DMARC Enforcement Step by Step

Why do most DMARC deployments stall at p=none?

Deploying a DMARC record at p=none is easy. Moving to enforcement is where most organisations stall. The fear is legitimate: a misconfigured enforcement policy can cause real email to be rejected.

But p=none provides no protection. It tells receiving servers “check authentication and report back, but deliver the email regardless.” Your domain remains fully spoofable. Every day you stay at p=none is a day attackers can send email as your domain without consequence.

The path from monitoring to enforcement is systematic and low-risk when done correctly.

Phase 1: How do you audit your email senders? (weeks 1-2)

Deploy DMARC with reporting

If you haven’t already, create a DMARC record:

v=DMARC1; p=none; rua=mailto:[email protected]; fo=1

Collect and analyse reports

DMARC aggregate reports arrive as XML files from receiving servers. Use a reporting service (Postmark DMARC, EasyDMARC, dmarcian) to parse them into a readable dashboard.

Your reports will show:

Passing sources - legitimate senders with correct SPF and DKIM
Failing legitimate sources - your email services that are not properly authenticated
Failing illegitimate sources - spoofed email from unauthorised servers

Fix failing legitimate sources

For each legitimate sender that fails authentication:

SPF: Add the sender’s include or IP to your SPF record
DKIM: Configure DKIM signing in the sender’s admin panel and publish the DNS record
Alignment: Ensure the sender uses your domain (not their own) in the From header, or configure DKIM signing under your domain

Common sources that need attention:

Marketing automation platforms
Helpdesk and support tools
Internal applications that send notifications
Third-party services sending on your behalf (invoicing, HR platforms)
Legacy systems using direct SMTP

How do you begin quarantine enforcement? (Phase 2, weeks 3-4)

Once all legitimate senders pass authentication in your DMARC reports, begin enforcement:

v=DMARC1; p=quarantine; pct=10; rua=mailto:[email protected]; fo=1

The pct=10 tag means only 10% of failing email is quarantined. The other 90% is still delivered normally. This limits the impact of any missed legitimate sender.

Monitor closely

Watch your DMARC reports and check with your team:

Is anyone reporting missing email?
Are any legitimate senders newly failing?
Is quarantined email appearing in recipients’ spam folders?

If issues arise, fix the authentication for the affected sender before proceeding. If everything is clean after a week, increase the percentage.

How do you escalate to full quarantine? (Phase 3, weeks 5-6)

Escalate to 100% quarantine:

v=DMARC1; p=quarantine; pct=100; rua=mailto:[email protected]; fo=1

All email failing authentication is now quarantined (delivered to spam/junk). This is a meaningful security improvement - spoofed email no longer reaches the inbox. But recipients can still find it in spam if they look, so it is not full prevention.

Continue monitoring for another 1-2 weeks.

When do you move to reject? (Phase 4, week 7+)

The final step - full enforcement:

v=DMARC1; p=reject; pct=100; rua=mailto:[email protected]; fo=1

Receiving servers now reject email that fails DMARC authentication outright. It is never delivered - not to inbox, not to spam. Your domain is protected.

Add subdomain policy

Ensure subdomains are also protected:

v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:[email protected]; fo=1

The sp=reject tag applies the reject policy to all subdomains. Without this, attackers can still spoof anything.yourdomain.com.

How SurfaceLoop handles this

SurfaceLoop tracks your DMARC enforcement status across all domains. It flags domains stuck at p=none, identifies domains without subdomain policies, and validates that SPF and DKIM are correctly configured for all discovered sending sources.

See DNS & Email Spoofing feature →

How do you troubleshoot common DMARC enforcement problems?

Email from a third-party service starts bouncing

The service is not authenticated. Check:

Is the service included in your SPF record?
Does the service sign with DKIM using your domain?
Is the From address using your domain (for DMARC alignment)?

Fix the authentication, then verify with a test email that DMARC passes.

SPF lookup limit exceeded

Adding too many third-party senders pushes you over the 10-lookup limit. Solutions:

Replace include: with direct IP addresses (ip4:) for services with static IPs
Consolidate senders through a single relay
Remove services you no longer use

Forwarded email fails DMARC

Email forwarding often breaks SPF (the forwarder’s IP is not in your SPF record) and sometimes breaks DKIM (if the forwarder modifies the message). This is a known limitation.

Solutions:

Encourage recipients to use email aliases instead of forwarding
Use ARC (Authenticated Received Chain) if your email provider supports it
Accept that some forwarded email will fail - this is the tradeoff for spoofing protection

Reports show unknown sending sources

If your reports show email from servers you don’t recognise passing authentication, investigate immediately. It could be:

A service you forgot about (shadow IT)
An acquired company’s infrastructure
A compromised account or server

How do you maintain DMARC after enforcement?

DMARC enforcement is not a one-time task. Maintain it:

Review reports monthly. Look for new failing sources (someone added a sending service without updating SPF/DKIM).
Update SPF when adding new senders. Make this part of your vendor onboarding checklist.
Audit quarterly. Remove decommissioned services from SPF. Rotate DKIM keys annually.
Monitor all domains. Not just your primary domain - secondary domains, parked domains, and acquired domains all need DMARC enforcement.

Frequently asked questions