DNS - configure default dmarc policy

Driesp

Hi all

I am considering configuring a DMARC policy for all clients' domains.
I would like to implement the reject policy as a default DMARC policy for our clients.

I will first contact all clients who have an alternative mx / spf config set up.
And I will first enable DKIM for all domains before configuring dmarc.

I know how to do the technical side of it.
But I was wondering if someone already has 'hands-on' knowledge about doing this on a bigger scale or if it is a bad idea to do so.

gmail.com and hotmail.com have the policy 'none' configured...

Thank you in advance for your insights.
Kind regards
Dries Pattyn
 
on a bigger scale or if it is a bad idea to do so
I don't know if it's a bad idea, but I doubt it's wise either. I think it would be better to use the quarantine option instead of reject.
Reason for this is that we still encounter issues where SPF and DKIM lines (both required for DMARC) are not aligned and legit mail is refused. This happens on forwards to/via Microsoft mail.

This issue does not occur forwarding to/via Google/Gmail. It seems Microsoft is rewriting the headers causing the alignment to fail, only on forwarders.
Which might be the reason that Gmail and Microsoft use a "none" policy while they are having an enormous lot of users.
They are the bigger scale and especially choose "none", so there must be a good reason; I wouldn't try to reinvent the wheel.

When using a default of quarantine instead of reject, at least you have the chance for your customers to place the forwarded mail in the spambox instead of it being refused.

I myself as a customer for sure would not like my hosting provider to make such decisions for me. Stronger... I might even want to choose to only use SPF and DKIM and leave DMARC alone.

We don't send over 5K mail/month on any domain so we don't really need DMARC, but we also implemented it with "none" and informed the customer about it. Then they can choose themselves if they want to use some policy and which one they want to use.

P.S. We enabled DKIM by default for everybody already several years ago; it surprises me a little that you have not done that yet, and now want to make such a harsh switch to even a DMARC reject.
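To make the quarantine-vs-reject trade-off concrete, here is a small DMARC evaluator, added as an example and not code from this thread or from any mail server. It parses a DMARC TXT record, applies relaxed or strict SPF/DKIM alignment against the From domain, and returns the action the receiver would take. The organizational-domain helper is a deliberate simplification (last two labels, no public suffix list); the sample records and domains are constructed.

```python
def parse_dmarc(txt: str) -> dict:
    """Parse a DMARC TXT record ('v=DMARC1; p=...; ...') into tag -> value."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    # RFC 7489 defaults: relaxed alignment for both DKIM and SPF, p=none if absent
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    tags.setdefault("p", "none")
    return tags

def org_domain(domain: str) -> str:
    """Assumption: organizational domain = last two labels (no public suffix list)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(identifier: str, from_domain: str, mode: str) -> bool:
    """Strict ('s') needs an exact match; relaxed ('r') needs the same org domain."""
    if mode == "s":
        return identifier.lower() == from_domain.lower()
    return org_domain(identifier) == org_domain(from_domain)

def evaluate(record: str, from_domain: str, spf_result: str, spf_domain: str,
             dkim_result: str, dkim_domain: str) -> tuple:
    """Return (dmarc_result, action); DMARC passes if SPF or DKIM passes AND aligns."""
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return ("pass", "none")
    return ("fail", tags["p"])

# Constructed scenario from the thread: a forwarder re-sends the message from its own
# domain (SPF no longer aligns) and rewrites headers (DKIM signature breaks).
FORWARDED = dict(from_domain="example.com", spf_result="pass",
                 spf_domain="forwarder.example.net", dkim_result="fail",
                 dkim_domain="example.com")

if __name__ == "__main__":
    for policy in ("none", "quarantine", "reject"):
        print(policy, "->", evaluate(f"v=DMARC1; p={policy}", **FORWARDED))
```

With p=reject the forwarded message is refused outright; with p=quarantine it still reaches the spam folder, which is the difference the reply above is pointing at.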
 
Hi Richard

Thank you
I should still do research before continuing with enabling DMARC for our customers and at what policy.
It is a consideration, I am still researching, hence the question :D

The reason why DKIM is not yet active is because some might use their own nameservers.
I am currently making a script that only enables DKIM if our nameservers are used and I should make a script that continuously checks if domains change nameservers later on.
I'm not sure what the impact is if our servers send e-mail with a misconfigured DKIM key, and I would like to prevent this from happening.
And because of that, DKIM is not yet active for everyone.

Thank you for your reply, and I'm looking forward to hearing more about this topic so I can make a decision that benefits our customers and network.
Kind regards
Dries Pattyn
 