DMARC rollout guide
DMARC done wrong quietly sends your legitimate mail to spam, or gets it rejected outright. Done right, it takes 4–12 weeks. Here's the playbook.
Week 0 — prerequisites
- SPF record exists at the apex domain, and at any bounce subdomain your senders use as Return-Path, since SPF is checked against the Return-Path domain, not the From: domain (use the SPF Checker to confirm).
- DKIM signing is on for every legitimate sender (Google Workspace, M365, SendGrid, etc.).
- You've inventoried every system that sends mail from your domain — including the marketing tool the CMO signed up for in 2019.
Week 1 — publish p=none with reporting
_dmarc.example.com TXT
"v=DMARC1; p=none; rua=mailto:reports@example.com; pct=100"
This blocks nothing. It asks every DMARC-aware receiver to send you a daily aggregate (rua) report of who sent mail claiming to be from your domain and whether it authenticated. If the rua address is on a different domain than the one you're protecting, that domain must publish an authorization record (example.com._report._dmarc.<report-domain> TXT "v=DMARC1") or receivers will not send reports there. Sign up for a free DMARC report parser (dmarcian, Postmark, Reportify) so you don't drown in raw XML.
Weeks 2–6 — review reports, fix gaps
Look at the reports daily. Every sender legitimately using your domain should show SPF or DKIM (or both) passing AND aligned with your domain: SPF is aligned when the Return-Path domain matches the From: domain, DKIM when the signature's d= does; with the default relaxed alignment only the organizational domains have to match. For each one that doesn't:
- Add the missing sender to your SPF includes, or
- Configure DKIM signing for that sender, or
- Stop using them (if they can't authenticate properly in 2024, that's a red flag).
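A small triage script for this step, added here as an example (it is not code from the original page or from any of the report parsers it names): it parses an aggregate report in the RFC 7489 Appendix C layout, recomputes alignment from each record's auth_results, and lists the source IPs that would fail once you enforce. The report it runs on is constructed sample data with made-up IPs and vendor names, and it assumes the organizational domain is the last two labels of a name, where real tooling would use the Public Suffix List.

```python
"""Triage a DMARC aggregate (rua) report: who sends as us, and who would fail?

Added example, not code from the page or from any of the report parsers it
names. It recomputes DMARC alignment from each record's auth_results
(RFC 7489 Appendix C layout) so you can also ask "what breaks under strict
alignment?". ASSUMPTION: the organizational domain is taken as the last two
labels; real tooling uses the Public Suffix List.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict
from typing import Optional

# Constructed sample report (made-up IPs and vendor names), five sources:
#   203.0.113.10  your mail platform: SPF and DKIM both aligned
#   198.51.100.7  a 3rd-party tool signing with its own domain: unaligned
#   192.0.2.55    a forwarder: SPF fails, DKIM still aligned, so it passes
#   192.0.2.200   a spoofer: no DKIM signature at all, SPF fails
#   203.0.113.20  From: news.example.com with DKIM d=example.com: relaxed pass only
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
 <report_metadata><org_name>receiver.example</org_name><report_id>constructed-0001</report_id>
  <date_range><begin>1700000000</begin><end>1700086400</end></date_range></report_metadata>
 <policy_published><domain>example.com</domain><adkim>r</adkim><aspf>r</aspf><p>none</p><pct>100</pct></policy_published>
 <record><row><source_ip>203.0.113.10</source_ip><count>120</count>
   <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim>
   <spf><domain>example.com</domain><result>pass</result></spf></auth_results></record>
 <record><row><source_ip>198.51.100.7</source_ip><count>45</count>
   <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results><dkim><domain>marketingtool.example</domain><result>pass</result></dkim>
   <spf><domain>bounce.marketingtool.example</domain><result>pass</result></spf></auth_results></record>
 <record><row><source_ip>192.0.2.55</source_ip><count>3</count>
   <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim>
   <spf><domain>example.com</domain><result>fail</result></spf></auth_results></record>
 <record><row><source_ip>192.0.2.200</source_ip><count>500</count>
   <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results><spf><domain>example.com</domain><result>fail</result></spf></auth_results></record>
 <record><row><source_ip>203.0.113.20</source_ip><count>30</count>
   <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
  <identifiers><header_from>news.example.com</header_from></identifiers>
  <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim>
   <spf><domain>bounce.news.example.com</domain><result>pass</result></spf></auth_results></record>
</feedback>
"""


def org_domain(domain: str) -> str:
    """ASSUMPTION: organizational domain = last two labels (no Public Suffix List here)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def is_aligned(auth_domain: Optional[str], header_from: str, mode: str) -> bool:
    """DMARC identifier alignment: 's' = exact match, 'r' = same organizational domain."""
    if not auth_domain:
        return False
    a, h = auth_domain.lower(), header_from.lower()
    return a == h if mode == "s" else org_domain(a) == org_domain(h)


def triage(report_xml: str, adkim: Optional[str] = None, aspf: Optional[str] = None) -> list:
    """One dict per record; adkim/aspf override the published alignment modes (r or s)."""
    root = ET.fromstring(report_xml)
    pub = root.find("policy_published")
    adkim = adkim or pub.findtext("adkim", "r")
    aspf = aspf or pub.findtext("aspf", "r")
    rows = []
    for rec in root.iter("record"):
        header_from = rec.findtext("identifiers/header_from", "")
        # A record may carry several DKIM signatures; any one aligned pass is enough.
        dkim_ok = any(d.findtext("result") == "pass" and is_aligned(d.findtext("domain"), header_from, adkim)
                      for d in rec.findall("auth_results/dkim"))
        spf_ok = any(s.findtext("result") == "pass" and is_aligned(s.findtext("domain"), header_from, aspf)
                     for s in rec.findall("auth_results/spf"))
        rows.append({"ip": rec.findtext("row/source_ip"), "count": int(rec.findtext("row/count", "0")),
                     "header_from": header_from, "dkim_aligned": dkim_ok, "spf_aligned": spf_ok,
                     "dmarc_pass": dkim_ok or spf_ok})
    return rows


def failing_sources(report_xml: str, adkim: Optional[str] = None, aspf: Optional[str] = None) -> dict:
    """Source IPs that would be quarantined/rejected under enforcement, with message volume."""
    volume = defaultdict(int)
    for r in triage(report_xml, adkim, aspf):
        if not r["dmarc_pass"]:
            volume[r["ip"]] += r["count"]
    return dict(sorted(volume.items(), key=lambda kv: -kv[1]))


if __name__ == "__main__":
    for ip, n in failing_sources(SAMPLE_REPORT).items():
        print(f"{ip:16} {n:6} messages would fail DMARC")
    print("under strict alignment:", failing_sources(SAMPLE_REPORT, adkim="s", aspf="s"))
```

The forwarder row is the instructive one: SPF fails because the forwarder's IP is not in your record, but the DKIM signature survives the hop and is aligned, so the message still passes DMARC. The marketing tool row fails for the opposite reason: both checks pass, but against the vendor's domain, not yours. Re-running with adkim="s" and aspf="s" also flags the subdomain sender, which is why strict alignment is rarely worth the breakage.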
Weeks 6–8 — move to p=quarantine with pct=25, then 50, 75, 100
v=DMARC1; p=quarantine; pct=25; rua=mailto:reports@example.com
Ramp pct over 2–4 weeks. Watch reports. If a forgotten sender shows up failing, pull back to p=none, fix, retry. Know what pct actually does: with p=quarantine; pct=25, the 75% of failing mail that isn't sampled falls back to none, and with p=reject; pct=25 the unsampled share falls back to quarantine, so a partial pct is a soft landing, not a partial outage.
Weeks 8–12 — move to p=reject
v=DMARC1; p=reject; rua=mailto:reports@example.com
Now spoofed mail is rejected at SMTP time, not just junked. Subdomains that have no _dmarc record of their own inherit this policy unless you publish sp= with something weaker, so once the apex is at reject, don't leave an sp=none behind that you only needed during the ramp.
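To check what a receiver will actually apply to a given record during the pct ramp and to subdomain mail, here is an added example (not code from the original page) that implements the policy-selection rules of RFC 7489, the sp= fallback and pct sampling, for a record string you paste in. It does no DNS lookups, and sampling is modelled as a draw in 0..99 that you pass in so the outcome is deterministic; the ramp_preview helper and its draw schedule are this example's own construction.

```python
"""Which DMARC policy will a receiver actually apply to a failing message?

Added example, not code from the original page. It implements record
parsing, the sp= subdomain fallback and pct sampling from RFC 7489 for a
record string you supply; no DNS is involved. Sampling is modelled as a
draw in 0..99 passed by the caller, so results are deterministic.
"""

VALID_POLICIES = ("none", "quarantine", "reject")
# RFC 7489 section 6.6.4: a message outside the pct sample gets the next weaker policy.
UNSAMPLED_FALLBACK = {"reject": "quarantine", "quarantine": "none", "none": "none"}


def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=...; ...' into a tag dict and validate the tags relied on below."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:  # skip empty trailing segments
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC1 record")
    if tags.get("p") not in VALID_POLICIES:
        raise ValueError("p= is required and must be none, quarantine or reject")
    if "sp" in tags and tags["sp"] not in VALID_POLICIES:
        raise ValueError("sp= must be none, quarantine or reject")
    pct = int(tags.get("pct", "100"))  # pct defaults to 100 when absent
    if not 0 <= pct <= 100:
        raise ValueError("pct= must be between 0 and 100")
    tags["pct"] = str(pct)
    return tags


def effective_policy(record: str, from_is_subdomain: bool = False, draw: int = 0) -> str:
    """Policy applied to a message that fails DMARC.

    from_is_subdomain: the From: domain is a subdomain with NO _dmarc record of
    its own. Policy discovery tries the exact From: domain first; only when that
    has no record does the organizational domain's record apply, and then sp=
    (if present) wins over p=.
    draw: the receiver's sampling draw, 0..99; the message is in the sample when
    draw < pct. pct applies to sp= exactly as it does to p=.
    """
    tags = parse_dmarc(record)
    policy = tags["sp"] if from_is_subdomain and "sp" in tags else tags["p"]
    if draw < int(tags["pct"]):
        return policy
    return UNSAMPLED_FALLBACK[policy]


def ramp_preview(record: str, draws=range(0, 100, 10)) -> dict:
    """Count how many of ten evenly spaced draws land on each policy (shows what pct does)."""
    counts = {}
    for d in draws:
        p = effective_policy(record, draw=d)
        counts[p] = counts.get(p, 0) + 1
    return counts


if __name__ == "__main__":
    for rec in ("v=DMARC1; p=quarantine; pct=25; rua=mailto:reports@example.com",
                "v=DMARC1; p=reject; pct=50; rua=mailto:reports@example.com",
                "v=DMARC1; p=reject; rua=mailto:reports@example.com"):
        print(rec, "->", ramp_preview(rec))
    print("subdomain under p=reject; sp=none ->",
          effective_policy("v=DMARC1; p=reject; sp=none", from_is_subdomain=True))
```

The preview makes the ramp concrete: p=quarantine; pct=25 quarantines roughly a quarter of failing mail and leaves the rest at none, while p=reject; pct=50 rejects half and quarantines the other half. A subdomain's own _dmarc record, if it has one, bypasses all of this, so the from_is_subdomain flag only describes the inherit case.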
Common gotchas
- Forwarders break SPF. A forwarder that relays your mail from its own IP while keeping your Return-Path fails SPF (its IP isn't in your record); one that rewrites the Return-Path to its own domain (SRS) passes SPF, but unaligned. DKIM survives plain forwarding, so make sure every legitimate stream is DKIM-signed. Mailing lists that add a subject tag or footer break DKIM as well; the remedies there (From: rewriting by the list, ARC at the receiver) sit with the list operator and the receiving side, not with you.
- 3rd-party senders rotate IPs. Reference them with include: mechanisms, not ip4: literals, so you don't have to track changes by hand. Mind the 10-DNS-lookup limit, though: every include: counts, and an SPF record that exceeds it returns permerror, which fails SPF for all of your mail.
- The intern's signup form sends from no-reply@yourdomain.com. Inventory before you publish enforcement.