Email Security (DMARC+)

From Monitoring to Enforcement — Checklist

Overview

Moving from p=none (monitoring) to p=reject (full enforcement) is the goal of every DMARC deployment. This checklist gives you clear go/no-go criteria at each stage so you never advance prematurely.


Stage 0 — Before you start

  • You have access to your domain's DNS (or a contact who does)
  • You have a mailbox to receive DMARC reports (or DMARC+ is configured as your rua= address)
  • You have a complete list of all services that send email from your domain
  • Your IT/security team is aware of the DMARC deployment

Stage 1 — Deploy monitoring (p=none)

Actions:

  • SPF record published for your domain
  • DKIM configured for your primary mail server (Google Workspace or M365)
  • DMARC record published: v=DMARC1; p=none; rua=mailto:your-address
  • DMARC+ is receiving and displaying reports

Wait: 7–14 days to collect a representative sample of data.

Go criteria for Stage 2:

  • You have data showing all your known sending sources
  • You have identified all sources in the reports (no unrecognised high-volume sources you haven't investigated)
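A quick way to apply these two criteria to the raw data is to parse an aggregate (rua) report yourself and compare its source IPs with your own inventory of senders. The script below is an added example, not DMARC+ code or output: the XML report and the KNOWN_SOURCES inventory are constructed for illustration (documentation IP ranges, made-up service names), and a real report would be the decompressed XML attachment from a receiver.

```python
"""Summarise a DMARC aggregate (rua) report: volume per source IP,
DMARC pass rate, and sources missing from your inventory of known senders."""
import ipaddress
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample report (not a real receiver's report).
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>constructed-0001</report_id>
    <date_range><begin>1700000000</begin><end>1700086400</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>yourdomain.com</domain><adkim>r</adkim><aspf>r</aspf>
    <p>none</p><pct>100</pct>
  </policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>900</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>60</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>203.0.113.99</source_ip><count>40</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
  </record>
</feedback>
"""

# Constructed inventory of legitimate senders: network -> service name.
KNOWN_SOURCES = {
    "192.0.2.0/24": "Google Workspace",
    "198.51.100.0/24": "Marketing platform",
}


def parse_aggregate_report(xml_text):
    """Return one dict per <record> with the receiver's aligned SPF/DKIM results."""
    root = ET.fromstring(xml_text)
    rows = []
    for rec in root.findall("record"):
        row = rec.find("row")
        evaluated = row.find("policy_evaluated")
        dkim = evaluated.findtext("dkim", "fail")
        spf = evaluated.findtext("spf", "fail")
        rows.append({
            "ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "dkim": dkim,
            "spf": spf,
            # DMARC passes when either aligned identifier passes.
            "dmarc_pass": dkim == "pass" or spf == "pass",
        })
    return rows


def identify(ip, known=KNOWN_SOURCES):
    """Map a source IP to a service name from the inventory, or None if unknown."""
    addr = ipaddress.ip_address(ip)
    for net, name in known.items():
        if addr in ipaddress.ip_network(net):
            return name
    return None


def summarise(xml_text, known=KNOWN_SOURCES):
    """Overall pass rate, per-source counts, and the list of unidentified IPs."""
    rows = parse_aggregate_report(xml_text)
    total = sum(r["count"] for r in rows)
    passed = sum(r["count"] for r in rows if r["dmarc_pass"])
    per_source = defaultdict(lambda: {"count": 0, "passed": 0, "service": None})
    for r in rows:
        src = per_source[r["ip"]]
        src["count"] += r["count"]
        src["passed"] += r["count"] if r["dmarc_pass"] else 0
        src["service"] = identify(r["ip"], known)
    unknown = sorted(ip for ip, src in per_source.items() if src["service"] is None)
    return {
        "total": total,
        "pass_rate": round(100.0 * passed / total, 1) if total else 0.0,
        "sources": dict(per_source),
        "unknown_sources": unknown,
    }


if __name__ == "__main__":
    summary = summarise(SAMPLE_REPORT)
    print(f"messages={summary['total']} pass_rate={summary['pass_rate']}%")
    for ip, info in summary["sources"].items():
        label = info["service"] or "UNKNOWN"
        print(f"  {ip:16} {label:20} {info['passed']}/{info['count']} passing")
    if summary["unknown_sources"]:
        print("Investigate before advancing:", ", ".join(summary["unknown_sources"]))
```

On the constructed report this gives a 96.0% pass rate and flags 203.0.113.99 as unidentified; the Stage 1 go criterion is only met once every such IP has been traced to a service you use or confirmed as not yours.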

Stage 2 — Fix all legitimate senders

For each sending source identified in Stage 1:

  • Source identified (which service is this IP?)
  • SPF configured (include added to your SPF record OR service using custom MAIL FROM subdomain)
  • DKIM configured (service signs with your domain, DNS record published)
  • DMARC+ shows this source as passing

Go criteria for Stage 3:

  • All legitimate sending sources are passing DMARC
  • DMARC pass rate is consistently above 95% for 7+ days
  • Remaining failures are from sources you don't use (legacy services, unknown attackers)
  • SPF record needs fewer than 10 DNS lookups (counting include:, a, mx, ptr, exists and redirect= across every included record)
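The lookup count is the criterion people most often get wrong, because every include: pulls in the lookups of the included record as well. The following added example (not DMARC+ tooling) counts the DNS-querying terms recursively; instead of live DNS it resolves against a constructed ZONE dictionary, so all domain names and records in it are made up and only yourdomain.com comes from this checklist.

```python
"""Count the DNS-querying terms in an SPF record, following include: and
redirect= recursively, against an inline zone instead of live DNS."""
import re

# Constructed zone: domain -> SPF TXT record. None of these are real records.
ZONE = {
    "yourdomain.com": "v=spf1 include:_spf.mailprovider.example include:spf.marketing.example ip4:192.0.2.0/24 -all",
    "_spf.mailprovider.example": "v=spf1 include:_netblocks1.mailprovider.example include:_netblocks2.mailprovider.example ~all",
    "_netblocks1.mailprovider.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    "_netblocks2.mailprovider.example": "v=spf1 ip6:2001:db8::/32 ~all",
    "spf.marketing.example": "v=spf1 mx a:mail.marketing.example redirect=spf2.marketing.example",
    "spf2.marketing.example": "v=spf1 exists:%{i}.lookup.marketing.example -all",
}

# Mechanisms that cost a DNS lookup (RFC 7208 section 4.6.4); ip4/ip6/all do not.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}
SPF_LIMIT = 10  # RFC maximum; this checklist wants fewer than 10 for headroom
TERM_RE = re.compile(r"^([a-z0-9]+)(?:([:=/])(.*))?$")


def count_lookups(domain, zone=ZONE, _path=()):
    """Return (lookups, terms): the number of DNS-querying terms reachable
    from the domain's SPF record and the list of terms that were counted."""
    if domain in _path:
        raise ValueError(f"include/redirect loop via {domain}")
    record = zone.get(domain)
    if record is None:
        raise LookupError(f"no SPF record for {domain}")  # a permerror in practice
    total, terms = 0, []
    for raw in record.split()[1:]:  # skip the v=spf1 version tag
        term = raw.lstrip("+-~?")  # drop the qualifier
        match = TERM_RE.match(term)
        if not match:
            raise ValueError(f"unparseable SPF term {raw!r} in {domain}")
        name, sep, arg = match.group(1), match.group(2), match.group(3) or ""
        if sep == "=":  # modifier: only redirect= costs a lookup
            if name == "redirect":
                total += 1
                terms.append(term)
                sub, sub_terms = count_lookups(arg, zone, _path + (domain,))
                total, terms = total + sub, terms + sub_terms
            continue
        if name in LOOKUP_MECHANISMS:
            total += 1
            terms.append(term)
            if name == "include":
                sub, sub_terms = count_lookups(arg, zone, _path + (domain,))
                total, terms = total + sub, terms + sub_terms
    return total, terms


def audit(domain, zone=ZONE):
    """Go/no-go view for the checklist: lookups, whether under the limit,
    the counted terms, and any permerror-class problem found."""
    try:
        total, terms = count_lookups(domain, zone)
    except (ValueError, LookupError) as exc:
        return {"lookups": None, "within_limit": False, "terms": [], "error": str(exc)}
    return {"lookups": total, "within_limit": total < SPF_LIMIT, "terms": terms, "error": None}


if __name__ == "__main__":
    result = audit("yourdomain.com")
    print(f"yourdomain.com: {result['lookups']} lookups, ok={result['within_limit']}")
    for term in result["terms"]:
        print("  ", term)
```

For the constructed zone the total is 8: three lookups for the mail provider's nested includes and five for the marketing platform's include, mx, a, redirect and exists terms. The audit also reports include loops and missing records, both of which make receivers return permerror and count as an SPF failure.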

Stage 3 — Quarantine (graduated rollout)

Update DMARC record:

v=DMARC1; p=quarantine; pct=10; rua=mailto:your-address

Wait: 48–72 hours

Check:

  • No spike in user reports about missing or spam-flagged legitimate email
  • DMARC+ shows the same passing sources as before

If no issues, increase pct:

  • pct=25 — wait 48 hours, check
  • pct=50 — wait 48 hours, check
  • pct=100 — wait 7 days, check

Go criteria for Stage 4:

  • p=quarantine; pct=100 has been stable for 7+ days
  • Zero legitimate emails being quarantined
  • No new sources appearing in DMARC+ reports that you haven't accounted for

Stage 4 — Reject

Update DMARC record:

v=DMARC1; p=reject; rua=mailto:your-address

Monitor for first 7 days:

  • Check DMARC+ dashboard daily
  • Check with key stakeholders (IT helpdesk, marketing, HR) for any delivery issue reports
  • Compare DMARC pass rates before and after — should be unchanged

You're done. p=reject is the goal. Any email that passes neither aligned SPF nor aligned DKIM is now rejected by receivers that honour the policy.


Stage 5 — BIMI (optional)

Prerequisites:

  • p=reject has been stable for 30+ days
  • Your logo is a registered trademark (or in the process)
  • Your logo meets BIMI SVG requirements (Tiny 1.2, square, filled background)
  • You have a VMC from DigiCert or Entrust (or are in the application process)

Publish BIMI record:

default._bimi.yourdomain.com  TXT  "v=BIMI1; l=https://yourdomain.com/bimi-logo.svg; a=https://yourdomain.com/vmc.pem"

Ongoing maintenance

  • Monthly: review DMARC+ Dashboard for new failing sources
  • Quarterly: audit SPF record (remove unused services, check lookup count)
  • When adding a new service: configure SPF and DKIM before launch
  • Annually: rotate DKIM keys
  • When offboarding a service: remove its SPF include and retire its DKIM record

Emergency rollback procedure

If p=reject causes unexpected delivery failures:

  1. Immediately change to p=quarantine; pct=100
  2. Identify the failing source in DMARC+ (it will show as a new source or one that recently stopped passing)
  3. Fix authentication for that source
  4. Return to p=reject once fixed

Keep your DNS provider's portal bookmarked — fast DNS changes are your rollback mechanism.
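The rollout in Stage 3, the go criteria for Stage 4 and the rollback procedure above all operate on the same record, so one small tool covers them. The script below is an added example and not DMARC+ functionality: it parses the DMARC record, applies the checklist's go criteria (minimum days at the step, pass rate above 95%, no user reports, no unidentified sources, fewer than 10 SPF lookups), emits the next record on the ladder, and produces the emergency rollback record. The mailbox address and the day counts passed to go_check() are constructed inputs.

```python
"""Drive the graduated DMARC rollout from this checklist: parse the current
record, check the go criteria, and emit the next record or the rollback."""

# Rollout ladder from the checklist: (policy, pct, minimum days at this
# step before the go criteria are checked).
LADDER = [
    ("none", 100, 7),
    ("quarantine", 10, 2),
    ("quarantine", 25, 2),
    ("quarantine", 50, 2),
    ("quarantine", 100, 7),
    ("reject", 100, 7),
]
TAG_ORDER = ["v", "p", "sp", "pct", "rua", "ruf", "adkim", "aspf", "fo"]


def parse_dmarc(record):
    """Split 'v=DMARC1; p=none; rua=mailto:x' into a tag dict (pct defaults to 100)."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a DMARC record: needs v=DMARC1 and a p= tag")
    tags.setdefault("pct", "100")
    return tags


def build_dmarc(tags):
    """Serialise tags in conventional order; pct is written only for
    p=quarantine, matching the records used in this checklist."""
    out = dict(tags)
    if out["p"] != "quarantine":
        out.pop("pct", None)
    keys = [k for k in TAG_ORDER if k in out] + [k for k in out if k not in TAG_ORDER]
    return "; ".join(f"{k}={out[k]}" for k in keys)


def ladder_index(tags):
    """Position of the current record on LADDER; pct is ignored for p=none."""
    policy, pct = tags["p"], int(tags["pct"])
    if policy == "none":
        pct = 100
    for i, (step_policy, step_pct, _) in enumerate(LADDER):
        if (step_policy, step_pct) == (policy, pct):
            return i
    raise ValueError(f"{policy} pct={pct} is not a step on the rollout ladder")


def go_check(record, days_at_step, pass_rate, user_reports, unknown_sources, spf_lookups):
    """Apply the checklist's go criteria. Returns (ok, reasons, next_record)."""
    tags = parse_dmarc(record)
    i = ladder_index(tags)
    if i == len(LADDER) - 1:
        return False, ["already at p=reject; nothing to advance to"], None
    min_days = LADDER[i][2]
    reasons = []
    if days_at_step < min_days:
        reasons.append(f"wait {min_days - days_at_step} more day(s) at this step")
    if pass_rate < 95.0:
        reasons.append(f"DMARC pass rate {pass_rate}% is below 95%")
    if user_reports:
        reasons.append(f"{user_reports} user report(s) of missing or quarantined legitimate mail")
    if unknown_sources:
        reasons.append(f"{unknown_sources} unidentified sending source(s) in reports")
    if spf_lookups >= 10:
        reasons.append(f"SPF record needs {spf_lookups} lookups; must be fewer than 10")
    if reasons:
        return False, reasons, None
    next_policy, next_pct, _ = LADDER[i + 1]
    return True, [], build_dmarc(dict(tags, p=next_policy, pct=str(next_pct)))


def rollback(record):
    """Emergency rollback: p=quarantine; pct=100 with the rua= address kept."""
    tags = parse_dmarc(record)
    return build_dmarc(dict(tags, p="quarantine", pct="100"))


if __name__ == "__main__":
    current = "v=DMARC1; p=quarantine; pct=10; rua=mailto:dmarc@yourdomain.com"
    ok, reasons, nxt = go_check(current, days_at_step=3, pass_rate=97.2,
                                user_reports=0, unknown_sources=0, spf_lookups=8)
    print("advance" if ok else "hold", reasons, nxt)
    print("rollback:", rollback("v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com"))
```

Run it against each stage's numbers and it either names every unmet criterion or hands you the exact record to paste into DNS; the rollback output is the Stage 3 pct=100 record, which is why the rollback in step 1 above is safe to apply without further thought.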