dice and it says they shouldn’t enforce the policy on this particular email they’ll instead use the next less severe policy. For a DMARC policy record containing “p=reject; pct=10” they’ll randomly reject one in ten non-authenticated emails claiming to be from you and quarantine the remaining 90%. With “p=quarantine; pct=10” they’ll quarantine one mail in ten, and deliver the rest.

(Or that’s how they’d treat the DMARC part of their delivery decision, anyway. Other delivery policies will apply, and some will override the DMARC request. So, no, publishing a DMARC record that says “p=quarantine; pct=0” won’t get your spam to the inbox.)

So I could start rolling out DMARC like this:

p=none“: I don’t want any DMARC enforced, but I’d like reports on every mail that isn’t authenticated.

p=quarantine; pct=5“: I still want reports, and I’d like about 5% of non-authenticated mail to be quarantined. See if anyone complains.

p=quarantine; pct=25“: OK, I still want reports, and quarantine a quarter of non-authenticated mail. Does anyone notice?

p=quarantine“: I’m pretty sure everything is set up right, so quarantine anything non-authenticated claiming to be from me. And, yes, still send reports.

p=reject; pct=5“: Maybe people are just pulling their wanted mail out of quarantine? Please reject about 5% of non-authenticated mail, and quarantine the rest. And more reports, please!

p=reject; pct=50“: They should notice this. For each non-authenticated email flip a coin. Heads it’s rejected, tails it’s quarantined. And I’m still reading your reports.

p=reject“: We got here eventually. Please reject any non-authenticated mail claiming to be from me. And I still like your reports.

Related Posts

Good morning DMARC

I’m thinking I may need to deploy DMARC report automation sooner rather than later.

Read More

The feds are deploying DMARC

The US National Cybersecurity Assessments & Technical Services Team have issued a mandate on web and email security, including TLS+HSTS for web servers, and STARTTLS+SPF+DKIM+DMARC for email.
It’s … pretty decent for a brief, public requirements doc. It’s compatible with a prudent rollout of email authentication.

Read More

About that DMARC "exploit"

A security researcher has identified a rendering flaw that allows for “perfect” phishing emails. From his website:

Read More