CIS-9.5 / SC-7 / A.9.3.1 CIS Controls v8

DMARC policy at p=quarantine or stricter

Demonstrate that the organization has published a DMARC DNS record with a policy set to 'p=quarantine' or 'p=reject' for all organizational email domains, ensuring email authentication enforcement against spoofing and phishing attacks.

Description

What this control does

DMARC (Domain-based Message Authentication, Reporting and Conformance) is an email authentication protocol that builds on SPF and DKIM to prevent email spoofing and phishing attacks that use an organization's domain. A DMARC policy of 'p=quarantine' instructs receiving mail servers to treat unauthenticated messages as suspicious and place them in spam/junk folders, while 'p=reject' causes outright rejection. This control ensures that unauthorized actors cannot send emails that appear to originate from the organization's domain, protecting both the organization's brand reputation and its email recipients from phishing campaigns.

Control objective

What auditing this proves

Demonstrate that the organization has published a DMARC DNS record with a policy set to 'p=quarantine' or 'p=reject' for all organizational email domains, ensuring email authentication enforcement against spoofing and phishing attacks.

Associated risks

Risks this control addresses

  • Attackers impersonate the organization's domain in phishing emails to target customers, partners, or employees, leading to credential theft or malware delivery
  • Business email compromise (BEC) attacks succeed because receiving mail servers accept spoofed emails claiming to originate from executive or finance personnel
  • Brand reputation damage occurs when fraudulent emails sent from spoofed domains erode trust in legitimate organizational communications
  • Regulatory non-compliance or customer contract violations when email authentication controls are absent or insufficiently enforced
  • Lack of visibility into unauthorized use of organizational domains due to missing DMARC aggregate and forensic reporting mechanisms
  • Email deliverability issues remain undetected when SPF or DKIM misconfigurations exist but no DMARC monitoring is in place

Testing procedure

How an auditor verifies this control

  1. Obtain a complete inventory of all organizational email domains and subdomains used for sending email, including primary domains, regional domains, and marketing subdomains.
  2. Perform DNS TXT record lookups for '_dmarc.[domain]' on each identified domain using tools such as dig, nslookup, or online DMARC checkers.
  3. Extract and document the complete DMARC record for each domain, recording the policy tag ('p='), alignment mode tags ('adkim=', 'aspf='), percentage tag ('pct='), and reporting addresses ('rua=', 'ruf=').
  4. Verify that the policy ('p=' tag) is explicitly set to either 'quarantine' or 'reject' and not 'none' or absent.
  5. Confirm that if a percentage tag ('pct=') is present, it is set to 100 or omitted (defaults to 100), ensuring the policy applies to all non-authenticated messages.
  6. Review DMARC aggregate reports (RUA) from the past 30 days to validate that legitimate mail sources achieve SPF and DKIM alignment and that the quarantine/reject policy is actively enforced by receiving domains.
  7. Interview email administrators to confirm the process for monitoring DMARC reports, remediating authentication failures, and updating the policy as email infrastructure changes.
  8. Test the enforcement by attempting to send an email from an external system spoofing the organization's domain and verifying that it is quarantined or rejected by a test receiving mailbox.

Evidence required

DNS query results showing the published DMARC TXT records for all organizational domains with visible 'p=quarantine' or 'p=reject' tags; screenshots or exports from DMARC aggregate report (RUA) analysis tools demonstrating policy enforcement statistics and authentication pass rates over the prior 30-day period; documented procedures or runbooks for DMARC monitoring and remediation activities maintained by the email administration team.

Pass criteria

All organizational email domains have a published DMARC DNS record with 'p=quarantine' or 'p=reject', with no 'pct=' tag less than 100, and DMARC aggregate reports confirm active enforcement of the policy by external receiving domains.
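An added example (not part of the control text) that applies steps 4-5 of the testing procedure and the pass criteria to a domain inventory: it parses each '_dmarc' TXT record, fails a domain on a non-enforcing 'p=' or a 'pct=' below 100, and flags a missing 'rua=' or a weaker 'sp=' as warnings. The domains, record values and function names are constructed assumptions; the TXT lookups of step 2 are replaced by the inline sample inventory.

```python
ENFORCING = ("quarantine", "reject")

def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=reject; rua=mailto:...' into a lower-cased tag dict.
    Tag names are case-insensitive (RFC 7489); values are kept as written."""
    tags = {}
    for part in record.split(";"):
        name, sep, value = part.partition("=")
        if sep:  # skip empty fragments such as a trailing ';'
            tags[name.strip().lower()] = value.strip()
    return tags

def evaluate_dmarc(record):
    """Apply steps 4-5 of the testing procedure to one record (None = no TXT record).
    Returns {'pass': bool, 'findings': [failures], 'warnings': [non-failing notes]}."""
    if record is None:
        return {"pass": False, "findings": ["no _dmarc TXT record published"], "warnings": []}
    tags, findings, warnings = parse_dmarc(record), [], []
    if tags.get("v", "").upper() != "DMARC1":
        findings.append("record does not carry v=DMARC1")
    policy = tags.get("p", "").lower()
    if policy not in ENFORCING:
        findings.append(f"p={policy or '<absent>'} is not quarantine or reject")
    pct = tags.get("pct")  # absent means 100 (step 5)
    if pct is not None and (not pct.isdigit() or int(pct) != 100):
        findings.append(f"pct={pct} applies the policy to only part of the mail stream")
    if "rua" not in tags:
        warnings.append("no rua= address, so step 6 (aggregate report review) has no data")
    sp = tags.get("sp", "").lower()
    if sp and sp not in ENFORCING:
        warnings.append(f"sp={sp} leaves subdomains weaker than the primary policy")
    return {"pass": not findings, "findings": findings, "warnings": warnings}

def audit_inventory(records: dict) -> dict:
    """Pass criteria: every domain in the step-1 inventory must pass individually."""
    results = {domain: evaluate_dmarc(rec) for domain, rec in records.items()}
    return {"pass": all(r["pass"] for r in results.values()), "domains": results}

# Constructed sample inventory (hypothetical domains) standing in for the dig output of step 2.
SAMPLE_INVENTORY = {
    "example.com": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s",
    "mail.example.com": "v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc@example.com",
    "example.org": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "example.net": None,
}

if __name__ == "__main__":
    for domain, result in audit_inventory(SAMPLE_INVENTORY)["domains"].items():
        print("PASS" if result["pass"] else "FAIL", domain, result["findings"], result["warnings"])
```

Only the first sample domain passes; the overall result is a fail because the pass criteria require every domain in the inventory to enforce the policy.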

Where this control is tested

Audit programs including this control