Comment by zbentley

9 months ago

When I was junior IT at a smaller place (150ish people), we set up DMARC for the first time in "quarantine" mode. Plan was to eventually set it to full reject but only if folks didn't report issues for a month or so.

While it was in quarantine mode, I asked my boss if we could use it for an object lesson in email trust at our next security training. He said sure, got permission from the CEO, and then an hour before the next quarterly IT security training meeting everyone in the company got an email from the CEO's address saying "URGENT all-hands company meeting, attendance mandatory!" (which came from a Postfix running under my desk, sans DKIM validation record).

In DKIM "quarantine" mode, everyone's Outlook flagged the message with a banner or popup or something saying it was suspicious, I think it also had a prompt to auto-spambox future validation failures. Plenty of folks saw that and/or the Nigerian-prince-style typos I put in the "CEO"'s message. They checked with him or IT, who told them congrats, feel free to head home 30min early after the security training.

The more credulous folks who came to the URGENT all-hands were surprised to find themselves in a regular IT security training, no CEO in attendance. We started off with "so today we are going to talk about phishing, sender forgery, and you...".
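The story above turns on what a DMARC policy of `p=quarantine` versus `p=reject` does to a message that fails authentication. As an added example (my code, not anything from zbentley's setup), here is a minimal receiver-side DMARC disposition check: it parses the domain owner's DMARC TXT record, tests SPF and DKIM results for identifier alignment with the `From:` domain, and returns the policy disposition when neither aligns. The domain names, record strings and authentication results are constructed for illustration, and the organizational-domain helper is a simplification (real receivers use the Public Suffix List).

```python
# Added example: a minimal DMARC disposition check. Not the commenter's code.
# Domains, record text and SPF/DKIM results below are constructed for illustration.


def parse_dmarc(record: str) -> dict:
    """Parse a DMARC TXT record such as 'v=DMARC1; p=quarantine; adkim=r' into tags."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC1 record")
    tags["p"] = tags.get("p", "none").lower()          # policy for the domain itself
    tags["sp"] = tags.get("sp", tags["p"]).lower()     # subdomain policy defaults to p
    tags["adkim"] = tags.get("adkim", "r").lower()     # DKIM alignment: r(elaxed)/s(trict)
    tags["aspf"] = tags.get("aspf", "r").lower()       # SPF alignment: r(elaxed)/s(trict)
    return tags


def org_domain(domain: str) -> str:
    """Simplified organizational domain: the last two labels.

    Assumption for the example only; production code must consult the
    Public Suffix List (e.g. 'example.co.uk' has three labels).
    """
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain, from_domain: str, mode: str) -> bool:
    """Identifier alignment between an authenticated domain and the From: domain."""
    if not auth_domain:
        return False
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    if mode == "s":            # strict: exact match
        return a == f
    return org_domain(a) == org_domain(f)   # relaxed: same organizational domain


def dmarc_disposition(record: str, from_domain: str,
                      spf_result: str, spf_domain,
                      dkim_result: str, dkim_domain) -> str:
    """Return 'pass' or the policy disposition ('none', 'quarantine', 'reject').

    spf_result/dkim_result are 'pass', 'fail' or 'none'; spf_domain is the
    MAIL FROM domain, dkim_domain the d= of a verified signature (None if unsigned).
    """
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass"
    # Neither authenticated identifier aligns: apply p for the org domain, sp for subdomains.
    is_org = org_domain(from_domain) == from_domain.lower().rstrip(".")
    return tags["p"] if is_org else tags["sp"]


def demo():
    """Constructed scenario: From: ceo@example.com sent from a desk Postfix whose IP is
    not in example.com's SPF record and which adds no DKIM signature, versus a
    legitimately sent message that passes aligned SPF and DKIM."""
    spoofed = ("example.com", "fail", "example.com", "none", None)
    legit = ("example.com", "pass", "example.com", "pass", "example.com")
    results = {}
    for rec in ("v=DMARC1; p=none", "v=DMARC1; p=quarantine", "v=DMARC1; p=reject"):
        results[rec] = (dmarc_disposition(rec, *spoofed), dmarc_disposition(rec, *legit))
    return results


if __name__ == "__main__":
    for rec, (spoof, ok) in demo().items():
        print(f"{rec:28s} spoofed -> {spoof:10s} legitimate -> {ok}")
```

Under `p=quarantine` the unsigned message from an unauthorized host gets the quarantine disposition, which is what the Outlook banner in the story reflects; under `p=reject` the same message would have been refused rather than delivered with a warning. The relaxed versus strict alignment cases also show why a third-party mailer signing with its own `d=` does not help the spoofed domain.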