Blog article

  • 8 minutes read
Author Profile Picture
  • Kiara Saloojee
  • DMARC Enthusiast

DMARC Best Practices: From Setup to Enforcement

Shiny Pink And Blue Digital Email Envelope

DMARC best practices overview:

  • SPF and DKIM must be correctly configured before DMARC enforcement is applied.
  • p=none isn’t optional – it’s how you discover every sending source before enforcement.
  • Move through each policy stage only when the report data confirms legitimate emails are passing.
  • Every domain you own is an attack surface – subdomains and parked domains included.
  • p=reject is not the finish line – sending infrastructure changes continuously.

DMARC is an email authentication protocol that builds on SPF and DKIM to give domain owners control over how unauthenticated email is handled. This guide covers the decisions and configurations that determine whether a DMARC deployment provides real protection – or remains stuck at monitoring.

Following DMARC best practices protects your domain from spoofing, supports email deliverability, and creates an auditable authentication posture. The difference between a successful deployment and a stalled one usually comes down to a few key decisions made early in the process.

The first step is knowing where your domain stands. Run a free domain analysis to see what needs attention before you begin.

If you’re at risk of impersonation, one of our experts will be in touch to assist.

DMARC Best Practices: The Complete Checklist

Nail the Foundations Before Touching Policy

SPF and DKIM must be correctly configured across all legitimate sending sources before DMARC enforcement is applied. Correctly configuring both is the first of several DMARC best practices that determine whether enforcement succeeds or stalls. Applying a quarantine or reject policy before both are in place may cause legitimate emails to be quarantined or blocked.

SPF Configuration

A correct SPF configuration means the sending IP is listed in the domain’s SPF record, and the Return-Path domain aligns with the “From” domain the recipient sees. One critical constraint: SPF has a 10 DNS lookup limit. Exceeding it causes SPF failures regardless of whether the sending IP is authorized. SPF flattening resolves this by converting includes into direct IP references.

DKIM Configuration

A correct DKIM configuration means a valid cryptographic signature is present and the signing domain aligns with the “From” domain. If the signature is missing or the domains don’t align, DKIM fails – and DMARC loses one of its two authentication signals.

DMARC Alignment

DMARC only recognizes SPF and DKIM results when their authenticated domains align with the “From” domain. Configuring relaxed alignment (the default) is a DMARC best practice – it allows a subdomain to align with the “From” domain.

DMARC passes when either SPF or DKIM aligns with the “From” domain. A deployment that relies solely on SPF or DKIM is more vulnerable to configuration drift. Configure both.

Set Your Policy to p=none and Configure Reporting

p=none is the correct starting point and a fundamental DMARC best practice. It generates reports without affecting email delivery, giving administrators visibility into every source sending email on behalf of the domain.

Jumping to p=quarantine or p=reject without completing this step is the most common cause of DMARC-related email disruption.

Configure both report types from the start:

  1. Aggregate reports – Aggregate reports summarize authentication results across all traffic, typically every 24 hours. It is the primary tool for mapping infrastructure and tracking enforcement readiness.
  2. Failure reports – Failure reports are generated when an email fails DMARC. Use them to investigate specific failures and identify unauthorized senders. Note that support is inconsistent – Gmail and several other major providers don’t send RUF reports.

Record example:

HostTypeValue
_dmarc.yourdomain.comTXTv=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com; ruf=mailto:dmarc-reports@yourdomain.com; fo=1;

Treat Enforcement as a Journey

Moving from p=none to full enforcement is a staged process. Staged policy progression is one of the most important DMARC best practices – moving too quickly is the most common cause of DMARC-related email disruption. Each stage requires confirmation from the report data that legitimate emails are passing.

The three stages are:

  1. Monitor (p=none) – Emails are delivered normally, and reports are generated. Map all sending sources and confirm SPF and DKIM are passing. Do not move forward until the report data is clean.
  2. Quarantine (p=quarantine) – Failing messages are delivered to Spam or Junk folders. Use this stage to catch sources missed during monitoring. Review failure reports carefully before proceeding.
  3. Reject (p=reject) – Receiving servers block failing messages. This is the goal and the strongest protection against domain spoofing.

p=reject prevents direct domain spoofing. It doesn’t eliminate all phishing – attackers may use lookalike domains or compromised accounts. Treat it as a critical layer, not a complete solution.

Building a review cadence is a DMARC best practice that’s easy to overlook once enforcement is in place. New tools, platforms, and third-party integrations introduce sources that may not be covered by existing authentication.

  • Monthly: Review aggregate report data for new failures or unrecognized sending sources.
  • Quarterly: Audit authentication across all domains and subdomains.
  • Annually: Reassess policy stage and coverage across the full domain portfolio.

Extend Protection to Every Domain

The primary domain is rarely the only attack surface. Extending protection beyond the primary domain is a DMARC best practice that’s frequently ignored – subdomains and parked domains are just as vulnerable to spoofing. Brand reputation depends on protecting all domains.

Subdomains That Send Email

Audit every subdomain that sends email before applying the policy. Use the sp= tag to set an explicit subdomain policy independent of the organizational domain. This allows the parent domain to move to p=quarantine while subdomain sources are still being confirmed.

Non-Sending Subdomains and Parked Domains

These don’t need to send email – and they shouldn’t be able to. Publish a DMARC record set to p=reject and an SPF record that blocks all sending. It is a simple step that closes a commonly exploited gap.

Scale Management as Complexity Grows

Following DMARC best practices doesn’t stop at enforcement. As domain portfolios grow and sending infrastructure becomes more distributed, the volume of report data and the number of sources to track exceed what any team can manage manually.

The failure point is usually visibility. Sources are added without IT’s knowledge, subdomains are missed, and enforcement stalls because no one can confirm what’s still failing and why. Stretched security and IT teams need tools that reduce manual investigation.

Sendmarc’s DMARC Management Platform 

DMARC is more than a DNS record. Effective deployment requires visibility into every sending source, a deliberate path to enforcement, and continuous monitoring.

Sendmarc’s DMARC Management Platform gives security and IT teams the tools to implement DMARC best practices and move from monitoring to enforcement without disrupting operations.

Sendmarc provides:

  • Unified visibility into SPF, DKIM, and DMARC configurations across all domains
  • Automated parsing of aggregate and failure report data
  • Guided enforcement with continuous monitoring across all sending sources
  • Audit trails to support compliance and governance reporting
  • Ongoing optimization beyond initial setup

See how Sendmarc’s DMARC Management Platform gives your team the visibility and control needed to reach p=reject – and maintain it.

Book a demo